Installation guide

Chapter 13. Firewalls and iptables 169
packets. For this reason, you must be sure to place the rule designed to catch a particular packet in
the chain that will actually see the packet.
The advantage is that you now have more control over the disposition of each packet. If you are
attempting to block access to a particular website, it is now possible to block access attempts from
clients running on hosts which use your host as a gateway. An OUTPUT rule which denies access
will no longer prevent access for hosts which use your host as a gateway.
The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a
chain could be directed to the DENY target, which silently dropped the packet. This target must be
changed to DROP in iptables to have the same effect.
Order matters when placing options in a rule. Previously, with ipchains, it did not matter very
much how you ordered the rule options. The iptables command is a bit pickier about where some
options may go. For example, you must now specify the source or destination port after the protocol
(ICMP, TCP, or UDP) to be used in a rule.
When specifying network interfaces to be used with a rule, you must only use incoming interfaces
(-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD
or OUTPUT chains. This is necessary because OUTPUT chains are no longer used by incoming
interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
This is by no means a comprehensive list of the changes, given that iptables represents a fundamentally
rewritten network filter. For more specific information, consult the Linux 2.4 Packet Filtering
HOWTO and the sources found in Section 13.5.
13.3. Options Used in iptables Commands
Rules that allow packets to be filtered by the kernel are put in place by running the iptables command.
When using the iptables command, you must specify the following options:
Packet Type — This dictates what type of packets the command filters.
Packet Source or Destination — This dictates what packets the command filters based on the source
or destination of the packet.
Target — This dictates what action is taken on packets matching the above criteria.
The options used with a given iptables rule must be grouped logically, based on the purpose and
conditions of the overall rule, in order for the rule to be valid.
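The option-ordering and interface constraints described in the ipchains-to-iptables changes above, and the required option groups just listed, can be checked mechanically before a rule is loaded. The following linter is an added example written for this section, not code from the guide; the rule strings it inspects are constructed samples and the check covers only the constraints stated on this page.

```python
"""Lint iptables rule strings against the ordering and chain/interface constraints
described in this chapter (added example; not part of the guide)."""
import shlex

INPUT_IFACE_CHAINS = {"INPUT", "FORWARD"}    # -i (incoming interface) is only valid here
OUTPUT_IFACE_CHAINS = {"FORWARD", "OUTPUT"}  # -o (outgoing interface) is only valid here
PORT_OPTS = {"--sport", "--dport", "--source-port", "--destination-port"}


def check_rule(rule):
    """Return a list of problems found in one iptables rule string; [] means it passes."""
    args = shlex.split(rule)
    if args and args[0] == "iptables":
        args = args[1:]
    problems = []
    chain = None
    proto_seen = False
    for i, tok in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else None
        if tok in ("-A", "-I", "-D", "-R"):
            chain = nxt                       # the chain this rule lives in
        elif tok == "-p":
            proto_seen = True                 # ports are only valid after the protocol
        elif tok in PORT_OPTS and not proto_seen:
            problems.append(f"{tok} must come after -p (protocol)")
        elif tok == "-i" and chain not in INPUT_IFACE_CHAINS:
            problems.append(f"-i is only valid in INPUT or FORWARD, not {chain}")
        elif tok == "-o" and chain not in OUTPUT_IFACE_CHAINS:
            problems.append(f"-o is only valid in FORWARD or OUTPUT, not {chain}")
        elif tok == "-j" and nxt == "DENY":
            problems.append("target DENY does not exist in iptables; use DROP")
    if chain is None:
        problems.append("no chain given (-A/-I/-D/-R)")
    if "-j" not in args:
        problems.append("no target given (-j)")
    return problems


if __name__ == "__main__":
    # Constructed sample rules: a gateway that blocks forwarded web traffic to one host,
    # and two rules carried over from ipchains that iptables would reject.
    for rule in (
        "iptables -A FORWARD -i eth1 -o eth0 -d 192.0.2.10 -p tcp --dport 80 -j DROP",
        "iptables -A OUTPUT -i eth0 -j DROP",
        "iptables -A INPUT --dport 23 -p tcp -j DENY",
    ):
        print(rule, "->", check_rule(rule) or "ok")
```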
13.3.1. Tables
A powerful aspect of iptables is that multiple tables can be used to decide the fate of a particular
packet, depending upon the type of packet being monitored and what is to be done with the
packet. Thanks to the extensible nature of iptables, specialized tables can be created and stored
in the /etc/modules/<kernel-version>/kernel/net/ipv4/netfilter/ directory to meet
specific goals. Think of iptables as being able to run multiple sets of ipchains rules in defined
chains, with each set fulfilling a particular role.
The default table, named filter, contains the standard built-in INPUT, OUTPUT, and FORWARD
chains. This is somewhat similar to the standard chains in use with ipchains. However, by default,
iptables also includes two additional tables that perform specific packet filtering jobs. The nat
table can be used to modify the source and destination addresses recorded in packets, and the mangle
table allows you to alter packets in specialized ways.
Each table contains default chains that perform necessary tasks based on the purpose of the table, but
you can easily set up new chains in each of the tables.