---

Home Security

ZDNet: Netfilter and iptables: Stateful firewalling for Linux

By

“Since the pace of change with Linux is so fast, Linux
has not typically been a platform of choice for firewall
implementations; while quick progress is good in many respects, it
also suggests a lack of stability. But the latest Linux kernel,
version 2.4, offers a number of improvements over the 2.2 kernel
that make Linux a viable alternative for corporate firewalls.
Netfilter, Linux’s in-kernel “packet mangling” infrastructure, and
iptables, the administrative tool that manages it, represent a
substantial improvement over ipchains , the previous option
available under the 2.2 kernel. Netfilter offers a much more
integrated and capable infrastructure than did ipchains, while
iptables offers reasonable backwards compatibility with ipchains
and ipfwadm rulesets while still offering administrators the
possibility of improving firewall implementations under Linux.

When deciding on a firewall implementation, most Unix-savvy
administrators have usually chosen to use ipfilter on OpenBSD for
their combination of capabilities and stability, as the
capabilities of Linux’s packet-filtering infrastructure did not
match that of ipfilter. In particular, previous packet filters for
Linux were not stateful (meaning that they couldn’t relate requests
for information and responses to those requests) and didn’t offer
an integrated interface for packet filtering, address translation,
or other packet manipulation. This greatly complicated writing
firewall rules and, for common cases, significantly reduced the
desired level of security that the firewall could provide.

Ipfwadm, the packet filter for the 2.0 series of the Linux
kernel, and ipchains, the packet filter for the Linux 2.2 kernel,
were relatively simple tools that did not meet the needs of most
corporate networks. They also suffered from a lack of integration;
packet filtering, support for common protocols such as RealAudio,
and masquerading–as network address translation (NAT) is called in
the Linux world) were all handled separately. All of this changed
with Netfilter and iptables.”


Complete Story

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.