168 Chapter 13. Firewalls and iptables
OUTPUT This chain applies to packets sent out via the same network interface which received the packets.
FORWARD This chain applies to packets received on one network interface and sent out on another.
The built-in chains for the nat table are as follows:
PREROUTING This chain alters packets received via a network interface when they arrive.
OUTPUT This chain alters locally generated packets before they are routed via a network interface.
POSTROUTING This chain alters packets before they are sent out via a network interface.
The built-in chains for the mangle table are as follows:
PREROUTING This chain alters packets received via a network interface before they are routed.
OUTPUT This chain alters locally generated packets before they are routed via a network interface.
Every network packet received by or sent out of a Linux system is subject to at least one table. A packet may be checked against multiple rules within each rule list before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service.
Regardless of their destination, when packets match a particular rule on one of the tables, they are designated for a particular target or action to be applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.
Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE the packet to be passed to user space. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy.
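A small Python model of this evaluation order, added here as an illustration and not part of the original guide or of iptables itself: rules are tried in sequence, the first match decides the verdict (ACCEPT, DROP or REJECT), and the chain's default policy applies when no rule matches. The rule fields and the sample INPUT ruleset are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Terminating targets from the text: ACCEPT lets the packet continue, DROP
# discards it silently, REJECT discards it and sends an error back.
ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"

@dataclass
class Packet:
    src: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass
class Rule:
    target: str
    src: Optional[str] = None    # CIDR, as in "-s 192.0.2.0/24"
    proto: Optional[str] = None  # as in "-p tcp"
    dport: Optional[int] = None  # as in "--dport 22"

    def matches(self, pkt: Packet) -> bool:
        # Every match field that is set must agree with the packet.
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport

@dataclass
class Chain:
    policy: str                  # default policy, as in "-P INPUT DROP"
    rules: list = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # First matching rule decides; the rest of the list is skipped.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy       # no rule applied: default policy

# Constructed sample: admit SSH from one management subnet, refuse other SSH
# attempts with an error, silently drop everything else.
INPUT = Chain(policy=DROP, rules=[
    Rule(ACCEPT, src="192.0.2.0/24", proto="tcp", dport=22),
    Rule(REJECT, proto="tcp", dport=22),
])
def check(src: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    return INPUT.verdict(Packet(src, proto, dport))
```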
The iptables command allows you to configure these rule lists, as well as set up new tables to be used for your particular situation.
13.2. Differences between iptables and ipchains
At first glance, ipchains and iptables appear to be quite similar. Both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules. However, iptables offers a much more extensible way of filtering packets, giving the administrator a greater amount of control without building too much complexity into the entire system.
Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:
Under iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. For instance, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the