Iptables Concepts: Difference between revisions
Revision as of 05:12, 10 January 2016
Internal
* iptables
Overview
iptables is capable of tracking a connection's state. For more details see How State Machine Connection Tracking Works.
iptables is specifically built to work on the headers of the Internet and Transport layers. It is possible to do some very basic filtering on the Application and Network Access layers as well, but iptables was not designed for this, nor is it very suitable for those purposes. iptables does not do string matching, because a specific string can be spread across several packets, and reassembling data from different packets is too processor and memory intensive.
netfilter, iptables tool, iptables service and firewalld
netfilter
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called for every packet that traverses the respective hook.
iptables
iptables is a Linux userspace command line tool that manipulates the IPv4 network packet filtering tables and rules. Packet filtering is most commonly used to implement firewalling functionality. It is also used to implement Network Address Translation (NAT). The iptables command is known to yum as "iptables". For more usage details see iptables Command Line Tool.
ip6tables
ip6tables is the equivalent command line tool that manipulates the IPv6 network packet filtering rules. For more usage details, see iptables Command Line Tool.
iptables and ip6tables Services
The iptables and ip6tables services are systemd services that use the iptables tool to interact with the kernel netfilter framework. The iptables services are known to yum as "iptables-services". The iptables and ip6tables services keep two parallel configurations, one for IPv4 and one for IPv6.
firewalld
firewalld is a firewall service daemon with a D-Bus interface. More details about firewalld are available here:
iptables service and firewalld
The iptables service and firewalld are incompatible; you must use one or the other.
This is how firewalld is prevented from starting at boot.
Older Firewall Implementations
ipchains
ipfwadm
Network Packet Filtering
For a particular packet, only one of the INPUT, OUTPUT or FORWARD chains is used.
Packet Handling Details
iptables Packet Handling Details
iptables State Machine
Table
The default table acted upon by the iptables command is "filter". The target table can be changed with -t.
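The following script, added here as an example and not part of the original wiki page, pulls the concepts above together into a minimal stateful host and gateway rule set: default policies on the three filter chains, connection-tracking matches for established and invalid traffic, and a single rule that reaches the nat table through -t. The interface names lan0 and wan0 are constructed; IPT can be overridden (for example IPT=echo) to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a small stateful
# firewall from the concepts on this page: tables, filter chains, and
# connection tracking. Interface names lan0/wan0 are made up.
IPT="${IPT:-iptables}"

# Emit the rule set, one iptables argument list per line. "filter" is the
# default table; "-t filter" is spelled out only to show where -t applies.
rules() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' <<'EOF'
# Default policies: each packet traverses exactly one of these chains.
-t filter -P INPUT DROP
-t filter -P FORWARD DROP
-t filter -P OUTPUT ACCEPT
# Local traffic and replies to connections we already track.
-t filter -A INPUT -i lo -j ACCEPT
-t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
# Only NEW connections to SSH may open a tracked session from outside.
-t filter -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarded traffic: replies always, new sessions only from the LAN side.
-t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t filter -A FORWARD -i lan0 -o wan0 -m conntrack --ctstate NEW -j ACCEPT
# NAT lives in a different table; it is reached only via -t nat.
-t nat -A POSTROUTING -o wan0 -j MASQUERADE
EOF
}

# Apply every rule in order; stop at the first failure.
apply_rules() {
    rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPT $rule || exit 1
    done
}

# Number of -A rules appended to a given table/chain (sanity check).
count_for_chain() {
    rules | grep -c -- "^-t $1 -A $2 "
}
```

Run as root to install the rules; run with IPT=echo to review the exact command lines first.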