LXF14 MAY 2001
When Linux 2.4 was released, most people focused on what it would do
to help the average Linux user and talked about the USB support,
FireWire, PCMCIA and DRI. While these are great additions to the
kernel for the majority of people, one of the major improvements over
2.2 was often overlooked, even though it applies almost as much to Joe
(and of course Jane) User as it does to a hardened network engineer.
This is, of course, the inclusion of the ‘netfilter’ framework in the
kernel, which provides packet filtering and other more advanced IP
features. Along with netfilter comes ‘iptables’, the 2.4 equivalent of
ipchains, which provides the user-space interface to the filtering,
Network Address Translation (NAT) and mangling modules.
We’re going to look at building 2.4 with support for netfilter and
iptables, then building a production-level router out of it. If you
have just one machine and use it to connect to the Internet, many of
the same rules still apply: the Internet is one giant, generally
unrestricted network which any reasonable person would have
reservations about putting any sort of machine on, never mind their
own Linux system.
Netfilter or iptables?
The firewalling code in 2.4 is often referred to as ‘netfilter’ or
‘iptables’ interchangeably, without any justification for picking one
name over the other. Given that they are two different things, it’s
worth understanding exactly what each of them does and how the
firewalling code in the kernel is organised.
Netfilter is the framework compiled into the kernel. It provides hooks
into the IP stack at fixed points (before routing, after routing, on
local delivery, on local output and on forwarding) which loadable
modules, iptables being one, use to inspect, alter or drop packets.
Because the actual filtering is done by modules, you can instead load
the ipchains compatibility module and get exactly the same capabilities
as the kernel-level ipchains code in 2.2, or even the module for
ipfwadm from 2.0. The one caveat is that these compatibility modules
and ip_tables are mutually exclusive: you cannot have both loaded at
the same time. Netfilter itself is there all of the time, as long as
it is compiled in, whether or not you are using any firewalling
modules at all.
iptables is split into two parts: the user-space tools and the
kernel-space modules. The kernel-space modules are distributed with
the main kernel, and you compile them as you would any other module,
be it sound drivers, a filesystem or USB support. There is the main
ip_tables module, as well as modules specifically for NAT
(iptable_nat), logging (ipt_LOG), connection tracking (ip_conntrack)
and so on. These modules perform the appropriate function on the
packets which netfilter hands them, depending on the rules in the
relevant rule-list, or chain; the chains themselves live in tables
(filter, nat and mangle), one per kind of job.
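To make the division of labour concrete, here is an added example (it is not from the article) of the sort of rule set the rest of this piece builds towards: a 2.4 box routing a private LAN onto the Internet. The module list is what a 2.4 kernel built with the netfilter options loads for this job; the interface names eth0/eth1 and the 192.168.1.0/24 prefix are assumptions. DRY_RUN is set by default so the script only prints the iptables commands it would run; clear it and run as root to apply them.

```shell
#!/bin/sh
# Added example (not the article's own code): minimal NAT router rules for
# Linux 2.4 with netfilter/iptables. Interface names, the LAN prefix and
# the module list are assumptions; adjust them for your own box.
#
# DRY_RUN is set by default, so the script only prints the commands it
# would run. Run it as root with DRY_RUN= on a 2.4 kernel with the
# netfilter/iptables modules built to actually apply them.
DRY_RUN=${DRY_RUN-1}

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Kernel-side pieces from the text: the core ip_tables module, the filter
# and nat tables, connection tracking (needed by the state match and NAT),
# the MASQUERADE target, LOG and the limit match. Harmless if built in.
load_modules() {
    for m in ip_tables iptable_filter iptable_nat ip_conntrack \
             ipt_state ipt_MASQUERADE ipt_LOG ipt_limit; do
        run modprobe "$m"
    done
}

# build_router_rules WAN_IF LAN_IF LAN_NET
# Default-deny INPUT and FORWARD, stateful return traffic, anti-spoofing on
# the WAN side, rate-limited logging of what gets dropped, and masquerading
# of LAN_NET behind the WAN address. Emits exactly one command per rule.
build_router_rules() {
    wan=$1 lan=$2 net=$3
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # Loopback, and replies to connections the router itself opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets claiming a LAN source on the Internet side are forged.
    run iptables -A INPUT -i "$wan" -s "$net" -j DROP
    run iptables -A FORWARD -i "$wan" -s "$net" -j DROP
    # Trust the LAN to reach the router itself (ssh, DNS and so on).
    run iptables -A INPUT -i "$lan" -s "$net" -j ACCEPT
    # LAN -> Internet freely; Internet -> LAN only for established flows.
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$net" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate-limited, so a flood cannot fill the disk) before the DROP
    # policy takes effect.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
    # NAT: rewrite LAN source addresses to the WAN address on the way out.
    run iptables -t nat -A POSTROUTING -o "$wan" -s "$net" -j MASQUERADE
    # Routing is off by default; turn it on last, once the rules are in place.
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

load_modules
build_router_rules "${WAN:-eth0}" "${LAN:-eth1}" "${LAN_NET:-192.168.1.0/24}"
```

The ordering matters: policies are set to DROP and the anti-spoofing rules are in place before forwarding is switched on, so there is no window in which the box routes with an empty FORWARD chain. The `-m state` and `MASQUERADE` rules are what pull in ip_conntrack; without connection tracking neither would work.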
The user-space iptables code comes in the form of a binary called
‘iptables’, which is distributed separately from the main kernel tree
and is used to add, remove or edit rules for the modules. This is
comparable to the ipchains binary in 2.2. Often,
when referring to iptables, it is assumed to mean the iptables