"Since the pace of change with Linux is so fast, Linux
has not typically been a platform of choice for firewall
implementations; while quick progress is good in many respects, it
also suggests a lack of stability. But the latest Linux kernel,
version 2.4, offers a number of improvements over the 2.2 kernel
that make Linux a viable alternative for corporate firewalls.
Netfilter, Linux's in-kernel "packet mangling" infrastructure, and
iptables, the administrative tool that manages it, represent a
substantial improvement over ipchains, the previous option
available under the 2.2 kernel. Netfilter offers a much more
integrated and capable infrastructure than did ipchains, while
iptables offers reasonable backwards compatibility with ipchains
and ipfwadm rulesets while still offering administrators the
possibility of improving firewall implementations under Linux.
When deciding on a firewall implementation, most Unix-savvy
administrators have usually chosen to use ipfilter on OpenBSD for
their combination of capabilities and stability, as the
capabilities of Linux's packet-filtering infrastructure did not
match that of ipfilter. In particular, previous packet filters for
Linux were not stateful (meaning that they couldn't relate requests
for information and responses to those requests) and didn't offer
an integrated interface for packet filtering, address translation,
or other packet manipulation. This greatly complicated writing
firewall rules and, for common cases, significantly reduced the
desired level of security that the firewall could provide.
Ipfwadm, the packet filter for the 2.0 series of the Linux
kernel, and ipchains, the packet filter for the Linux 2.2 kernel,
were relatively simple tools that did not meet the needs of most
corporate networks. They also suffered from a lack of integration;
packet filtering, support for common protocols such as RealAudio,
and masquerading--as network address translation (NAT) is called in
the Linux world--were all handled separately. All of this changed
with Netfilter and iptables."
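The quoted passage says earlier Linux filters "couldn't relate requests for information and responses to those requests". The following toy model, added here as an illustration and not code from the article, Netfilter, or any Linux tool, shows what that difference costs. It contrasts a stateless policy that admits any inbound packet without the SYN flag (the approximation of "established" that pre-Netfilter filters had to rely on) against a connection-tracking filter that admits an inbound packet only when it is the reverse of a flow an inside host opened. All addresses, ports, the inside-network prefix and the three packets are constructed; real connection tracking also checks sequence numbers, handles UDP and ICMP, and ages entries out.

```python
"""Toy model of stateless versus stateful packet filtering.

Constructed illustration only; not Linux kernel, ipchains or iptables code.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)


def stateless_policy(pkt: Packet) -> bool:
    """Pre-Netfilter style rules: allow everything outbound, and inbound allow
    only packets without SYN, on the assumption that they are replies."""
    if is_inside(pkt.src):
        return True
    return not pkt.syn  # any non-SYN packet is taken on faith as a reply


class StatefulFilter:
    """Minimal connection tracker: remembers outbound flows and admits inbound
    packets only when they match the reverse of a remembered flow."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            # NEW outbound flow: record it so its replies can be related to it
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: ESTABLISHED only if an inside host opened the reverse flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict[str, list[bool]]:
    """Three constructed packets: a request from inside, its genuine reply,
    and an unsolicited inbound packet dressed up to look like a reply."""
    tracker = StatefulFilter()
    request = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, ack=True)
    unsolicited = Packet("198.51.100.7", 80, "10.0.0.5", 22, ack=True)
    packets = (request, reply, unsolicited)
    return {
        "stateless": [stateless_policy(p) for p in packets],
        "stateful": [tracker.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:9s} request/reply/unsolicited -> {verdicts}")
```

The stateless policy passes all three packets, including the unsolicited one, because a flag value is the only evidence it has; the stateful filter passes the request and its reply but drops the third packet, which matches no flow that an inside host initiated. That is the gap the passage describes when it says the lack of state "significantly reduced the desired level of security" of earlier Linux firewalls.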