Linux Journal: Taming the Wild Netfilter
Aug 27, 2001, 01:05
(Other stories by David A. Bandel)
"For those of you who have taken the plunge and upgraded from kernel 2.2.X (or even 2.0.X) to 2.4.X, congratulations. If, like a number of folks, you're running some form of firewall using either ipchains or ipfwadm, your scripts may work fine. But sooner or later you're probably going to want to

In the 2.4.X kernels, Rusty Russell, the Linux packet-filter guru, and his crew of coders have implemented Netfilter in the kernel. Netfilter is the replacement for ipchains and ipfwadm. Fortunately, Netfilter permits you to keep using ipchains or ipfwadm until you can come to grips with iptables, by adding a compatibility layer via a kernel module that permits these older packet filters to run. But Netfilter has so many exciting new additions that you'll want to convert those rules as soon as possible. One word of caution, though: if you load the ipchains or ipfwadm modules, you can't load ip_tables (and vice versa), so it's all or nothing. After reading this article, however, making the change should be easy.

For those new to packet filtering, ignore the ipchains translations and use the iptables examples. While not all ipchains commands and options will be translated to iptables, this text should provide a good idea of how to construct a packet-filter firewall by translating ipchains commands into iptables.

The reason you'll want to upgrade to Netfilter is that it, unlike ipchains or ipfwadm, is stateful. This means it can track connections and permit incoming responses to outgoing requests without creating gaping holes in the firewall. The connection tracking opens a specific, temporary hole for responses, and only from the contacted server. We'll see how this works later. The drawback is that with connection tracking in use, Netfilter will need a little more memory, because the connections are tracked in RAM. So your 4MB 386-16 may no longer be up to the job, depending on your filtering requirements."
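The translation the excerpt describes, as an added example that is not part of the article: a POSIX shell function that rewrites one ipchains rule into its iptables form (chain names, the port-after-address syntax, DENY, MASQ, -y and the interface flag), plus two helpers that flag the ipchains-era "accept every non-SYN TCP packet" reply rule and emit the connection-tracking rule that replaces it. Option coverage is limited to what the comments list; the helper names are my own.

```shell
# Added example: translate one ipchains rule into its iptables form.  Covers
# -A/-I/-D, -p, -s/-d with a trailing port, -i, -y and -j (DENY, MASQ);
# -l, -b and "!" placed before an address are not handled.
ipchains2iptables() {
    set -- $1                              # split the rule into words
    [ "$1" = "ipchains" ] && shift
    verb="-A" chain="" table="" matches="" target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I|-D) verb=$1; shift       # built-in chains are upper-case in iptables
                case "$1" in
                    input) chain=INPUT ;; output) chain=OUTPUT ;;
                    forward) chain=FORWARD ;; *) chain=$1 ;;   # user chain keeps its name
                esac ;;
            -s|-d) flag=$1; shift; matches="$matches $flag $1"
                # ipchains appends the port to the address ("-d 0/0 80");
                # iptables wants an explicit --sport/--dport instead
                if [ $# -gt 1 ] && [ "${2#-}" = "$2" ]; then
                    shift
                    [ "$flag" = "-s" ] && matches="$matches --sport $1" \
                                       || matches="$matches --dport $1"
                fi ;;
            -i) shift                      # on output/forward, ipchains -i is the egress side
                case "$chain" in
                    OUTPUT|FORWARD|POSTROUTING) matches="$matches -o $1" ;;
                    *)                          matches="$matches -i $1" ;;
                esac ;;
            -y) matches="$matches --syn" ;;                  # SYN-only match was renamed
            -j) shift
                case "$1" in
                    DENY) target=DROP ;;                     # DENY became DROP
                    MASQ) target=MASQUERADE table="-t nat " chain=POSTROUTING ;;  # nat table
                    *)    target=$1 ;;
                esac ;;
            *) matches="$matches $1" ;;                      # -p, "!" etc. pass through
        esac
        shift
    done
    printf 'iptables %s%s %s%s -j %s\n' "$table" "$verb" "$chain" "$matches" "$target"
}

is_stateless_return_hole() {   # the ipchains-era "accept every non-SYN TCP packet" reply rule
    case "$1" in *" -p tcp "*"! --syn"*" -j ACCEPT") return 0 ;; *) return 1 ;; esac
}
stateful_reply_rule() {        # what connection tracking lets you use instead
    printf 'iptables -A %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$1"
}
```

Feed each line of an old ipchains script through ipchains2iptables, and any rule is_stateless_return_hole flags is one you can drop in favour of a single stateful_reply_rule for that chain.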