The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
A packet filtering firewall filters incoming and outgoing network packets based on the packet header information. You can create packet filter rules that determine whether packets are accepted or rejected. For example, if you create a rule to block a port, any request is made to that port that is blocked by the firewall, and the request is ignored. Any service that is listening on a blocked port is effectively disabled.
The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6 packets respectively.
Netfilter consist of two components:
A
netfilter
kernel component consisting of a set of tables in memory for the rules that the kernel uses to control network packet filtering.The iptables and ip6tables utilities to create, maintain, and display the rules that
netfilter
stores.
To implement a simple, general-purpose firewall, you can use the Firewall Configuration GUI (system-config-firewall) to create basic Netfilter rules. To create a more complex firewall configuration, use the iptables and ip6tables utilities to configure the packet filtering rules.
Netfilter records the packet filtering rules in the
/etc/sysconfig/iptables
and
/etc/sysconfig/ip6tables
files, which
netfilter
reads when it is initialized.
The netfilter
tables include:
-
Filter
The default table, which is mainly used to drop or accept packets based on their content.
-
Mangle
This table is used to alter certain fields in a packet.
-
NAT
The Network Address Translation table is used to route packets that create new connections.
The kernel uses the rules stored in these tables to make decisions about network packet filtering. Each rule consists of one or more criteria and a single action. If a criterion in a rule matches the information in a network packet header, the kernel applies the action to the packet. Examples of actions include:
-
ACCEPT
Continue processing the packet.
-
DROP
End the packet’s life without notice.
-
REJECT
As
DROP
, and additionally notify the sending system that the packet was blocked.
Rules are stored in chains, where each chain is composed of a default policy plus zero or more rules. The kernel applies each rule in a chain to a packet until a match is found. If there is no matching rule, the kernel applies the chain’s default action (policy) to the packet.
Each netfilter
table has several predefined
chains. The filter
table contains the
following chains:
-
FORWARD
Packets that are not addressed to the local system pass through this chain.
-
INPUT
Inbound packets to the local system pass through this chain.
-
OUTPUT
Locally created packets pass through this chain.
The chains are permanent and you cannot delete them. However, you can create additional chains in the filter table.
For more information, see the iptables(8)
and
ip6tables(8)
manual pages.