Network Computing is part of the Informa Tech Division of Informa PLC

Your Iptable Is Ready: Using A Linux Firewall

In the Wild West atmosphere of the Internet, firewalls are a popular topic. That's a good thing: Whether you're responsible for hundreds of corporate servers or a single home workstation, anyone who manages a computer needs to know how firewalls work and how to deploy them properly.

A firewall controls access to a local network, locking out intruders while keeping your systems--and your data--safe on the inside. The firewall capabilities built into Linux can also restrict outgoing network access, ensuring that your corporate secrets remain secret, even against an attack from inside a local network. I'll go into further detail about this later; for now, it's enough to know that you can use a Linux firewall to identify and control access to any computer with an IP address.

Just The Facts: Linux Firewall Basics
The world of Linux firewall access depends on the interactions between three main players: netfilter, a subsystem in the Linux kernel that analyzes and filters IP data packets; iptables, a tool for managing and applying the rulesets that drive these packet filters; and hardware such as the eth0 network device or an attached modem. The firewall software itself is defined by the interaction between input and output queues, transformation queues (there may be many other queues besides), and a rule base that further defines how packets move between those queues.

It's not enough simply to attach a computer to a network connection; it also needs the right software to process arriving and outgoing data packets. A firewall controls this processing, applying pertinent rules and dictating what happens to a packet as a result. As a rule, a firewall may do three things with a packet: accept it and pass it onwards; accept it but refuse to pass it along or even respond to the sender ("dropping" the packet); or refuse to pass it while also returning a failure code/packet to the sender.

Playing By The Rules: Iptable Packet Analysis
What makes a rule pertinent to a particular packet? It all depends on whether a rule matches a packet's characteristics: its source or destination, its data type, the user who owns the process that generated the packet, and a zillion other criteria, most of which are rather technical and rarely used. Rules can be very specific: They may allow a packet to join the output queue, for example, only if it's targeted to a specific gateway machine, is of a particular protocol such as TCP or UDP, came from a user named "fred", and so forth.
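To make the three packet fates and the rule matching above concrete, here is an added example (not from the article) of a complete ruleset in iptables-restore format, where ACCEPT passes a packet on, DROP silently discards it, and REJECT discards it but sends a failure back to the sender; the gateway address 192.0.2.1 and the user name "fred" are constructed values.

```shell
#!/bin/sh
# Added example: a minimal stateful ruleset in iptables-restore format.
# Constructed values: 192.0.2.1 stands in for the gateway, "fred" for the user.

# Print the ruleset as text; nothing touches the kernel until it is fed
# to iptables-restore, so this function is safe to run without root.
build_ruleset() {
    cat <<'EOF'
*filter
# Default policy: silently DROP anything no rule accepts (no reply to sender).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic and replies to connections this host already opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound: accept new SSH connections only; every other TCP connection
# attempt is REJECTed, so the sender gets a TCP reset instead of a timeout.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
# Outbound: DNS for every process, HTTPS to the gateway only for processes
# owned by "fred" (the owner match is only valid in the OUTPUT chain).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d 192.0.2.1 --dport 443 -m owner --uid-owner fred -j ACCEPT
COMMIT
EOF
}

# Count the rules a chain receives by reading the generated text (no root).
count_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# Load the ruleset atomically: --test parses it without committing, so a
# typo fails here instead of leaving the host with a half-loaded firewall.
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}
```

Run `apply_ruleset` as root to install the rules; `build_ruleset` alone lets you review them first.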
