25.3 About Packet-filtering Firewalls

Note

The iptables and system-config-firewall packages provide the components of the packet-filtering firewall and the accompanying utilities.

A packet filtering firewall filters incoming and outgoing network packets based on the packet header information. You can create packet filter rules that determine whether packets are accepted or rejected. For example, if you create a rule to block a port, any request is made to that port that is blocked by the firewall, and the request is ignored. Any service that is listening on a blocked port is effectively disabled.

The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6 packets respectively.

Netfilter consists of two components:

  • A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel uses to control network packet filtering.

  • The iptables and ip6tables utilities to create, maintain, and display the rules that netfilter stores.

To implement a simple, general-purpose firewall, you can use the Firewall Configuration GUI (system-config-firewall) to create basic Netfilter rules.

Figure 25.1 shows the Firewall Configuration GUI.

Figure 25.1 Firewall Configuration

The figure shows the Firewall Configuration GUI.


To create a more complex firewall configuration, use the iptables and ip6tables utilities to configure the packet filtering rules.

Netfilter records the packet filtering rules in the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files, which netfilter reads when it is initialized.

The netfilter tables include:

Filter

The default table, which is mainly used to drop or accept packets based on their content.

Mangle

This table is used to alter certain fields in a packet.

NAT

The Network Address Translation table is used to route packets that create new connections.

The kernel uses the rules stored in these tables to make decisions about network packet filtering. Each rule consists of one or more criteria and a single action. If a criterion in a rule matches the information in a network packet header, the kernel applies the action to the packet. Examples of actions include:

ACCEPT

Continue processing the packet.

DROP

End the packet’s life without notice.

REJECT

As DROP, and additionally notify the sending system that the packet was blocked.

Rules are stored in chains, where each chain is composed of a default policy plus zero or more rules. The kernel applies each rule in a chain to a packet until a match is found. If there is no matching rule, the kernel applies the chain’s default action (policy) to the packet.

Each netfilter table has several predefined chains. The filter table contains the following chains:

FORWARD

Packets that are not addressed to the local system pass through this chain.

INPUT

Inbound packets to the local system pass through this chain.

OUTPUT

Locally created packets pass through this chain.

The chains are permanent and you cannot delete them. However, you can create additional chains in the filter table.

For more information, see the iptables(8) and ip6tables(8) manual pages.