In 1998, Paul “Rusty” Russell, Marc Boucher, and other C programmers developed ipchains, a Linux utility used to provide firewall functions. The program was actually a collection of modules designed to interface with the kernel. Its most basic syntax was organized into five sections: table, action, chain, protocol, and rule. Today, the ipchains utility has been renamed iptables. It is now maintained by Pablo Neira Ayuso, Jozsef Kadlecsik, Eric Leblond, Florian Westphal, and Arturo Borrero González.
Each iptables table represents a different packet processing method. To be precise, they process Protocol Data Units (PDUs), not just packets. Nonetheless, there are five different ways a PDU can be processed.

Of the group, filter is the most common module and is used as the default table. The security table is used in conjunction with other modules such as those relating to authentication, authorization, and accounting (think of Security-Enhanced Linux, or SELinux). nat refers to redirecting PDUs based on source and destination IP addresses. mangle offers custom options for stripping or modifying PDU header information.
Actions include appending, deleting, checking, and listing. For example, if an administrator wanted to modify the system’s firewall, they would use -A to append and -D to delete. If they wanted to check or list the current configuration, they would use
The word “chain” can be confusing to some folks. The simplest way to understand this section is to focus on the direction one is aiming to configure. For example, there are two main directions (chains):

There is also a FORWARD chain, which is used to determine whether or not PDUs get routed elsewhere.
iptables can filter multiple protocols such as IP, ICMP, UDP, and TCP. It can also be configured to filter “all” as well as those identified in
Lastly, one can specify rules to either DROP PDUs. As a final example, one may execute the command sentence below to block inbound ICMP traffic.
    iptables -t filter -A INPUT -p icmp -j REJECT
             ^         ^  ^     ^       ^
             |         |  |     |       +--- rule
             |         |  |     +----------- protocol
             |         |  +----------------- chain
             |         +-------------------- action
             +------------------------------ table
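As an added example (not part of the original post), the POSIX shell functions below split a command sentence into the five sections described above and lint a sentence against an allow-list before a rule file is loaded with root privileges. The function names and the allow-lists are my own choices; the raw table, which the post does not name, is the fifth table in stock iptables.

```shell
# iptables_parse: split one iptables command sentence into the five sections
# (table, action, chain, protocol, rule) and print them as key=value pairs.
# The parsed values are also left in shell variables for iptables_lint.
# Assumes the flag order used in the post (-t, -A/-D/-C, -p, -j); when -t is
# absent, iptables itself assumes the filter table, so that is the default here.
# Pure string handling: nothing here ever calls the real iptables binary.
iptables_parse() {
    set -- $1                  # word-split the sentence into positional args
    table=filter action= chain= protocol= rule=
    while [ $# -gt 0 ]; do
        case $1 in
            -t) table=$2; shift ;;                       # table
            -A|-D|-C|-I) action=$1; chain=$2; shift ;;   # action + chain
            -L) action=$1                                # list: chain optional
                case ${2:-} in ''|-*) ;; *) chain=$2; shift ;; esac ;;
            -p) protocol=$2; shift ;;                    # protocol
            -j) rule=$2; shift ;;                        # rule (jump target)
        esac
        shift
    done
    printf 'table=%s action=%s chain=%s protocol=%s rule=%s\n' \
        "$table" "$action" "$chain" "$protocol" "$rule"
}

# iptables_lint: return 0 when the table, action and rule of a sentence are on
# the allow-list, 1 (with a reason) otherwise. Catches typos such as "fliter"
# and targets outside the built-in verdicts before a rule set is applied.
# Chains and protocols are not checked: user-defined chains and every entry
# in the system protocol list are legitimate values.
iptables_lint() {
    iptables_parse "$1" >/dev/null
    case $table in filter|nat|mangle|security|raw) ;;
        *) echo "bad table: $table"; return 1 ;; esac
    case $action in -A|-D|-C|-I|-L) ;;
        *) echo "bad action: $action"; return 1 ;; esac
    case $rule in ACCEPT|DROP|REJECT|'') ;;
        *) echo "bad rule: $rule"; return 1 ;; esac
    return 0
}
```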