iptables
Linux firewall software
(content imported from Wikipedia)
nftables, the successor of iptables, was merged into the Linux kernel mainline in kernel version 3.13 (kernelnewbies.org, "Linux 3.13", Section 1.2, 2014-01-19).
Overview
iptables allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a "call": the point that was jumped from is remembered, so that processing can resume there.) Every network packet arriving at or leaving from the computer traverses at least one chain.

[Figure: Packet flow paths. Packets start at a given box and will flow along a certain path, depending on the circumstances.]

The origin of the packet determines which chain it traverses initially. There are five predefined chains (mapping to the five available Netfilter hooks), though a table need not have all of them. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of such a chain it is returned to the chain that called it. A chain may be empty.

The predefined chains are:
- PREROUTING: Packets enter this chain before a routing decision is made.
- INPUT: The packet is going to be locally delivered. This has nothing to do with processes having an open socket; local delivery is controlled by the "local" routing table (ip route show table local).
- FORWARD: All packets that have been routed and were not for local delivery traverse this chain.
- OUTPUT: Packets sent from the machine itself visit this chain.
- POSTROUTING: The routing decision has been made. Packets enter this chain just before they are handed off to the hardware.

A packet continues to traverse a chain until one of the following happens:
- a rule matches the packet and decides its ultimate fate, for example by calling one of the ACCEPT or DROP targets, or a module returning such an ultimate fate; or
- a rule calls the RETURN verdict, in which case processing returns to the calling chain; or
- the end of the chain is reached; traversal either continues in the parent chain (as if RETURN had been used) or, for a base chain, the chain's policy, which is an ultimate fate, is applied.
Userspace utilities
Front-ends
There are numerous third-party software applications for iptables that try to facilitate setting up rules. Front-ends in textual or graphical fashion allow users to click-generate simple rulesets; scripts usually refer to shell scripts (but other scripting languages are possible too) that call iptables or (the faster) iptables-restore with a set of predefined rules, or rules expanded from a template with the help of a simple configuration file. Linux distributions commonly employ the latter scheme of using templates. Such a template-based approach is in practice a limited form of rule generator, and such generators also exist in standalone fashion, for example as PHP web pages.

Such front-ends, generators and scripts are often limited by their built-in template systems and by where the templates offer substitution points for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so would likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.

Other notable tools
- FireHOL, a shell script wrapping iptables with an easy-to-understand plain-text configuration file
- NuFW, an authenticating firewall extension to Netfilter
- Shorewall, a gateway/firewall configuration tool, making it possible to use easier rules and have them mapped to iptables
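The following is an added example (not part of the article, and not code from the netfilter project or from any of the tools listed above) of the template-driven script approach described under Front-ends: a POSIX shell script expands a few deployment variables into a complete filter-table ruleset in iptables-restore format, statically checks that every jump target names a declared chain, and applies the result atomically with iptables-restore. The ruleset also illustrates the traversal semantics from the Overview: the built-in INPUT chain has policy DROP, the user-defined MGMT chain has no policy, `-j MGMT` behaves like a call, and `-j RETURN` (or falling off the end of MGMT) resumes INPUT at the rule after the jump, so a new SSH connection from outside ADMIN_NET is logged and then dropped by the INPUT policy. The interface, network and port values and the chain name MGMT are illustrative assumptions.

```shell
#!/bin/sh
# Added example: template-style generator for an iptables-restore ruleset.
# Not code from the iptables/netfilter project or from the article.
# Deployment parameters (assumed values; override them via the environment).
WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # hosts allowed to open SSH sessions
SSH_PORT="${SSH_PORT:-22}"

# Expand the template into iptables-save/iptables-restore format.
# ":NAME POLICY [pkts:bytes]" declares a chain; a policy of "-" means
# "no policy", which is how user-defined chains are declared.
# Lines starting with '#' are ignored by iptables-restore.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
# Default-deny INPUT: anything that reaches the end of the chain is dropped.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# "-j MGMT" is a call: if MGMT returns, traversal resumes at the next rule.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j MGMT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# MGMT has no policy: unmatched packets go back to INPUT either through the
# explicit RETURN or by falling off the end, and INPUT's DROP policy applies.
-A MGMT -s ${ADMIN_NET} -j ACCEPT
-A MGMT -m limit --limit 3/min -j LOG --log-prefix "ssh-denied: "
-A MGMT -j RETURN
COMMIT
EOF
}

# Static check on stdin: every "-j TARGET" must name a declared chain or a
# built-in target. iptables-restore rejects a jump to an undefined chain,
# but catching it here gives a readable error before any kernel call.
check_jumps() {
  awk '
    /^:/  { sub(/^:/, ""); chains[$1] = 1 }
    /^-A/ { for (i = 1; i < NF; i++) if ($i == "-j") targets[$(i + 1)] = 1 }
    END {
      n = split("ACCEPT DROP RETURN LOG REJECT", b, " ")
      for (i = 1; i <= n; i++) builtin[b[i]] = 1
      bad = 0
      for (t in targets)
        if (!(t in chains) && !(t in builtin)) {
          print "undefined chain: " t > "/dev/stderr"; bad = 1
        }
      exit bad
    }'
}

# Number of chains declared by the generated ruleset (three built-in + MGMT).
count_chains() { gen_ruleset | grep -c '^:'; }

# Load atomically: iptables-restore swaps in the whole table at once, so the
# host never runs with a half-applied ruleset. --test parses without
# committing, so a syntax error aborts before anything is loaded. Needs root.
apply_ruleset() {
  gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

case "${1:-}" in
  print) gen_ruleset ;;
  check) gen_ruleset | check_jumps && echo "ruleset ok" ;;
  apply) apply_ruleset ;;
esac
```

Run the script with `print` to inspect the expanded ruleset, `check` to validate it without touching the kernel, and `apply` as root to load it. Applying through iptables-restore rather than a sequence of individual iptables calls avoids the window in which an interrupted script leaves the host with some rules installed and others missing, which on a default-deny INPUT chain can mean locking yourself out; `iptables-restore --test` first catches syntax errors that the awk check (which only knows about chain names) cannot.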
See also
- nftables
- NPF (firewall)
- PF (firewall)
- ipfirewall (ipfw)
- ipfilter
- XDP
- ipchains
- Uncomplicated Firewall (ufw)
References
- kernelnewbies.org, "Linux 3.13", Section 1.2: nftables, the successor of iptables. 2014-01-19, retrieved 2014-01-20.

Literature
- Gregor N. Purdy, Linux iptables Pocket Reference: Firewalls, NAT & Accounting. O'Reilly Media, Inc., 25 August 2004. ISBN 978-1-4493-7898-1.
External links
- The netfilter/iptables project Web page
- iptables on Freshmeat
- The netfilter/iptables documentation page (outdated)
- Detecting and deceiving network scans: countermeasures against nmap
- The iptables man page, for syntax help
- Iptables Tutorial 1.2.2 by Oskar Andreasson
- IPTABLES: The Default Linux Firewall
- Acceleration of iptables Linux Packet Filtering using GPGPU
- Wikibooks: Communication Networks/IP Tables