Linux IPTables Firewall 1.4.14


What is iptables?

iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators.
Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.
The iptables package also includes ip6tablesip6tables is used for configuring the IPv6 packet filter.

Dependencies

iptables requires a kernel that features the ip_tables packet filter. This includes all 2.4.x and 2.6.x kernel releases.

Main Features

  • listing the contents of the packet filter ruleset
  • adding/removing/modifying rules in the packet filter ruleset
  • listing/zeroing per-rule counters of the packet filter ruleset

Git Tree

The current development version of iptables can be accessed at https://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=summary.


iptables Releases

2012-May-26: iptables-1.4.14


ChangeLog
iptables-1.4.14.tar.bz2 GPG signature (key) : md5sum 5ab24ad683f76689cfe7e0c73f44855d
Patch against 1.4.14 GPG signature : md5sum 3662d600d9ed2b18b44a8e18c633a3c8

Operational summary

Xtables allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a “call”, i.e. the point that was jumped from is remembered.) Every network packet arriving at or leaving from the computer traverses at least one chain.

Packet flow paths. Packets start at a given box and will flow along a certain path, depending on the circumstances.
The origin of the packet determines which chain it traverses initially. There are five predefined chains (mapping to the five available Netfilter hooks), though a table may not have all chains. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain it is returned to the chain which called it. A chain may be empty.
  • “PREROUTING”: Packets will enter this chain before a routing decision is made.
  • “INPUT”: Packet is going to be locally delivered. (N.B.: It does not have anything to do with processes having a socket open. Local delivery is controlled by the “local-delivery” routing table: `ip route show table local`.)
  • “FORWARD”: All packets that have been routed and were not for local delivery will traverse this chain.
  • “OUTPUT”: Packets sent from the machine itself will be visiting this chain.
  • “POSTROUTING”: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict(one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for. These can happen for about any layer in the OSI model, as with e.g. the --mac-source and -p tcp --dport parameters, and there are also protocol-independent matches, such as -m time.
The packet continues to traverse the chain until either
  1. a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of the ACCEPT or DROP, or a module returning such an ultimate fate; or
  2. a rule calls the RETURN verdict, in which case processing returns to the calling chain; or
  3. the end of the chain is reached; traversal either continues in the parent chain (as if RETURN was used), or the base chain policy, which is an ultimate fate, is used.
Targets also return a verdict like ACCEPT (NAT modules will do this) or DROP (e.g. the “REJECT” module), but may also imply CONTINUE (e.g. the "LOG" module; CONTINUE is an internal name) to continue with the next rule as if no target/verdict was specified at all.
Source -
For Detailed Documentation -