Building a firewall with Netfilter and IPTABLES


In an increasingly networked world our computers are more exposed to attack than ever. New software defects are discovered every day, and exploits for them are increasingly used by automated botnets to compromise other machines, so a good defence against such attacks matters more than ever. The first line of defence against this onslaught should usually be a well configured firewall, which acts both as a barrier against unwanted network traffic and as a filter to ensure that the traffic we do allow is legitimate.

This document is a how-to describing the planning and implementation of a Linux firewall based on the Netfilter kernel subsystem and the iptables user-space tool. It covers the filtering of TCP, UDP and ICMP packets, as well as simple routing and Network Address Translation using the SNAT, DNAT and MASQUERADE targets. We also discuss logging filtered packets, both as an aid to debugging connection problems and as a way of monitoring for new attacks and attack vectors.
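The following script sketches the shape of the firewall this how-to builds up: default-drop filter policies, stateful acceptance of return traffic, explicit TCP, UDP and ICMP rules, a MASQUERADE rule for outbound NAT, a DNAT rule for an internal web server, and rate-limited LOG rules ahead of each drop. It is an added example, not code from the original how-to; the interface names (eth0 as WAN, eth1 as LAN), the 192.168.1.0/24 network and the 192.168.1.10 web server are assumptions you would replace with your own. It only prints the commands unless you call apply_firewall as root.

```shell
#!/bin/sh
# Added example: skeleton of a Netfilter/iptables firewall with filtering, NAT and logging.
# Assumed topology (adjust via environment variables):
#   eth0 = WAN (Internet), eth1 = LAN 192.168.1.0/24, web server on 192.168.1.10
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"
IPT="${IPT:-iptables}"

# Emit the full rule set, one command per line, so it can be reviewed before it is loaded.
build_firewall_script() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
$IPT -A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-INPUT-DROP: " --log-level 4
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_HOST --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A FORWARD -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-FORWARD-DROP: " --log-level 4
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
EOF
}

# Number of iptables invocations in the generated script (sysctl excluded).
rule_count() {
    build_firewall_script | grep -c "^$IPT "
}

# Number of rate-limited LOG rules; each DROP policy should have one just before it.
log_rule_count() {
    build_firewall_script | grep -c -- '-j LOG'
}

# Load the rules for real. Requires root; review build_firewall_script output first.
apply_firewall() {
    build_firewall_script | sh -e
}

# Dry run when executed directly: show what would be loaded.
if [ "${APPLY:-0}" = "1" ]; then
    apply_firewall
else
    build_firewall_script
fi
```

Two points worth noting about the ordering. The DNAT rule rewrites the destination in PREROUTING, so the matching FORWARD rule must match the internal address (192.168.1.10), not the firewall's public one. MASQUERADE is appropriate when the WAN address may change (DHCP, PPP); with a fixed public address, SNAT --to-source avoids conntrack having to re-learn the address on every interface change.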