Included with Community Enterprise Linux are advanced tools for network packet filtering - the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on ipchains for packet filtering and used lists of rules applied to packets at each step of the filtering process. The 2.4 kernel introduced iptables (also called netfilter), which is similar to ipchains but greatly expands the scope and control available for filtering network packets.

This chapter focuses on packet filtering basics, defines the differences between ipchains and iptables, explains various options available with iptables commands, and explains how filtering rules can be preserved between system reboots.

Refer to for instructions on how to construct iptables rules and setting up a firewall based on these rules.

The default firewall mechanism in the 2.4 and later kernels is iptables, but iptables cannot be used if ipchains is already running. If ipchains is present at boot time, the kernel issues an error and fails to start iptables.

The functionality of ipchains is not affected by these errors.

Packet Filtering

The Linux kernel uses the Netfilter facility to filter packets, allowing some of them to be received by or pass through the system while stopping others. This facility is built in to the Linux kernel, and has three built-in tables or rules lists, as follows:

Each table has a group of built-in chains, which correspond to the actions performed on the packet by netfilter.

The built-in chains for the filter table are as follows:

The built-in chains for the nat table are as follows:

The built-in chains for the mangle table are as follows:

Every network packet received by or sent from a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address, or set of addresses, when using a particular protocol and network service.

By default, firewall rules are saved in the /etc/sysconfig/iptables or /etc/sysconfig/ip6tables files.

The iptables service starts before any DNS-related services when a Linux system is booted. This means that firewall rules can only reference numeric IP addresses (for example, Domain names (for example, host.example.com) in such rules produce errors.

Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user-space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.

Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy.

The iptables command configures these tables, as well as sets up new tables if necessary.

Differences Between IPTables and IPChains

Both ipchains and iptables use chains of rules that operate within the Linux kernel to filter packets based on matches with specified rules or rule sets. However, iptables offers a more extensible way of filtering packets, giving the administrator greater control without building undue complexity into the system.

You should be aware of the following significant differences between ipchains and iptables:

Using iptables, each filtered packet is processed using rules from only one chain rather than multiple chains.

For example, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains to continue to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system, and only sends them to the OUTPUT chain if the local system generated the packets. It is therefore important to place the rule designed to catch a particular packet within the chain that actually handles the packet.

The DENY target has been changed to DROP.

In ipchains, packets that matched a rule in a chain could be directed to the DENY target. This target must be changed to DROP in iptables.

Order matters when placing options in a rule.

In ipchains, the order of the rule options does not matter.

The iptables command has a stricter syntax. The iptables command requires that the protocol (ICMP, TCP, or UDP) be specified before the source or destination ports.

Network interfaces must be associated with the correct chains in firewall rules.

For example, incoming interfaces (-i option) can only be used in INPUT or FORWARD chains. Similarly, outgoing interfaces (-o option) can only be used in FORWARD or OUTPUT chains.

In other words, INPUT chains and incoming interfaces work together; OUTPUT chains and outgoing interfaces work together. FORWARD chains work with both incoming and outgoing interfaces.

OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.

This is not a comprehensive list of the changes. Refer to for more specific information.

Command Options for IPTables

Rules for filtering packets are created using the iptables command. The following aspects of the packet are most often used as criteria:

Refer to and for more information about specific options that address these aspects of a packet.

The options used with specific iptables rules must be grouped logically, based on the purpose and conditions of the overall rule, for the rule to be valid. The remainder of this section explains commonly-used options for the iptables command.

Structure of IPTables Command Options

Many iptables commands have the following structure:

iptables [-t <table-name>] <command> <chain-name> \
   <parameter-1> <option-1> \
   <parameter-n> <option-n>

<table-name> - Specifies which table the rule applies to. If omitted, the filter table is used.

<command> - Specifies the action to perform, such as appending or deleting a rule.

<chain-name> - Specifies the chain to edit, create, or delete.

<parameter>-<option> pairs - Parameters and associated options that specify how to process a packet that matches the rule.

The length and complexity of an iptables command can change significantly, based on its purpose.

For example, a command to remove a rule from a chain can be very short:

iptables -D <chain-name> <line-number>

In contrast, a command that adds a rule which filters packets from a particular subnet using a variety of specific parameters and options can be rather long. When constructing iptables commands, it is important to remember that some parameters and options require further parameters and options to construct a valid rule. This can produce a cascading effect, with the further parameters requiring yet more parameters. Until every parameter and option that requires another set of options is satisfied, the rule is not valid.

Type iptables -h to view a comprehensive list of iptables command structures.

Command Options

Command options instruct iptables to perform a specific action. Only one command option is allowed per iptables command. With the exception of the help command, all commands are written in upper-case characters.

The iptables commands are as follows:

IPTables Parameter Options

Certain iptables commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.

If the -i parameter is used but no interface is specified, then every interface is affected by the rule.

IPTables Match Options

Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the iptables command. For example, -p <protocol-name> enables options for the specified protocol. Note that you can also use the protocol ID, instead of the protocol name. Refer to the following examples, each of which have the same effect:

iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p 5813 --icmp-type any -j ACCEPT

Service definitions are provided in the /etc/services file. For readability, it is recommended that you use the service names rather than the port numbers.

Secure the /etc/services file to prevent unauthorized editing. If this file is editable, crackers can use it to enable ports on your machine you have otherwise closed. To secure this file, type the following commands as root:

chown root.root /etc/services
chmod 0644 /etc/services
chattr +i /etc/services

This prevents the file from being renamed, deleted or having links made to it.

