IPTables HOWTO

Matt Wright, Matt Wright Consulting
matt@consultmatt.co.uk

2001-11-21, v0.1

Revision History
v0.1, 2001-11-21, mww: Initial writing began.

This document describes the main functions of the Netfilter packet filter (IPTables) included in the 2.4.x series kernels.

Introduction

I felt the need to write this HOWTO because of what I thought was the poor level of documentation on implementing packet-filtering firewalls with the 2.4.x Netfilter packet filter. The HOWTO covers using native IPTables commands (i.e. not the ipchains.o compatibility module) to implement a packet-filter based firewall and the various supported types of NAT.

Copyright and License

This document is Copyright 2001 by Matt Wright. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html

Send feedback to matt@consultmatt.co.uk.

About the author

My name is Matt Wright. I'm a 16-year-old student in Blackburn, Lancashire. I'm a freelance Linux consultant. I am the proud owner of a Duron 950 MHz (all I could easily afford) with 256 MB SDRAM, a Voodoo 4 video card and an ATI All-in-Wonder Pro video card. I also have a 266 MHz Cyrix that runs my USB ADSL connection, which you will be using if you are reading this from http://www.consultmatt.co.uk. You can find me at www.consultmatt.co.uk or at matt@consultmatt.co.uk.

Acknowledgements

TODO: Insert greetz here

What is IPTables

IPTables (the Netfilter packet filter) was written by Paul Russell and the other members of the Netfilter Project team. It was meant as a replacement for IPChains, the packet filter of the 2.2.x series kernels. It offers true 1:1 NAT capabilities, packet filtering and connection tracking. One major upshot of connection tracking is that you can accept incoming packets based on whether they belong to, or are related to, an already established connection, rather than judging each packet on its own. There is still a need for helper modules for some connection types (FTP and IRC at the moment), where the addresses and ports of a secondary connection are negotiated inside the primary one.

Requirements

You only need a couple of things to get IPTables going:

- A 2.4.x series kernel with the Netfilter modules compiled. (I will deal with the Netfilter code as modules, but feel free to compile them in and ignore the module information.)
- The IPTables source code; get it from The Netfilter Project.

This HOWTO does not cover compiling and/or installing IPTables. Usually it is pre-installed with a 2.4.x distribution; if not, please consult the Netfilter website for more information.
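The connection-tracking behaviour described under "What is IPTables", as an added example that is not part of the HOWTO: a minimal default-deny INPUT ruleset in which a single ESTABLISHED,RELATED rule admits reply traffic and helper-tracked data connections, and only the listed services accept NEW connections. The external interface eth0, the FTP and SSH service ports, and the IPT variable that names the command receiving the rules are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): a stateful INPUT ruleset built on the
# connection tracking the text describes. Constructed assumptions: external
# interface eth0; the host serves FTP (21) and SSH (22); every other inbound
# connection attempt is logged and dropped. IPT defaults to the real iptables
# binary (root required); point it at a wrapper to preview the rules instead.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
SERVICE_PORTS="${SERVICE_PORTS:-21 22}"

load_helpers() {
    # Netfilter tracks plain TCP on its own, but FTP negotiates its data
    # connection inside the control channel, so the helper module is needed
    # for those data connections to be classified RELATED rather than NEW.
    modprobe ip_conntrack_ftp
}

apply_rules() {
    $IPT -F INPUT
    # Default-deny: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback traffic never leaves the host.
    $IPT -A INPUT -i lo -j ACCEPT
    # The connection-tracking rule: admit packets that belong to a connection
    # the kernel already knows (ESTABLISHED) or that a helper tied to one
    # (RELATED), such as an FTP data connection. No per-port reply rules needed.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets the tracker cannot associate with any connection are suspect.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Only the listed services may receive NEW connections from outside.
    for port in $SERVICE_PORTS; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Log (rate-limited) what the DROP policy is about to discard, so refused
    # connection attempts are visible in the kernel log.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "ipt-drop: "
}

# Run with "apply" to load the FTP helper and install the rules.
case "${1:-}" in
    apply) load_helpers && apply_rules ;;
esac
```

On current kernels the same match is spelled -m conntrack --ctstate and the FTP helper module is nf_conntrack_ftp; the rule structure is unchanged.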