10.12.1 Netfilter configuration
The netfilter/iptables project is a firewalling subsystem for Linux 2.4 and
where many network configuration issues are explained.
10.12.1.1 Basics of netfilter
Netfilter processes packets using five built-in chains: PREROUTING, INPUT, FORWARD,
OUTPUT, and POSTROUTING.
    IN ------> PRE ---> ------> FORWARD -----> ----> POST -----> OUT
 interface   ROUTING    \       filter       /     ROUTING    interface
              DNAT       |     tracking      ^      SNAT
            REDIRECT     |                   |      MASQUERADE
                         |  filter      ^ filter,DNAT
                         \--> Local Process --/
10.12.1.2 Netfilter table
Packets are processed at each built-in chain using the following tables.
filter (packet filter, default)
INPUT (for packets coming into the box itself)
FORWARD (for packets being routed through the box)
OUTPUT (for locally generated packets).
nat (network address translation)
PREROUTING (for altering packets as soon as they come in)
OUTPUT (for altering locally generated packets before routing)
POSTROUTING (for altering packets as they are about to go out)
mangle (network address mangling, good only after 2.4.18)
10.12.1.3 Netfilter target
Firewall rules have several targets:
four basic targets:
ACCEPT means to let the packet through.
DROP means to drop the packet.
QUEUE means to pass the packet to userspace (if supported by the kernel).
RETURN means stop traversing this chain and resume at the next rule in the
previous (calling) chain.
LOG turns on kernel logging.
REJECT sends back an error packet and drops the packet.
SNAT alters the source address of the packet and is used only in the
POSTROUTING chain. (nat table only)
MASQUERADE is the same as SNAT but for dynamically assigned IP (dialup)
connections. (nat table only)
DNAT alters the destination address of the packet and is used in the PREROUTING
and OUTPUT chains, and user-defined chains which are only called from those
chains. (nat table only)
REDIRECT alters the destination IP address to send the packet to the machine
10.12.1.4 Netfilter commands
The basic commands of
iptables -N chain # create a chain
iptables -A chain \ # add rule to chain
-t table \ # use table (filter, nat, mangle)
-p protocol \ # tcp, udp, icmp, or all
-s source-address[/mask] \ # source address, optional netmask
--sport port[:port] \ # source port if -p is tcp or udp
-d destination-address[/mask] \ # destination address, optional netmask
--dport port[:port] \ # dest. port if -p is tcp or udp
-j target \ # what to do if match
-i in-interface-name \ # for INPUT, FORWARD, PREROUTING
-o out-interface-name # for FORWARD, OUTPUT, POSTROUTING
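As an added example (not from the Debian Reference), here is a complete host firewall in the format that iptables-restore(8) reads, putting the filter table's built-in chains, a user-defined chain, and the ACCEPT, DROP, RETURN, LOG and REJECT targets from the sections above to work. The interface name eth0 and the LAN prefix 192.168.1.0/24 are assumed values; adjust them before loading.

```shell
#!/bin/sh
# Added example, not from the Debian Reference: emit a minimal stateful host
# firewall in iptables-restore(8) format, exercising the filter table's
# built-in chains, a user-defined chain, and the ACCEPT/DROP/RETURN/LOG/REJECT
# targets. "eth0" and 192.168.1.0/24 are assumed values.
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"

emit_host_ruleset() {
    cat <<EOF
*filter
# Built-in chain policies: what no rule accepts is dropped; local output is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chains (policy "-"): entered with -j, left with RETURN.
:SSH_CHECK - [0:0]
:LOGDROP - [0:0]
# Loopback and already-tracked connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# New SSH connections are decided in SSH_CHECK; if it RETURNs, INPUT continues below.
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Ident probes get a TCP reset rather than a timeout (REJECT is terminating).
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Echo requests are allowed but rate-limited.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Everything else: log a sample, then drop.
-A INPUT -j LOGDROP
# SSH_CHECK: only the LAN may open SSH; other sources RETURN to INPUT.
-A SSH_CHECK -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
-A SSH_CHECK -j RETURN
# LOGDROP: LOG is non-terminating, so the packet goes on to the DROP rule.
-A LOGDROP -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Number of rule lines (-A ...) in the emitted ruleset.
count_rules() {
    emit_host_ruleset | grep -c '^-A'
}

# Target of the last INPUT rule, i.e. where a packet ends up when nothing
# earlier in INPUT matched it.
last_input_target() {
    emit_host_ruleset | awk '/^-A INPUT /{t=$NF} END{print t}'
}

emit_host_ruleset
```

Save the output to a file and load it as root with iptables-restore reading that file. The -m state match is the 2.4-era connection-tracking interface and is still accepted by current iptables. LOG never ends chain traversal, which is why LOGDROP pairs a rate-limited LOG with a following DROP; the limit keeps a packet flood from filling the kernel log.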
10.12.1.5 Network Address Translation
Machines on a LAN can access Internet resources through a gateway that
translates IP addresses on the LAN to IP addresses usable on the Internet.
# apt-get install ipmasq
Apply example rules to strengthen the
ipmasq protection. See
For Debian kernel-image-2.4 under woody, make sure to load the proper modules.
Sarge version of ipmasq fixed this issue. See Network function, Section 7.2.3 for
For Debian kernel-image-2.2, edit
/etc/masq/rules as follows to ensure a longer connection to remote
sites (good for large emails, etc.):
# tcp, tcp-fin, udp
# 2hr, 10 sec, 160 sec - default
# 1 day, 10 min, 10 min - longer example
$IPCHAINS -M -S 86400 600 600
Also, if the network is accessed through a PCMCIA NIC,
needs to be started either from
/etc/network/interfaces (read: Network configuration and PCMCIA, Section 10.8.5
Triggering network configuration, Section
10.12.1.6 Redirect SMTP connection (2.4)
Suppose you have a notebook PC which is configured to use other LAN
environments and you want to use your mail user agent on the notebook PC
without reconfiguring it.
Adding the following rules through the
iptables command to the
gateway machine will redirect the SMTP connection to the gateway machine.
# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -j REDIRECT \
-p tcp --dport smtp --to-port 25 # smtp=25, INPUT is open
For a more thorough redirect rule set consider installing the
ipmasq package and adding
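The following is an added example, not from the Debian Reference or the ipmasq package: a complete gateway ruleset in iptables-restore(8) format for a Linux 2.4 or later kernel that masquerades the LAN behind a dial-up interface (the Network Address Translation section above) and redirects the LAN's outbound SMTP to the gateway's own port 25 (the rule above). The interface names ppp0 and eth0 and the LAN prefix 192.168.1.0/24 are assumed values. It also shows the filter rule that the comment "INPUT is open" relies on.

```shell
#!/bin/sh
# Added example, not from the Debian Reference or the ipmasq package: a gateway
# ruleset (nat + filter tables) for a Linux 2.4 or later kernel that masquerades
# a LAN behind a dial-up interface and redirects the LAN's outbound SMTP to the
# gateway itself. Interface names and the LAN prefix are assumed values.
WAN_IF="ppp0"
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"

emit_gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# REDIRECT (PREROUTING): LAN clients' port-25 connections land on this box's MTA.
# Matching -i ${LAN_IF} keeps packets arriving from the WAN side out of the redirect.
-A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 25 -j REDIRECT --to-ports 25
# MASQUERADE (POSTROUTING): the WAN address is dynamic, so MASQUERADE rather than SNAT.
-A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# After REDIRECT the SMTP packet is for a local process, so it traverses INPUT,
# not FORWARD: INPUT must accept it, but only from the LAN interface.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 25 -j ACCEPT
# FORWARD: LAN to WAN is allowed; replies come back via the conntrack entry.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count the rules (-A lines) inside one table of the emitted ruleset; a quick
# sanity check before handing the file to iptables-restore.
rules_in_table() {
    emit_gateway_ruleset | awk -v want="*$1" '
        /^\*/ { cur = $0; next }
        /^-A/ && cur == want { n++ }
        END { print n + 0 }'
}

emit_gateway_ruleset
```

Forwarding must be switched on separately (write 1 to /proc/sys/net/ipv4/ip_forward) or the FORWARD rules never see a packet. Because the redirected connection is terminated by the gateway's own MTA, the gateway's INPUT chain, not FORWARD, decides whether it is accepted; restricting that rule to the LAN interface keeps the gateway from becoming an open relay entry point on the WAN side.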