Iptables Concepts: Difference between revisions

From NovaOrdis Knowledge Base

Revision as of 05:04, 10 January 2016

Internal

netfilter, iptables tool, iptables service and firewalld

[Figure: IptablesConcepts.png]

netfilter

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called for every packet that traverses the respective hook.

iptables

iptables is a Linux userspace command line tool that manipulates the IPv4 network packet filtering tables and rules. Packet filtering is most commonly used to implement firewalling functionality. It is also used to implement Network Address Translation (NAT). The iptables command is known to yum as "iptables". For more usage details see iptables Command Line Tool.

ip6tables

ip6tables is the equivalent command line tool that manipulates the IPv6 network packet filtering rules. For more usage details, see iptables Command Line Tool.

iptables and ip6tables Services

iptables and ip6tables services are systemd services that use the iptables tool to interact with the kernel netfilter framework. The iptables services are known to yum as "iptables-services". There are two parallel configurations for iptables and ip6tables services.

firewalld

firewalld is a firewall service daemon with a D-Bus interface. More details about firewalld are available here:

firewalld

iptables service and firewalld

The iptables service and firewalld are incompatible; you must use one or the other.

This is how firewalld is prevented from starting at boot.

Older Firewall Implementations

ipchains

ipfwadm

Network Packet Filtering

[Figure: Iptables.png]

For a particular packet, only one of the INPUT, OUTPUT or FORWARD chains is used.

Packet Handling Details

iptables Packet Handling Details

iptables State Machine

How State Machine Connection Tracking Works

Table

The default table acted upon by the iptables command is "filter". The target table can be changed with -t.

Chain

Rule

Target
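The following added example (not code from the NovaOrdis page) models the table, chain, rule and target concepts above, including the statement that exactly one of INPUT, OUTPUT or FORWARD is traversed per packet: it parses a constructed iptables-save style dump of the filter table and returns the verdict for a packet by walking the selected chain in order, falling back to the chain policy when no rule matches. The dump, the packet dictionaries and the helper names are assumptions made for the example.

```python
# Toy model of iptables table/chain/rule/target dispatch (added example, not from the page).
from dataclasses import dataclass, field
# Constructed iptables-save style dump used as sample input.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j REJECT
-A FORWARD -p tcp --dport 80 -j ACCEPT
COMMIT
"""

@dataclass
class Chain:
    policy: str                                # verdict when no rule matches
    rules: list = field(default_factory=list)  # [(match_dict, target), ...]

def parse_dump(text):
    """Return {table: {chain: Chain}} from iptables-save style text."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):               # table header, e.g. *filter
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):             # chain and its policy
            name, policy = line[1:].split()[:2]
            table[name] = Chain(policy)
        elif line.startswith("-A "):           # append a rule to a chain
            parts = line.split()
            chain, target = parts[1], parts[parts.index("-j") + 1]
            flags = (("-p", "proto"), ("--dport", "dport"), ("-i", "iface"))
            match = {k: parts[parts.index(f) + 1] for f, k in flags if f in parts}
            table[chain].rules.append((match, target))
    return tables

def select_chain(pkt):
    """Exactly one of INPUT, OUTPUT or FORWARD is traversed per packet."""
    if pkt.get("local_src"):
        return "OUTPUT"
    return "INPUT" if pkt.get("local_dst") else "FORWARD"

def verdict(tables, pkt, table="filter"):
    """Walk the chosen chain in order; the first matching rule's target wins."""
    chain = tables[table][select_chain(pkt)]
    for match, target in chain.rules:
        if all(str(pkt.get(k)) == v for k, v in match.items()):
            return target
    return chain.policy                        # nothing matched: chain policy
```

The `table` parameter plays the role of `-t`: the same packet can be evaluated against a different table once that table is present in the dump.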