To run the pure basics of iptables you need to configure
the following options into the kernel while doing make
config or one of its related commands:
CONFIG_PACKET - This option allows
applications and utilities that need to work directly with various network
devices. Examples of such utilities are tcpdump or snort.
CONFIG_PACKET is strictly speaking not needed for iptables to work, but
since it contains so many uses, I have chosen to include it here. If you do
not want it, don't include it.
CONFIG_NETFILTER - This option is required if
you're going to use your computer as a firewall or gateway to the Internet. In
other words, this is most definitely required for anything in this tutorial
to work at all. I assume you will want this, since you are reading this.
And of course you need to add the proper drivers for your
interfaces to work properly, i.e. Ethernet adapter,
PPP and SLIP interfaces.
The above will only add some of the pure basics in iptables. You won't be
able to do anything productive to be honest, it just adds the framework to
the kernel. If you want to use the more advanced options in Iptables, you
need to set up the proper configuration options in your kernel. Here we
will show you the options available in a basic 2.4.9 kernel and a brief
CONFIG_IP_NF_CONNTRACK - This
module is needed to make connection tracking. Connection tracking is used
by, among other things, NAT and
Masquerading. If you need to firewall machines on
a LAN you most definitely should mark this
option. For example, this module is required by the rc.firewall.txt script to
CONFIG_IP_NF_FTP - This module
is required if you want to do connection tracking on
FTP connections. Since
FTP connections are quite hard to do connection
tracking on in normal cases, conntrack needs a so called helper; this
option compiles the helper. If you do not add this module you won't be
able to FTP through a firewall or gateway properly.
CONFIG_IP_NF_IPTABLES - This
option is required if you want do any kind of filtering,
masquerading or NAT. It
adds the whole iptables identification framework to the kernel. Without
this you won't be able to do anything at all with iptables.
CONFIG_IP_NF_MATCH_LIMIT - This
module isn't exactly required but it's used in the example rc.firewall.txt. This option
provides the LIMIT match, that adds the possibility to control how many
packets per minute that are to be matched, governed by an appropriate
rule. For example, -m limit --limit 3/minute would
match a maximum of 3 packets per minute. This module can also be used to
avoid certain Denial of Service attacks.
CONFIG_IP_NF_MATCH_MAC - This
allows us to match packets based on MAC
addresses. Every Ethernet adapter has its own MAC
address. We could for instance block packets based on what
MAC address is used and block a certain computer
pretty well since the MAC address very seldom
changes. We don't use this option in the rc.firewall.txt example or anywhere else.
CONFIG_IP_NF_MATCH_MARK - This allows us to
use a MARK match. For example, if we use the target
MARK we could mark a packet and then depending on if this
packet is marked further on in the table, we can match based on this mark. This
option is the actual match MARK, and further down we will
describe the actual target MARK.
CONFIG_IP_NF_MATCH_MULTIPORT - This module
allows us to match packets with a whole range of destination ports or source
ports. Normally this wouldn't be possible, but with this match it is.
CONFIG_IP_NF_MATCH_TOS - With this match we
can match packets based on their TOS field.
TOS stands for Type Of Service.
TOS can also be set by certain rules in the
mangle table and via the ip/tc commands.
This option adds the possibility for us to match
TCP packets based on their
CONFIG_IP_NF_MATCH_STATE - This
is one of the biggest news in comparison to ipchains.
With this module we can do stateful matching on packets. For example, if
we have already seen traffic in two directions in a
TCP connection, this packet will be counted as
ESTABLISHED. This module is used extensively in the
This module will add the possibility for us to match
UDP and ICMP packets
that don't conform to type or are invalid. We could for example drop these
packets, but we never know if they are legitimate or not. Note that this
match is still experimental and might not work perfectly in all cases.
CONFIG_IP_NF_MATCH_OWNER - This option will
add the possibility for us to do matching based on the owner of a socket. For
example, we can allow only the user root to have Internet access. This module
was originally just written as an example on what could be done with the new
iptables. Note that this match is still experimental and
might not work for everyone.
