SysAdmin: IPTables/NetFilter – Linux’s Next-Generation Stateful Packet Filter

“The IPTables/NetFilter application is considered to be
the fourth generation of Linux packet filtering implementations.
The first generation was Alan Cox’s port of BSD UNIX’s ipfw to
Linux 1.1. Jos Vos and others extended this and added the ipfwadm
user tool for manipulating the rules for filtering in the Linux 2.0
kernel. Paul “Rusty” Russell and Michael Neuling made some
significant modifications to the 2.2 Linux kernel, and Russell
added the user tool ipchains for controlling filtering rules for
this kernel. Russell has now implemented a kernel framework called

One of the goals of NetFilter was to provide a single, dedicated
packet filter/mangler infrastructure that users and developers
could deploy as an add-on built around the Linux kernel. For
purposes of this article, packet filtering refers to the
redirection of packets (but not modification of packet headers),
while mangling refers to packet modification, typically of the
source and/or destination IP address. NetFilter was designed to be
modular and extensible. IPTables is a module that plugs into the
NetFilter framework and allows the user access to kernel
filtering/mangling rules and commands. If you are familiar with
ipchains, you will notice the similarity between the syntax and
format of IPTables and ipchains.

It is also worth noting that NetFilter is outside of the
standard Berkeley socket interface and as a result is, at the time
of writing, restricted to the Linux OS.”
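The excerpt distinguishes filtering (deciding whether a packet passes, without touching its headers) from mangling (rewriting the source or destination address). The script below is an added example, not code from the article or from the NetFilter project, showing what each looks like as iptables commands on a small gateway: a default-deny, connection-tracked INPUT chain for the filtering side, and MASQUERADE/DNAT rules for address rewriting. Note that in iptables' own table names, the address rewriting the article calls mangling lives in the `nat` table (the `mangle` table is for other header changes). The interface name and addresses are constructed placeholders, and rules are printed rather than loaded unless DRY_RUN=0 is set, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the article): a minimal stateful ruleset for a
# Linux gateway. Interface and addresses below are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"                   # assumed external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # constructed private network
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"   # constructed internal host

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# ruleset can be reviewed without privileges; DRY_RUN=0 applies it.
DRY_RUN="${DRY_RUN:-1}"
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Filtering in the article's sense: the filter table decides pass/drop and
# leaves headers alone. Default-deny INPUT, with connection tracking so
# only replies to connections this host opened are accepted automatically.
filter_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # New SSH sessions only from the internal network.
    ipt -A INPUT -p tcp --dport 22 -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Log what the default policy is about to drop, for detection.
    ipt -A INPUT -j LOG --log-prefix "INPUT-DROP: "
    ipt -A INPUT -j DROP
}

# Mangling in the article's sense: rewriting source/destination addresses.
# In iptables terms this is the nat table: MASQUERADE rewrites the source of
# outbound LAN traffic, DNAT rewrites the destination of inbound web traffic.
nat_rules() {
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER":80
    # Translated packets still traverse FORWARD and need a filter decision.
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of iptables commands a rule function emits in dry-run mode.
count_rules() { "$1" | grep -c '^iptables '; }

filter_rules
nat_rules
```

Run it as-is to review the generated commands; `DRY_RUN=0 sh script.sh` as root loads them. The LOG rule before the final DROP is the defender's hook: dropped packets show up in the kernel log with the `INPUT-DROP:` prefix, which is what you would feed a log monitor.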
