Tuesday, April 7, 2015

Understanding how Netfilter (iptables) works

Since I've read a lot of articles about Netfilter, aka iptables, and most of them are confusing and hard to read, I'd rather explain in this article the basics of this powerful and widely available firewall.

Before you continue reading, be sure you understand how communications work in TCP/IP networks such as the Internet or, probably, your own intranet.

I'm not going to bore you with the history of Netfilter and where it comes from. However, it's important to note that this firewall is integrated in the Linux kernel, so it's available everywhere with no extra packages to install. In addition, it's quick and robust enough to be used in a wide variety of scenarios.

Network packets can come from, go to or pass through your firewall. Depending on the path they follow, different rules can be applied. Rulesets are called tables, and tables are associated with chains. You can create your own chains, but that's not the goal of this article.

In a packet's lifetime, it passes through different chains containing rules, which may modify, accept or deny the packet. What ultimately happens to a packet is decided by a policy, and each chain has a default policy that applies when no rule matches.

The following image shows some of the basic chains and flows:

[Image: Basic chains and flows]

For a full description of filtering tables, please refer to this page.

Here are some examples of paths a packet could follow:

  • Packets from another system to the firewall: PREROUTING and INPUT.
  • Packets from the firewall to another system: OUTPUT and POSTROUTING.
  • Packets from one system to another through the firewall: PREROUTING, FORWARD and POSTROUTING.

The order of the chains is always the same. For instance, PREROUTING always comes before INPUT and not the other way round.

To interact with Netfilter you can use the command line tool iptables, though it's not the only way.

Please keep in mind that any changes made will be lost after a reboot. To avoid that, you can:

  1. Save the tables' state to a file with the command iptables-save and restore the rules from that file at startup with iptables-restore, or
  2. Create a shell script with direct iptables commands to be executed at startup.

I prefer the latter, for it allows you to use shell variables and to add comments that make the script more readable.

Either way, the resulting file should be readable by root only and placed in a secure directory.

For security reasons, the file must be read, or the script executed, at startup before the network interfaces are configured. On Debian you can do so by placing the rules, or a shell script that loads them, in the directory /etc/init.d/if-pre-up.d.
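As an added example (not the article's own script), here is the kind of startup shell script the article recommends, tying together the per-chain default policies described earlier and the "script with shell variables and comments" approach. The interface name, admin network and management port are illustrative placeholders, not values from the article; the network uses the RFC 5737 documentation range. The `IPT` variable can be set to `echo iptables` so the script prints the commands it would issue instead of loading them, which lets you review the ruleset without root or a live kernel.

```shell
#!/bin/sh
# Added example host-firewall startup script (not from the article).
# Assumed placeholders: LAN_IF, ADMIN_NET, SSH_PORT. Override them in the
# environment if needed; defaults are illustrative only.
set -e

IPT="${IPT:-iptables}"                  # set to "echo iptables" for a dry run
LAN_IF="${LAN_IF:-eth0}"                # hypothetical LAN interface name
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # constructed admin network (RFC 5737 range)
SSH_PORT="${SSH_PORT:-22}"              # management port to expose to admins

# Load the complete ruleset into the filter table.
apply_rules() {
    # Default policies first, so the host fails closed even if a later rule
    # errors out: a packet matching no rule in INPUT (to the firewall) or
    # FORWARD (through it) is dropped; OUTPUT (from the firewall) is allowed.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Start from a clean slate: flush all rules and delete user-defined chains.
    $IPT -F
    $IPT -X

    # Loopback traffic never leaves the host.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host started (stateful match via conntrack).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New management connections only from the admin network on the LAN side.
    $IPT -A INPUT -i "$LAN_IF" -s "$ADMIN_NET" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Make drops visible in syslog, rate-limited so a flood cannot fill the log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# Dry run: print the iptables commands that apply_rules would execute, one per
# line, without touching the kernel. Runs in a subshell so IPT is not changed
# for the caller.
render_rules() {
    ( IPT="echo iptables"; apply_rules )
}

# With the argument "apply" (as root, before the interfaces come up) the rules
# are loaded; with no argument the script only prints them for review.
case "${1:-}" in
    apply) apply_rules ;;
    *)     render_rules ;;
esac
```

Run it with no argument to inspect the generated commands, and with `apply` as root to load them; afterwards `iptables-save` captures the live state if you also want the file-based form. Keep the script readable by root only (for example with `chmod 700`), as the article advises, since it documents exactly which paths into the host are open.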
