38.1 Packet Filtering with iptables
The components netfilter and
iptables are responsible for the filtering and
manipulation of network packets as well as for network address
translation (NAT). The filtering criteria and any actions
associated with them are
stored in chains, which must be matched one after another by individual
network packets as they arrive. The chains to match are stored in
tables. The iptables command allows you to alter
these tables and rule sets.
The Linux kernel maintains three tables, each for a particular category of
functions of the packet filter:
- filter
-
This table holds the bulk of the filter rules, because it implements the
packet filtering mechanism in the stricter sense,
which determines whether packets are let through
(ACCEPT) or discarded (DROP), for
example.
- nat
-
This table defines any changes to the source and target addresses of
packets. Using these functions also allows you to implement
masquerading, which is a special case of
NAT used to link a private network with the Internet.
- mangle
-
The rules held in this table make it possible to manipulate values stored
in IP headers (such as the type of service).
These tables contain several predefined chains to match
packets:
- PREROUTING
-
This chain is applied to incoming packets.
- INPUT
-
This chain is applied to packets destined for the system's internal
processes.
- FORWARD
-
This chain is applied to packets that are only routed through the system.
- OUTPUT
-
This chain is applied to packets originating from the system itself.
- POSTROUTING
-
This chain is applied to all outgoing packets.
Figure 38-1 illustrates the paths
along which a network packet may travel on a given system. For the sake of
simplicity, the figure lists tables as parts of chains, but in
reality these chains are held within the tables themselves.
In the simplest of all possible cases, an incoming packet destined for the
system itself arrives at the eth0 interface. The packet
is first referred to the PREROUTING chain of the
mangle table then to the
PREROUTING chain of the nat table. The
following step, concerning the routing of the packet, determines that
the actual target of the packet is a process of the system itself. After
passing the INPUT chains of the mangle
and the filter table, the packet finally reaches its
target, provided that the rules of the filter table are
actually matched.