Chapter 18. iptables

Included with Red Hat Enterprise Linux are advanced tools for network packet filtering, the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on ipchains for packet filtering and used lists of rules applied to packets at each step of the filtering process. The 2.4 kernel introduced iptables, the user-space front end to the kernel's netfilter packet-filtering framework (the two names are often used interchangeably). It is similar to ipchains but greatly expands the scope and control available for filtering network packets.

This chapter focuses on packet filtering basics, defines the differences between ipchains and iptables, explains various options available with iptables commands, and explains how filtering rules can be preserved between system reboots.

For instructions on constructing iptables rules or setting up a firewall based on these rules, refer to Section 7, “Additional Resources”.

Warning

The default firewall mechanism under the 2.4 and newer kernels is iptables, but iptables cannot be used if ipchains is already running. If ipchains is present at boot time, the kernel issues an error and fails to start iptables. The functionality of ipchains is not affected by these errors.

1. Packet Filtering

The Linux kernel has the built-in ability to filter packets, allowing some of them to be received by or pass through the system while stopping others. The kernel's netfilter has three built-in tables, or rule lists. They are as follows:

• filter — The default table for handling network packets.
• nat — Used to alter packets that create a new connection and used for Network Address Translation (NAT).
• mangle — Used for specific types of packet alteration.

Tip

In addition to these built-in tables, specialized tables can be created and stored in the /lib/modules//kernel/net/ipv4/netfilter/ directory (the empty path component between the two slashes stands for the kernel version number).
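The three tables above are also the sections of an iptables-save dump, which is the form in which rule sets are written out and reloaded across reboots. The following shell script is an added example, not code from the Red Hat guide: it parses a constructed dump (not captured from any real host) without touching the live kernel, reports how many rules each table holds, and performs the check a practitioner usually wants first, namely that the filter table's INPUT and FORWARD chains are default-deny. The table and chain names are the standard ones; the function names and the sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inspect an iptables-save style rule set without touching the
# live kernel. The dump below is constructed for illustration; it is not
# captured from any real system.
RULESET='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Print the table names in the order they appear in the dump, one per line.
ruleset_tables() {
    printf '%s\n' "$RULESET" | sed -n 's/^\*//p'
}

# Print the default policy of chain $2 in table $1 (empty if not present).
chain_policy() {
    printf '%s\n' "$RULESET" | awk -v t="$1" -v c="$2" '
        BEGIN { key = ":" c }
        /^\*/ { cur = substr($0, 2); next }
        cur == t && $1 == key { print $2; exit }'
}

# Count the -A (append) rules in table $1.
rule_count() {
    printf '%s\n' "$RULESET" | awk -v t="$1" '
        /^\*/ { cur = substr($0, 2); next }
        cur == t && /^-A / { n++ }
        END { print n + 0 }'
}

# Succeed (exit 0) when the filter table is default-deny for traffic that
# reaches or crosses the host, i.e. INPUT and FORWARD both have policy DROP.
# OUTPUT is left to the administrator; an ACCEPT policy there is common.
filter_is_default_deny() {
    [ "$(chain_policy filter INPUT)" = DROP ] &&
    [ "$(chain_policy filter FORWARD)" = DROP ]
}

# On a real host the same dump would be loaded with
#   printf '%s\n' "$RULESET" | iptables-restore
# and written back out with iptables-save; this script only reads it.
for t in $(ruleset_tables); do
    printf '%-7s %s rules\n' "$t" "$(rule_count "$t")"
done
if filter_is_default_deny; then
    echo "filter table: INPUT and FORWARD are default-deny"
else
    echo "filter table: INPUT or FORWARD is not DROP by default"
fi
```

The functions read the dump from a variable so the script runs unprivileged; pointing them at the output of `iptables-save` on a real host turns the same checks into a quick audit of the live rule set before it is persisted.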