Building a firewall with Netfilter and IPTABLES

Abstract

In an increasingly networked world our computers are more vulnerable than ever to attack. New software defects are discovered every day and new exploits of these defects are increasingly being used by automated "bot-nets" to attack and compromise other machines making a good defence against such attacks more important than ever. The first line of defence against this onslaught should usually be a well configured firewall which can act as both a barrier against unwanted network traffic and a filter to ensure that the network traffic we do allow is legitimate.

This document aims to be a how-to describing the planning and implementation of a Linux firewall based on NetFilter kernel subsystem and the iptables user-land application. The filtering of TCP, UDP and ICMP packets is covered as well as simple routing and Network Address Translation using the the SNAT, DNAT and Masquerade targets. We also discuss logging filtered packets both as an aid to debugging connection related issues and as a method of monitoring for new attacks and attack vectors.

Contents

• Preparing the ground
  • Introduction
    • What is a firewall?
    • Why do I need a firewall?
    • Types of firewall
    • What is iptables?
  • Configuring kernel options and installing packages
    • Configuring networking options
    • Configuring core Netfilter options
    • Configuring IP Netfilter options
    • Building and installing the kernel
    • Installing the userspace tools
• Beginning Netfilter / iptables
  • How the Netfilter system works
    • Tables, chains, rules, targets and policies
    • Built-in tables and chains
  • Basic packet filtering
    • Getting started
    • Logging Netfilter activity
    • Filtering invalid packets
    • Putting it all together
  • Extending the packet filter
    • Output filtering
    • More infrastructure
    • Simple services
    • Complex services
  • Beyond TCP
    • UDP based protocols
    • ICMP messages
    • The loopback interface
    • Broadcast packets
    • Finishing up
• Intermediate Netfilter / iptables
  • Rate limiting
    • Why limit?
    • What to limit by?
    • Simple rate limiting
    • Connection limiting
    • Per address / port rate limiting
    • Complex limiting
  • Multi-homed hosts
    • Filtering by interface
    • Filtering during routing
  • Network Address Translation (NAT)
    • What is NAT?
    • Destination network address translation (DNAT)
    • Source network address translation (SNAT)
    • Masquerading (SNAT for DHCP)
• Advanced Netfilter / iptables
  • IPtables extensions
    • Obtaining and installing the extensions
    • Selecting the extensions
    • Rebuilding iptables and the kernel