Netfilter

The firewall implemented in Linux is called Netfilter.

Netfilter implements both a packet filter and NAT and is a statefull firewall. Statefull firewalls differentiates from non-statefull firewalls by having knowledge of the state of all connections made though the firewall. A non-statefull firewall examines packets individually, without knowledge of previous send packets and has, for example, no information about which machine instantiated the communication. This means that in order for machines behind a firewall to be able to communicate fully with machine on the Internet, almost all packets must be allowed though the firewall in both directions and thus greatly degrading the security imposed by the firewall.

As said, a statefull firewall maintains a history of established communication and defines a state for all connections. In Netfilter possible states of a connection are:

New:

This state indicates, that the packet is part of a connection that has not been registered (seen) before.

Established:

This state indicates that the packet is part of an already established communication.

Related:

This state indicates that the packet is related to an already established connection but not part hereof. This is useful for protocols that established new connections, such as passive ftp data streams and ICMP packets.

Invalid:

A packet marked invalid means that the packet is somehow malformed. Malformed packets are usually packets that does not confirm to effective RFC's.

By using these states, it is possible to create a very tight security policy with only a small set of rules.

Setting up a Linux firewall

The most common way to define a firewall, is to have a list of rules to be traversed for each packet hitting the firewall. A firewall rule consists of a set of conditions and an action. If the conditions of a rule is meet, then the action is executed on that packet. Usually the action is either to accept or reject a packet, and is therefore usually called the target of a rule. Examples of conditions on a rule is: the source address of a packet, the destination of a packet etc.

The list¹ of rules is traversed until the packet is either accepted or rejected, and processing stops. If no rules applies to the packet, the default policy of the chain determines if the packet is accepted or rejected.

In Linux, the list of rules is maintained in the Linux kernel itself, and a userspace program, iptables, is used to manage rules. As the placement of rules in the list is vital to the operation of the firewall, it can be a non-trivial job to implement complex rule-sets in Linux. For more information of iptables/Netfilter see [4,2].