TCP Protocol

These match options are available for the TCP protocol (-p tcp):

To configure this option, use a network service name (such as www or smtp); a port number; or a range of port numbers.

To specify a range of port numbers, separate the two numbers with a colon (:). For example: -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535.

Use an exclamation point character (!) after the --dport option to match all packets that do not use that network service or port.

To browse the names and aliases of network services and the port numbers they use, view the /etc/services file.

The --destination-port match option is synonymous with --dport.

For example, an iptables rule that contains the following specification only matches TCP packets that have the SYN flag set and the ACK and FIN flags not set:

--tcp-flags ACK,FIN,SYN SYN

Use the exclamation point character (!) after the --tcp-flags to reverse the effect of the match option.

UDP Protocol

These match options are available for the UDP protocol (-p udp):

For the --dport and --sport options, to specify a range of port numbers, separate the two numbers with a colon (:). For example: -p tcp --dport 3000:3200. The largest acceptable valid range is 0:65535.

ICMP Protocol

The following match options are available for the Internet Control Message Protocol (ICMP) (-p icmp):

Additional Match Option Modules

Additional match options are available through modules loaded by the iptables command.

To use a match option module, load the module by name using the -m <module-name>, where <module-name> is the name of the module.

Many modules are available by default. You can also create modules to provide additional functionality.

The following is a partial list of the most commonly used modules:

When used in conjunction with the LOG target, the limit module can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources.

Refer to for more information about the LOG target.

The limit module enables the following options:

Periods can be specified in seconds, minutes, hours, or days.

If a number and time modifier are not used, the default value of 3/hour is assumed.

These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW.

Refer to the iptables man page for more match options available through modules.

Target Options

When a packet has matched a particular rule, the rule can direct the packet to a number of different targets which determine the appropriate action. Each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.

The following are the standard targets:

In addition, extensions are available which allow other targets to be specified. These extensions are called target modules or match option modules and most only apply to specific tables and situations. Refer to for more information about match option modules.

Many extended target modules exist, most of which only apply to specific tables or situations. Some of the most popular target modules included by default in Community Enterprise Linux are:

Additional options can be used after the LOG target to specify the way in which logging occurs:

Other target extensions, including several that are useful for IP masquerading using the nat table, or with packet alteration using the mangle table, can be found in the iptables man page.

Listing Options

The default list command, iptables -L [<chain-name>], provides a very basic overview of the default filter table's current chains. Additional options provide more information:

The following examples illustrate the use of several of these options. Note the difference in the byte display by including the -x option.

~]# iptables -L OUTPUT -v -n -x
Chain OUTPUT (policy ACCEPT 64005 packets, 6445791 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1593   133812 ACCEPT     icmp --  *      *  
~]# iptables -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 64783 packets, 6492K bytes)
    pkts bytes target     prot opt in     out     source               destination
    1819  153K ACCEPT     icmp --  *      *  

Saving IPTables Rules

Rules created with the iptables command are stored in memory. If the system is restarted before saving the iptables rule set, all rules are lost. For netfilter rules to persist through a system reboot, they need to be saved. To save netfilter rules, type the following command as root:

service iptables save

This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.

The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.

While it is always a good idea to test a new iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system's version of this file. This provides a quick way to distribute sets of iptables rules to multiple machines.

You can also save the iptables rules to a separate file for distribution, backup or other purposes. To save your iptables rules, type the following command as root:

iptables-save > <filename>

where <filename> is a user-defined name for your ruleset.

If distributing the /etc/sysconfig/iptables file to other machines, type /sbin/service iptables restart for the new rules to take effect.

Note the difference between the iptables command (/sbin/iptables), which is used to manipulate the tables and chains that constitute the iptables functionality, and the iptables service (/sbin/iptables service), which is used to enable and disable the iptables service itself.

IPTables Control Scripts

There are two basic methods for controlling iptables in Community Enterprise Linux:

To use the same initscript commands to control netfilter for IPv6, substitute ip6tables for iptables in the /sbin/service commands listed in this section. For more information about IPv6 and netfilter, refer to .

IPTables Control Scripts Configuration File

The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained in this file:

IPTables and IPv6

If the iptables-ipv6 package is installed, netfilter in Community Enterprise Linux can filter the next-generation IPv6 Internet protocol. The command used to manipulate the IPv6 netfilter is ip6tables.

Most directives for this command are identical to those used for iptables, except the nat table is not yet supported. This means that it is not yet possible to perform IPv6 network address translation tasks, such as masquerading and port forwarding.

Rules for ip6tables are saved in the /etc/sysconfig/ip6tables file. Previous rules saved by the ip6tables initscripts are saved in the /etc/sysconfig/ip6tables.save file.

Configuration options for the ip6tables init script are stored in /etc/sysconfig/ip6tables-config, and the names for each directive vary slightly from their iptables counterparts.

For example, the iptables-config directive IPTABLES_MODULES:the equivalent in the ip6tables-config file is IP6TABLES_MODULES.

Additional Resources

Refer to the following sources for additional information on packet filtering with iptables.

Installed Documentation

Useful Websites

[] Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.

[] GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.

[] This access is still subject to the restrictions imposed by SELinux, if it is enabled.

[] A system where both the client and the server share a common key that is used to encrypt and decrypt network communication.