Building Firewalls with iptables, Part 1
Exposing any system, no matter how briefly, to an untrusted network is suicidal. A firewall is absolutely vital, and fortunately, the Linux world offers us an excellent free firewall utility in netfilter/iptables.
Exposing any system, no matter how briefly, to an untrusted network is suicidal. A firewall, while not a 100% secure solution, is absolutely vital. The Linux world gives us an excellent firewall utility in netfilter/iptables. It is free and runs nicely on feeble old PCs. Netfilter/iptables is flexible, powerful, and enables fine-grained control of incoming and outgoing traffic. The two main functions this series will address are building firewalls and sharing Internet connections, which commonly go hand-in-hand. In Part 1 we'll cover basic concepts; Part 2 will offer examples of rulesets for various uses.
Netfilter/iptables is included with the 2.4/2.5 Linux kernel for firewall, network address translation (NAT), and packet mangling functions. Netfilter works inside the kernel, while iptables is the table structure for the user-defined rulesets. Netfilter/iptables is the descendant of our old friends ipchains and ipwadfm (IP firewall administration); for simplicity, let's call it iptables from this point forward.
Some other excellent uses for iptables are for building firewalls for individual Unix/Linux/BSD workstations and also for building firewalls for subnets to protect other platforms. It's free, so why not construct layers of defenses? Depending solely on a gateway firewall is not enough.
iptables reads only packet headers, and as a result does not inspect payload. It also does not perform authentication. For extra security, combine it with a proxy server such as squid. For Windows users, AnalogX is a popular proxy server noted for its ease of use. (Beware that the default configuration is completely insecure. Do not "set it and forget it," as it installs wide open.)
What It Does
The typical setup is to have two network interfaces -- one "outward" and one "inward" (or call them public and private). iptables reads incoming (and outgoing -- don't forget egress filtering!) packet headers and compares them to the rulesets, then forwards the acceptable packets from one interface to the other. Rejected packets are dropped on the spot -- boom splat -- or are directed in other ways, as you prefer.
Packets must traverse tables and chains. iptables has three built-in tables: filter, NAT, and mangle. (The mangle table is for specialized packet alterations, which we will not cover in this series.) Chains are the lists of rules in each table that match packets and then tell what to do with them. Target is any rule that applies to a matching packet. You'll see these terms a lot.
Unlike ipchains and ipfwadm, iptables uses stateful packet inspection. iptables inspects the source and destination IP addresses, the source and destination ports, and the sequence numbers of incoming packets. In a sense, iptables "remembers" which packets are already permitted on an existing connection. This provides a significant gain in security -- ephemeral ports are open only for as long as they are needed, as opposed to requiring all manner of permanent holes in the firewall to accomodate the various protocols. Malicious packets with altered headers are detected and dropped, even when they contain an allowed destination address and port.