Netfilter
Overview
- netfilter, iptables and nftables are components of a packet filtering framework inside the Linux Kernel
- nftables is a newer alternative to iptables
Packet filtering framework
- allows you to:
  - build packet filter firewalls
  - do any kind of NAT and NAPT
  - do further packet manipulation
- components:
  - netfilter
  - Xtables: iptables (IPv4), ip6tables (IPv6), arptables (ARP), ebtables (Ethernet bridge filtering)
  - Connection Tracking Subsystem
  - NAT/NAPT subsystem
  - nftables
Netfilter
Provides a set of hooks inside the Linux kernel that allow kernel modules to register callback functions with the network stack.
Netfilter Hooks
Main features of netfilter/iptables
- stateless packet filtering
- stateful packet filtering
- all kinds of network address and port translation (NAT/NAPT)
- multiple layers of APIs for 3rd party extensions
Use cases of netfilter/iptables
- build an internet firewall
- use NAT and masquerading
- use NAT to implement transparent proxies
- aid the tc (traffic control) and iproute2 systems to build sophisticated QoS and policy routers
- do further packet manipulation
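The following ruleset is an added example, not part of the original notes, that ties the features and use cases above to the netfilter hooks they run on: each chain's `hook input`, `hook forward`, `hook prerouting` or `hook postrouting` clause is a registration at the corresponding netfilter hook point, the `ct state` matches come from the connection tracking subsystem (stateful filtering), the `tcp dport` matches alone are stateless filtering, `masquerade` is source NAT, and `redirect` is the NAPT trick used for a transparent proxy. The interface names `lan0` and `wan0` and the proxy port 3128 are assumptions chosen for the example; substitute your own.

```nftables
#!/usr/sbin/nft -f
# Example ruleset (nftables syntax); interface names and proxy port are assumed.
flush ruleset

table inet filter {
    chain input {
        # Registered at the netfilter INPUT hook; drop by default (least privilege).
        type filter hook input priority 0; policy drop;

        # Stateful filtering via the connection tracking subsystem:
        # allow replies to connections this host opened, drop malformed state.
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # Stateless match on the port, combined with ct state so only the
        # first packet of a new SSH connection is evaluated here.
        tcp dport 22 ct state new accept

        # Rate-limit ping to keep the host responsive under an ICMP flood.
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert } accept
    }

    chain forward {
        # FORWARD hook: only LAN -> WAN traffic and its return packets pass.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
    }
}

table ip nat {
    chain prerouting {
        # PREROUTING hook, NAPT: transparently send LAN web traffic to a
        # local proxy listening on port 3128 (assumed port).
        type nat hook prerouting priority -100; policy accept;
        iifname "lan0" tcp dport 80 redirect to :3128
    }

    chain postrouting {
        # POSTROUTING hook, source NAT: masquerade LAN clients behind the
        # WAN interface's address.
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; the `ct state invalid drop` lines and the default `policy drop` are what turn the stateless port matches into a stateful firewall, so keep them when adapting the rules.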