CONFIG_IP_NF_FILTER - This
module will add the basic filter table which will
enable you to do IP filtering at all. In the
filter table you'll find the
INPUT, FORWARD and
OUTPUT chains. This module is required if you
plan to do any kind of filtering on packets that you receive and send.
This target allows us to specify that an ICMP
error message should be sent in reply to incoming packets, instead of
plainly dropping them dead to the floor. Keep in mind that
TCP connections, as opposed to
ICMP and UDP, are always
reset or refused with a TCP RST packet.
This allows packets to be bounced back to the sender of the packet. For
example, if we set up a MIRROR target on
destination port HTTP on our
INPUT chain and someone tries to access this
port, we would bounce his packets back to him and finally he would
probably see his own homepage.
The MIRROR target is not to be used
lightly. It was originally built as a test and example module, and will most
probably be very dangerous to the person setting it up (resulting in serious
DDoS if among other things).
CONFIG_IP_NF_NAT - This module
allows network address translation, or
NAT, in its different forms. This option gives us
access to the nat table in iptables. This option is required if we want to
do port forwarding, masquerading, etc. Note that this option is not
required for firewalling and masquerading of a
LAN, but you should have it present unless you
are able to provide unique IP addresses for all hosts. Hence, this option
is required for the example rc.firewall.txt script to work properly, and most
definitely on your network if you do not have the ability to add unique IP
addresses as specified above.
- This module adds the MASQUERADE target. For instance
if we don't know what IP we have to the Internet this would be the
preferred way of getting the IP instead of using
DNAT or SNAT. In other
words, if we use DHCP,
PPP, SLIP or some other
connection that assigns us an IP, we need to use this target instead of
SNAT. Masquerading gives a slightly higher load
on the computer than NAT, but will work without
us knowing the IP address in advance.
This target is useful together with application
proxies, for example. Instead of letting a packet pass right
through, we remap them to go to our local box instead. In other words, we
have the possibility to make a transparent proxy
CONFIG_IP_NF_TARGET_LOG - This
adds the LOG target and its functionality to
iptables. We can use this module to log certain packets
to syslogd and hence see what is happening to the packet. This is
invaluable for security audits, forensics or debugging a script you are
This option can be used to counter Internet Service Providers and servers
who block ICMP Fragmentation Needed packets. This
can result in web-pages not getting through, small mails getting through
while larger mails don't, ssh works but scp dies after handshake, etc. We
can then use the TCPMSS target to overcome this
by clamping our MSS (Maximum Segment Size) to the
PMTU (Path Maximum Transmit Unit). This way,
we'll be able to handle what the authors of Netfilter themselves call
"criminally brain-dead ISPs or servers" in the kernel configuration help.
Adds a compatibility mode with the obsolescent
ipchains. Do not look to this as any real long term
solution for solving migration from Linux 2.2 kernels to 2.4 kernels,
since it may well be gone with kernel 2.6.
Compatibility mode with obsolescent ipfwadm. Definitely
don't look to this as a real long term solution.
As you can see, there is a heap of options. I have briefly
explained here what kind of extra behaviors you can expect from each
module. These are only the options available in a vanilla Linux 2.4.9
kernel. If you would like to take a look at more options, I suggest you
look at the patch-o-matic (POM) functions in
Netfilter user-land which will add heaps of other
options in the kernel. POM fixes are additions
that are supposed to be added in the kernel in the future but have not
quite reached the kernel yet. These functions should be added in the
future, but have not quite made it in yet. This may be for various reasons
- such as the patch not being stable yet, to Linus Torvalds being unable
to keep up, or not wanting to let the patch in to the mainstream kernel
yet since it is still experimental.
You will need the following options compiled into your kernel,
or as modules, for the rc.firewall.txt script to work. If you need help
with the options that the other scripts need, look at the example firewall
At the very least the above will be required for the rc.firewall.txt script. In
the other example scripts I will explain what requirements they have in
their respective sections. For now, let's try to stay focused on the main
script which you should be studying now.