Netfilter and iptables: Stateful firewalling for Linux

    Date12 Oct 2001
    CategoryFirewalls
    5239
    Posted ByAnthony Pell
    ... the latest Linux kernel, version 2.4, offers a number of improvements over the 2.2 kernel that make Linux a viable alternative for corporate firewalls. Netfilter, Linux's in-kernel "packet mangling" infrastructure, and iptables, the administrative tool that manages it, represent a . . . ... the latest Linux kernel, version 2.4, offers a number of improvements over the 2.2 kernel that make Linux a viable alternative for corporate firewalls. Netfilter, Linux's in-kernel "packet mangling" infrastructure, and iptables, the administrative tool that manages it, represent a substantial improvement over ipchains, the previous option available under the 2.2 kernel. Netfilter offers a much more integrated and capable infrastructure than did ipchains, while iptables offers reasonable backwards compatibility with ipchains and ipfwadm rulesets while still offering administrators the possibility of improving firewall implementations under Linux.

    Stateless packet filters are simpler to implement, but more complicated to configure, and ultimately much less secure than packet filters that do keep state. From the perspective of stateless packet filters, every packet that arrives is a new packet (with no relationship to any packet that came before or after). Since most useful network conversations have two sides, stateless packet filters need two rules for each kind of network traffic they allow--one for the request and another for the reply.

    All network conversations using TCP/IP have a source IP address, a source port, a destination IP address and a destination port. So, to permit client computers on the internal network to browse the Web, stateless packet filters must allow outbound traffic to all computers on port 80 (the common World Wide Web port) and allow inbound traffic from port 80 to all computers on the internal network. Web requests will come from a randomly chosen, high source port on internal machines; consequently, traffic must be permitted to enter the network on all high ports.

    You are not authorised to post comments.

    LinuxSecurity Poll

    Do you reuse passwords across multiple accounts?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /component/communitypolls/?task=poll.vote
    13
    radio
    [{"id":"55","title":"Yes","votes":"5","type":"x","order":"1","pct":45.45,"resources":[]},{"id":"56","title":"No","votes":"6","type":"x","order":"2","pct":54.55,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.