This is paraphrased, in part, from the PacketFiltering? HowTo, which can probably be found somewhere on the Wiki, but should be read at

What are packets?

For firewalling, all you need to know is that a transmission is broken up (encapsulated) into a number of packets, each with a header containing information on the type of packet, it's source address and port, eventual destination address and port, and other flags.

What is packet filtering?

Packet filtering (netfilter) is part of the Linux kernel. You need to ensure your kernel is compiled with CONFIG_NETFILTER enabled (and that you're running 2.3.15 onwards.) Then you'll need to make sure that CONFIG_IP_NF_IPTABLES is modular and/or compiled into the kernel.

netfilter allows you to define 'callback functions' - functions that are called every time a network packet is processed by the system. You don't have to deal with it at a low level however - there's an entire infrastructure provided called iptables.

What is iptables?

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (things that will cause a packet to match) and one connected action (target).

The tool that influences the kernel's filtering rules is called iptables(8). (You may have seen other documentation referencing ipchains or ipfwadm. In 2.2 series kernels you used ipchains(8), in 2.0 series kernels you used ipfwadm(8). Documents that talk of either are too old to help specifically, but the concepts will still apply. If you really have to use ipchains/ipfwadm rules, you can compile support for them into the kernel, but not alongside iptables. It's one or the other.)

Packet filtering also provides transparent proxying, masquerading (NetworkAddressTranslation), and anything else related to rewriting packets.

netfilter, iptables and the connection tracking as well as the NAT subsystems together build the whole framework.

Main Features

  • stateful packet filtering (connection tracking)
  • all kinds of network address translation
  • flexible and extensible infrastructure
  • large number of additional features as patches

What can I do with netfilter/iptables ?

  • build internet firewalls based on stateless and stateful packet filtering
  • use NAT and masquerading for sharing internet access where you don't have enough addresses
  • use NAT for implementing transparent proxies
  • build sophisticated QualityOfService routers
  • do further packet manipulation (mangling) like altering the TOS (TypeOfService) field of the IP header
  • Log errant packets for closer inspection later.

Permanence of rules

The kernel boots up with no firewalling rules. If you manually add a rule with iptables(8), it will not be there next time you boot. You will need a firewall script that runs on boot.

What are chains?

A chain is a checklist of rules. Each rule says `if the packet header looks like this, then here's what to do with the packet'. If the rule doesn't match the packet, then the next rule in the chain is consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to DROP or REJECT the packet. You can create your own chains.

What are tables?

A table is a collection of chains that perform a related task such as filtering, address rewriting (nat) or modifying packet charactoristics (mangle). You cannot create your own tables without modifying the kernel.

The kernel starts out with three chains in the "filter" (main) table: INPUT, FORWARD and OUTPUT.

                           _ _ _
 Incoming                 /     \        Outgoing
       -->[[Routing ]--->|FORWARD|------->
          [[Decision]     \_ _ _/        ^
               |                        |
               v                      _ _
              _ _                    /    \
             /   \                  |OUTPUT|
            |INPUT|                  \_ _ /
             \_ _/                      ^
               |                        |
                ----> Local Process ----

The three circles represent the three chains. When a packet reaches a circle in the diagram, that chain is examined to decide the fate of the packet. If the chain says to DROP the packet, it is killed there, but if the chain says to ACCEPT the packet, it continues traversing the diagram. The chain can say other things too like "LOG" (log this packet to syslog and continue processing), or jump to a user specified chain, or return from a user specified chain.

  1. When a packet comes in to the computer (normally from an ethernet card) the kernel first looks at the destination of the packet: this is called `routing'.
  2. If the destination is this computer, the packet passes downwards in the diagram, to the INPUT chain. If it passes this, the packet will be passed onto your computer and is has 'penetrated the firewall'. Remember, this isn't a bad thing - you want to be able to allow requests to access your web server, for example
  3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know how to forward the packet, the packet is dropped. If forwarding is enabled, and routing has decided the packet can go out on another network interface (eg an ADSL connection), then the packet goes rightwards on the diagram to the FORWARD chain. If it is ACCEPT-ed, it will be sent out.
  4. Finally, a program running on the box can send network packets. These packets pass through the OUTPUT chain immediately: if it says ACCEPT, then the packet continues out to whatever interface it is destined for.

Your own chains

For whatever reason, you can create your own chains. These are created with

$ iptables -N chain

Then, you can define some rules in your chain
$ iptables -A chain -j DROP

This tells your firewall that as part of chain 'chain', jump to the DROP target. (See targets below)

Why would you want to use a chain? Same reason you might use a function in a programming language. To do anything you might do more than once. Logging is a good example, so is defining rules for an interface that you want called on both the OUTPUT and FORWARD chains.


Once a rule matches, you then have to jump somewhere else. If not, control will just pass to the next rule.

Some good places to jump:

Automatically accept this packet and stop traversing any chains for it
Automatically drop this packet
Send back a message saying that this packet was not allowed


The world's simplest firewall and what it does

# Create a new chain which blocks new connections on the ppp0 interface,
# except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

When a packet comes into the machine, it will either go to INPUT or FORWARD depending on where the destination is (See above.) Then, when any other rules in the chain have completed, we will jump to the 'block' chain, executing all the rules up until we either ACCEPT or DROP the packet.

Restrict incoming SSH traffic

# set up a new chain for ssh traffic
iptables -N ssh_syn
# filter the start of incoming ssh connections (includes forwarded!)
iptables -A INPUT -p tcp --syn --dport 22 -j ssh_syn
# allow these packets from local addresses
iptables -A ssh_syn -s -j ACCEPT
iptables -A ssh_syn -s -j ACCEPT
# university of waikato
iptables -A ssh_syn -s -j ACCEPT
iptables -A ssh_syn -s -j ACCEPT
# default is to deny incoming ssh connections
iptables -A ssh_syn -j LOG
# the LOG target returns, so now either drop or reject these packets
iptables -A ssh_syn -j DROP