The iptables command and framework are used to define the tables and rules of a firewall. Iptables allows stateful packet filtering and network address translation (NAT). Netfilter is the kernel-side framework that iptables configures.
Iptables works with Linux kernels 2.4 and 2.6. Older Linux kernels use ipchains (Linux 2.2) and ipfwadm (Linux 2.0).
A workstation firewall.
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     all  --  localhost.localdomain  localhost.localdomain
ACCEPT     all  --  anywhere               anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere               anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere               anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere               anywhere             icmp echo-reply
DROP       all  --  anywhere               anywhere

Chain FORWARD (policy DROP)
target     prot opt source                 destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                 destination

The RELATED,ESTABLISHED rule uses statefulness: replies to connections the workstation opened itself are accepted, so most client programs (web browser, ssh...) work even though no incoming connections are allowed.
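The commands that produce the listing above, as an added example that is not part of the original page. The script prints the rules from a function so they can be reviewed before being applied, and applies them only when run as root with the argument `apply`. It assumes the iptables binary and the `state` match module of the 2.4/2.6 era are available (newer kernels spell the same match `-m conntrack --ctstate`); the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original page): a workstation firewall that
# accepts loopback traffic, replies to connections we opened, and a few ICMP
# error/reply types, and drops everything else arriving on INPUT.

# Print the rule set. Matching loopback by address (127.0.0.1 -> 127.0.0.1)
# reproduces the "localhost.localdomain" line in the listing; matching the
# interface instead (-i lo) is the more robust choice on a real machine.
workstation_rules() {
    cat <<'EOF'
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -j DROP
EOF
}

# Number of rules appended to INPUT (six in the listing above).
rule_count() {
    workstation_rules | grep -c '^iptables -A INPUT'
}

# Sanity check used before applying: every chain must get an explicit policy
# and the stateful rule must be present, otherwise outgoing sessions break.
rules_are_complete() {
    rules=$(workstation_rules)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q -- "-P $chain " || return 1
    done
    printf '%s\n' "$rules" | grep -q -- '--state RELATED,ESTABLISHED' || return 1
    return 0
}

# Apply the rules. Requires root; refuses to run an incomplete rule set.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    rules_are_complete || { echo "apply_rules: rule set incomplete" >&2; return 1; }
    workstation_rules | sh -e
}

# `sh firewall.sh` prints the rules; `sh firewall.sh apply` (as root) loads them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    workstation_rules
fi
```

After `apply`, `iptables -L` should show the listing above. Note that both the INPUT policy and the trailing `-A INPUT -j DROP` drop unmatched packets; the explicit rule is redundant but makes the intent visible in the listing and keeps behaviour unchanged if someone later sets the policy to ACCEPT.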
$ lynx www.iki.fi/karvinen
(A web page opens)
The computer does not respond to ping, and no services are offered. Because packets are dropped rather than rejected (DROP), connection attempts time out when ports are being scanned.
$ ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

--- 62.78.243.6 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Trying to connect to the HTTP port (TCP 80):
$ telnet 10.0.0.1 80
Trying 10.0.0.1...
(Nothing happens for a long time. The user quits the program with Ctrl-C.)