Linux Today: Linux News On Internet Time.

ZDNet: Netfilter and iptables: Stateful firewalling for Linux

Oct 13, 2001, 22:09
(Other stories by Todd Underwood)
"Since the pace of change with Linux is so fast, Linux has not typically been a platform of choice for firewall implementations; while quick progress is good in many respects, it also suggests a lack of stability. But the latest Linux kernel, version 2.4, offers a number of improvements over the 2.2 kernel that make Linux a viable alternative for corporate firewalls. Netfilter, Linux's in-kernel "packet mangling" infrastructure, and iptables, the administrative tool that manages it, represent a substantial improvement over ipchains, the previous option available under the 2.2 kernel. Netfilter offers a much more integrated and capable infrastructure than did ipchains, while iptables offers reasonable backwards compatibility with ipchains and ipfwadm rulesets while still offering administrators the possibility of improving firewall implementations under Linux.

When deciding on a firewall implementation, most Unix-savvy administrators have usually chosen to use ipfilter on OpenBSD for their combination of capabilities and stability, as the capabilities of Linux's packet-filtering infrastructure did not match that of ipfilter. In particular, previous packet filters for Linux were not stateful (meaning that they couldn't relate requests for information and responses to those requests) and didn't offer an integrated interface for packet filtering, address translation, or other packet manipulation. This greatly complicated writing firewall rules and, for common cases, significantly reduced the desired level of security that the firewall could provide.

Ipfwadm, the packet filter for the 2.0 series of the Linux kernel, and ipchains, the packet filter for the Linux 2.2 kernel, were relatively simple tools that did not meet the needs of most corporate networks. They also suffered from a lack of integration; packet filtering, support for common protocols such as RealAudio, and masquerading--as network address translation (NAT) is called in the Linux world--were all handled separately. All of this changed with Netfilter and iptables."
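The stateful-versus-stateless distinction the excerpt draws (a filter that can "relate requests for information and responses to those requests") is easier to see in a toy model. The following is an added example, not code from the ZDNet article or from netfilter; the two filter classes, the `Packet` type and the sample addresses are all constructed for illustration, and it keeps only the part of connection tracking that matters here (remembering outbound flows and admitting their replies).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str       # source address
    sport: int     # source port
    dst: str       # destination address
    dport: int     # destination port
    syn: bool
    ack: bool
    inbound: bool  # True when the packet arrives from the untrusted side

def stateless_filter(pkt: Packet) -> str:
    """ipchains-style filter with no memory of earlier packets. To let web
    replies back in, it must accept every inbound packet that merely looks
    like a reply (source port 80, ACK set), whether or not anyone asked."""
    if not pkt.inbound:
        return "ACCEPT"
    if pkt.sport == 80 and pkt.ack and not pkt.syn:
        return "ACCEPT"
    return "DROP"

class StatefulFilter:
    """netfilter-style filter: records outbound flows and admits inbound
    packets only when they belong to a flow it has already seen."""
    def __init__(self) -> None:
        self.flows = set()  # (src, sport, dst, dport) of tracked outbound flows

    def filter(self, pkt: Packet) -> str:
        if not pkt.inbound:
            if pkt.syn and not pkt.ack:  # NEW connection opened from inside
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # A genuine reply carries the reverse 4-tuple of a tracked flow (ESTABLISHED).
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        return "DROP"  # unsolicited inbound traffic, even if it looks like a reply

def compare() -> dict:
    """Constructed sample traffic: one real web session and one unsolicited
    inbound packet dressed up as a web reply. Returns each filter's verdicts."""
    request = Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True, ack=False, inbound=False)
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=False, ack=True, inbound=True)
    unsolicited = Packet("198.51.100.7", 80, "10.0.0.5", 6000, syn=False, ack=True, inbound=True)
    sf = StatefulFilter()
    sf.filter(request)  # the inside host opens the session; the filter remembers it
    return {
        "stateless": {"reply": stateless_filter(reply), "unsolicited": stateless_filter(unsolicited)},
        "stateful": {"reply": sf.filter(reply), "unsolicited": sf.filter(unsolicited)},
    }
```

Both filters pass the real reply, but only the stateful one drops the unsolicited packet, which is the hole a stateless ruleset has to leave open to let replies through.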

