IPTables/NetFilter — Linux’s Next-Generation Stateful Packet Filter

Duncan Napier

The IPTables/NetFilter application is considered to be the fourth generation of Linux packet filtering implementations. The first generation was Alan Cox’s port of BSD UNIX’s ipfw to Linux 1.1. Jos Vos and others extended this and added the ipfwadm user tool for manipulating the rules for filtering in the Linux 2.0 kernel. Paul “Rusty” Russell and Michael Neuling made some significant modifications to the 2.2 Linux kernel, and Russell added the user tool ipchains for controlling filtering rules for this kernel. Russell has now implemented a kernel framework called NetFilter.

One of the goals of NetFilter was to provide a single, dedicated packet filter/mangler infrastructure that users and developers could deploy as an add-on built around the Linux kernel. For purposes of this article, packet filtering refers to the redirection of packets (but not modification of packet headers), while mangling refers to packet modification, typically of the source and/or destination IP address. NetFilter was designed to be modular and extensible. IPTables is a module that plugs into the NetFilter framework and allows the user access to kernel filtering/mangling rules and commands. If you are familiar with ipchains, you will notice the similarity between the syntax and format of IPTables and ipchains.

It is also worth noting that NetFilter is outside of the standard Berkeley socket interface and as a result is, at the time of writing, restricted to the Linux OS.

The official NetFilter home page is:

http://netfilter.samba.org/

and it provides the latest documentation, information, patches, and releases related to the NetFilter Project.