For firewalling, all you need to know is that a transmission is broken up (encapsulated) into a number of packets, each with a header containing information on the type of packet, it's source address and port, eventual destination address and port, and other flags.
Packet filtering (netfilter) is part of the Linux kernel. You need to ensure your kernel is compiled with CONFIG_NETFILTER enabled (and that you're running 2.3.15 onwards.) Then you'll need to make sure that CONFIG_IP_NF_IPTABLES is modular and/or compiled into the kernel.
netfilter allows you to define 'callback functions' - functions that are called every time a network packet is processed by the system. You don't have to deal with it at a low level however - there's an entire infrastructure provided called iptables.
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (things that will cause a packet to match) and one connected action (target).
The tool that influences the kernel's filtering rules is called iptables(8). (You may have seen other documentation referencing ipchains or ipfwadm. In 2.2 series kernels you used ipchains(8), in 2.0 series kernels you used ipfwadm(8). Documents that talk of either are too old to help specifically, but the concepts will still apply. If you really have to use ipchains/ipfwadm rules, you can compile support for them into the kernel, but not alongside iptables. It's one or the other.)
Packet filtering also provides transparent proxying, masquerading (NetworkAddressTranslation), and anything else related to rewriting packets.
netfilter, iptables and the connection tracking as well as the NAT subsystems together build the whole framework.
The kernel boots up with no firewalling rules. If you manually add a rule with iptables(8), it will not be there next time you boot. You will need a firewall script that runs on boot.
A chain is a checklist of rules. Each rule says `if the packet header looks like this, then here's what to do with the packet'. If the rule doesn't match the packet, then the next rule in the chain is consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to DROP or REJECT the packet. You can create your own chains.
A table is a collection of chains that perform a related task such as filtering, address rewriting (nat) or modifying packet charactoristics (mangle). You cannot create your own tables without modifying the kernel.
_ _ _ Incoming / \ Outgoing -->[[Routing ]--->|FORWARD|-------> [[Decision] \_ _ _/ ^ | | v _ _ _ _ / \ / \ |OUTPUT| |INPUT| \_ _ / \_ _/ ^ | | ----> Local Process ----
The three circles represent the three chains. When a packet reaches a circle in the diagram, that chain is examined to decide the fate of the packet. If the chain says to DROP the packet, it is killed there, but if the chain says to ACCEPT the packet, it continues traversing the diagram. The chain can say other things too like "LOG" (log this packet to syslog and continue processing), or jump to a user specified chain, or return from a user specified chain.
This tells your firewall that as part of chain 'chain', jump to the DROP target. (See targets below)
Why would you want to use a chain? Same reason you might use a function in a programming language. To do anything you might do more than once. Logging is a good example, so is defining rules for an interface that you want called on both the OUTPUT and FORWARD chains.
Once a rule matches, you then have to jump somewhere else. If not, control will just pass to the next rule.
Some good places to jump:
# Create a new chain which blocks new connections on the ppp0 interface, # except if coming from inside. iptables -N block iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT iptables -A block -j DROP # Jump to that chain from INPUT and FORWARD chains. iptables -A INPUT -j block iptables -A FORWARD -j block
When a packet comes into the machine, it will either go to INPUT or FORWARD depending on where the destination is (See above.) Then, when any other rules in the chain have completed, we will jump to the 'block' chain, executing all the rules up until we either ACCEPT or DROP the packet.
# set up a new chain for ssh traffic iptables -N ssh_syn # filter the start of incoming ssh connections (includes forwarded!) iptables -A INPUT -p tcp --syn --dport 22 -j ssh_syn # allow these packets from local addresses iptables -A ssh_syn -s 10.0.0.0/8 -j ACCEPT iptables -A ssh_syn -s 192.168.0.0/16 -j ACCEPT # university of waikato iptables -A ssh_syn -s 126.96.36.199/16 -j ACCEPT # hoiho.wlug.org.nz iptables -A ssh_syn -s 188.8.131.52/32 -j ACCEPT # default is to deny incoming ssh connections iptables -A ssh_syn -j LOG # the LOG target returns, so now either drop or reject these packets iptables -A ssh_syn -j DROP