iptables is the name of the user space tool by which administrators create rules for the packet filtering (both inbound and outbound) and NAT modules. While technically iptables is merely the tool which controls the packet filtering and NAT rules within the kernel, the name iptables is often used to refer to the entire firewalling infrastructure, including the kernel-level Xtables (sub)framework that provides the API for match and target modules and the actual firewall table traversal for IPv4, IPv6 and ARP. iptables is a standard component of all modern Linux distributions.
conntrack is the name for the tool that allows manual manipulation of connection tracking and NAT entries.
Prior to iptables, the predominant software packages for creating Linux firewalls were ipchains in Linux 2.2 and ipfwadm in Linux 2.0, which in turn was based on BSD's ipfw. Both ipchains and ipfwadm alter the networking code so that they can manipulate packets, as there was no general packet-control framework until Netfilter. iptables preserves the basic ideas introduced into Linux with ipfwadm: lists of rules, each of which specifies what to match within a packet and what to do with such a packet. ipchains added the concept of chains of rules, and iptables extended this further into tables: one table is consulted when deciding whether to NAT a packet, and another is consulted when deciding how to filter a packet. In addition, the three points at which filtering is done in a packet's journey were altered, so that any packet passes through only one filtering point.
Whereas ipchains and ipfwadm combine packet filtering and NAT (particularly three specific kinds of NAT, called masquerading, port forwarding and redirection), Netfilter makes it possible to separate packet operations into three parts: packet filtering, connection tracking, and Network Address Translation. Each part connects to the Netfilter hooks at different points to access packets. The connection tracking and NAT subsystems are more general and more powerful than the stunted versions within ipchains and ipfwadm.
This split allowed iptables, in turn, to use the information which the connection tracking layer had determined about a packet: this information was previously tied to NAT. This makes iptables superior to ipchains because it has the ability to monitor the state of a connection and redirect, modify or stop data packets based on the state of the connection, not just on the source, destination or data content of the packet. A firewall using iptables this way is said to be a stateful firewall versus ipchains, which can only create a stateless firewall (except in very limited cases). It can be said that ipchains is not aware of the full context from which a data packet arises, whereas iptables is, and therefore iptables can make better decisions on the fate of packets and connections.
iptables, the NAT subsystem and the connection tracking subsystem are also extensible, and many extensions are included in the base iptables package, such as the iptables extension which allows querying of the connection state mentioned above. Additional extensions are distributed alongside the iptables utility, as patches to the kernel source code, along with a patch tool called patch-o-matic.
A version of iptables for IPv6 was written, called ip6tables after the name of the administration tool.
Connection tracking classifies each packet as being in a number of different states: new (trying to create a new connection), established (part of an already-existing connection), related (packet initiating a new connection that is related to, but not actually part of an existing connection), invalid (not part of an existing connection) and untracked. A normal example would be that the first packet the conntrack subsystem sees will be classified new, the reply would be classified established and an ICMP error would be related. An ICMP error packet which did not match any known connection would be invalid. untracked is a special state that can be assigned by the administrator to bypass connection tracking for a particular packet.
The connection state is completely independent of any TCP state. If the host answers with a SYN-ACK packet to acknowledge a new incoming TCP connection, the TCP connection itself is not yet established but the tracked connection is: this packet will match the “established” state.
A tracked connection of a stateless protocol like UDP nevertheless has a connection state.
Furthermore, through the use of plugin modules, connection tracking can be given knowledge of application layer protocols and thus understand that two or more distinct connections are "related". For example, consider the FTP protocol. A control connection is established, but whenever data is transferred, a separate connection is established to transfer it. When the nf_conntrack_ftp module is loaded, the first packet of an FTP data connection will be classified as “related” instead of “new”, as it is logically part of an existing connection.
iptables can use the connection tracking information to make packet filtering rules more powerful and easier to manage. The "conntrack" match extension allows iptables rules to examine the connection tracking classification for a packet. For example, one rule might allow NEW packets only from inside the firewall to outside, but allow RELATED and ESTABLISHED in either direction. This allows normal reply packets from the outside (ESTABLISHED), but does not allow new connections to come from the outside to the inside. However, if an FTP data connection needs to come from outside the firewall to the inside, it will be allowed, because the packet will be correctly classified as RELATED to the FTP control connection, rather than a NEW connection.
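The policy described above can be written as iptables-restore input. The following is an added example, not taken from the Netfilter project: the interface names lan0 (inside) and wan0 (outside) and both function names are assumptions. It also includes a small audit function that flags any FORWARD rule accepting NEW connections that is not pinned to the inside interface.

```shell
#!/bin/sh
# Added example. lan0/wan0 and both function names are assumptions.
# Only forwarding is covered; the host's own INPUT/OUTPUT policy is out of scope.

# Print iptables-restore input for the forwarding policy described above.
emit_stateful_forward_rules() {
    lan_if="$1"; wan_if="$2"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper explicitly to control connections opened from inside.
# Current kernels do not assign helpers to connections automatically.
-A PREROUTING -i $lan_if -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets that match no known connection are dropped first.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Replies and helper-expected flows (FTP data) pass in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections may only be opened from inside to outside.
-A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and print every FORWARD rule that accepts NEW
# connections without being pinned to the inside interface.
# Exit status: 0 if the ruleset is clean, 1 if any such rule was found.
audit_new_from_outside() {
    lan_if="$1"
    awk -v lan="$lan_if" '
        /^-A FORWARD / && /--ctstate [A-Z,]*NEW/ && /-j ACCEPT/ {
            if ($0 !~ ("-i " lan "( |$)")) { print; bad = 1 }
        }
        END { exit bad + 0 }'
}
```

As root, the output of emit_stateful_forward_rules lan0 wan0 can be piped into iptables-restore --test to have it parsed without being committed.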
The Netfilter group also has a patch-o-matic(-ng) (short: POM(-ng); ng = "next generation") subproject, with which experimental features get tested and possibly later included into the mainline kernel and iptables releases. Extensions add new modules, and a script will patch the iptables and kernel sources accordingly. To get the new extensions running, both components need to be recompiled after patching, and the machine needs to start the new kernel.
In January 2008, Xtables-addons was introduced as an alternative to patch-o-matic and allows compilation and execution of most modules without any patching or reboot. However, this project is not supported by the Netfilter project itself.
Any entry in one set can be bound to another set, allowing for sophisticated matching operations.
ipset supports the following set types:
A set can only be removed (destroyed) if there are no iptables rules or other sets referring to it.