User guide
IPTables
81
2.5.9.3. Related Documentation
• Red Hat Linux Firewalls, by Bill McCarty; Red Hat Press — a comprehensive reference to building network and server firewalls using open source packet filtering technology such as Netfilter and iptables. It includes topics that cover analyzing firewall logs, developing firewall rules, and customizing your firewall using various graphical tools.
• Linux Firewalls, by Robert Ziegler; New Riders Press — contains a wealth of information on building firewalls using both 2.2 kernel ipchains as well as Netfilter and iptables. Additional security topics such as remote access issues and intrusion detection systems are also covered.
2.6. IPTables
Included with Red Hat Enterprise Linux are advanced tools for network packet filtering — the process
of controlling network packets as they enter, move through, and exit the network stack within the
kernel. Kernel versions prior to 2.4 relied on ipchains for packet filtering and used lists of rules
applied to packets at each step of the filtering process. The 2.4 kernel introduced iptables (also
called netfilter), which is similar to ipchains but greatly expands the scope and control available for
filtering network packets.
This chapter focuses on packet filtering basics, explains various options available with iptables
commands, and explains how filtering rules can be preserved between system reboots.
Refer to Section 2.6.6, “Additional Resources” for instructions on how to construct iptables rules
and set up a firewall based on these rules.
Important
The default firewall mechanism in the 2.4 and later kernels is iptables, but iptables cannot
be used if ipchains is already running. If ipchains is present at boot time, the kernel issues
an error and fails to start iptables.
The functionality of ipchains is not affected by these errors.
2.6.1. Packet Filtering
The Linux kernel uses the Netfilter facility to filter packets, allowing some of them to be received by or
pass through the system while stopping others. This facility is built into the Linux kernel, and has three
built-in tables, or rule lists, as follows:
• filter — The default table for handling network packets.
• nat — Used to alter packets that create a new connection and used for Network Address Translation (NAT).
• mangle — Used for specific types of packet alteration.
Each table has a group of built-in chains, which correspond to the actions performed on the packet by
netfilter.
The built-in chains for the filter table are as follows:
• INPUT — Applies to network packets that are targeted for the host.
• OUTPUT — Applies to locally-generated network packets.
• FORWARD — Applies to network packets routed through the host.
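The following is an added example, not part of the Red Hat guide, showing how the three built-in chains of the filter table are used together in a minimal host firewall. It emits the ruleset in iptables-restore(8) format rather than calling iptables directly, so the text can be inspected or checked on any machine without root; the administrative port number is an assumption, and the LOG targets exist so that dropped traffic is visible in the kernel log.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): build a minimal host firewall
# for the filter table in iptables-restore(8) format. INPUT and FORWARD get a
# DROP policy, OUTPUT stays ACCEPT, matching the chain roles described above.
# The port number is an assumption; 22 is only a default.
build_filter_rules() {
    ssh_port="${1:-22}"   # assumed administrative port (SSH by default)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to this host
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
# FORWARD: packets routed through this host; a plain server should see none
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: " --log-level 4
# OUTPUT: locally generated packets; the ACCEPT policy needs no extra rules
COMMIT
EOF
}

# Sanity check on the generated text: every built-in chain of the filter
# table must carry an explicit policy line before the ruleset is loaded.
check_policies() {
    rules="$(build_filter_rules "$@")"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:${chain} " || return 1
    done
    return 0
}

# Usage on a live system (as root): build_filter_rules 22 | iptables-restore
```

Loading with iptables-restore replaces the whole filter table atomically, which avoids the window that appears when rules are appended one iptables call at a time with a DROP policy already in place. Because the LOG rules sit last in INPUT and FORWARD, anything they record is exactly what the chain policy then drops.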