Chapter 7. Packet Filtering

Table of Contents

7.1. Rationale for and Introduction to Packet Filtering
7.1.1. History of Linux Packet Filter Support
7.1.2. Limits of the Usefulness of Packet Filtering
7.2. Weaknesses of Packet Filtering
7.2.1. Complex Network Layer Stateless Packet Filters
7.3. General Packet Filter Requirements
7.4. The Netfilter Architecture
7.4.1. Packet Filtering with iptables
7.5. Packet Filtering with ipchains
7.5.1. Packet Mangling with ipchains
7.6. Protecting a Host
7.7. Protecting a Network
7.8. Further Resources

It is not an uncommon story today to hear how people were first exposed to linux. Many people found linux an excellent and reliable masquerading firewall in the mid-1990s and slowly became more and more accustomed to working with linux as a result of the low total cost of ownership.

The capabilities of packet filtering tools available under linux today dwarfs that of early linux (ipfwadm, anybody?) yet retains the reliability and expressive flexibility of the older tools.

For networks and machines directly connected to the Internet, packet filtering is no longer an option, but a need. This chapter will introduce the packet filtering tools available under kernels 2.2 and 2.4. Since there is much available documentation on packet filtering, host protection and masquerading with a packet filter, this chapter will refer liberally to external resources.

This chapter begins with an introduction to and the history of packet filtering with linux. After covering some of the weaknesses of packet filtering, it will cover the netfilter architecture, and then delve into using iptables. An introduction to the use of ipchains will follow along with introductions to host and network protection. The chapter will close with an overview of further resources.