

Firewalls: iptables and NAT

A good foundation for your network's security is to set up a Linux system to operate as a firewall for your network, protecting it from unauthorized access. You can use a firewall to implement either packet filtering or proxies. Packet filtering is simply the process of deciding whether a packet received by the firewall host should be passed on into the local network. The packet-filtering software checks the source and destination addresses of the packet and sends the packet on, if it's allowed. Even if your system is not part of a network but connects directly to the Internet, you can still use the firewall feature to control access to your system. Of course, this also provides you with much more security.

With proxies, you can control access to specific services, such as Web or FTP servers. You need a proxy for each service you want to control. The Web server has its own Web proxy, while an FTP server has an FTP proxy. Proxies can also be used to cache commonly used data, such as Web pages, so that users needn't constantly access the originating site. The proxy software commonly used on Linux systems is Squid, discussed in Chapter 23.

An additional task performed by firewalls is network address translation (NAT). Network address translation redirects packets to appropriate destinations. It performs tasks such as redirecting packets to certain hosts, forwarding packets to other networks, and changing the host source of packets to implement IP masquerading.

Note 

The ipchains package is the precursor to iptables that was used on Linux systems running the 2.2 kernel. It is still in use on many Linux systems. The Linux Web site for ipchains, which is the successor to ipfwadm used on older versions of Linux, is currently www.netfilter.org/ipchains/.

The Netfilter software package implements both packet filtering and NAT tasks for the Linux 2.4 kernel and above. Netfilter is developed by the Netfilter Project, which you can find out more about at www.netfilter.org. The command used to execute packet filtering and NAT tasks is iptables, and the software is commonly referred to as simply iptables. However, Netfilter implements packet filtering and NAT separately, using different tables and commands. Each table holds the set of rules for its application. This approach streamlines the packet-filtering task, letting iptables perform packet-filtering checks without the overhead of also having to perform address translations, and NAT operations are likewise freed from being mixed in with packet-filtering checks. You use the iptables command for both packet filtering and NAT tasks, but for NAT you add the -t nat option to select the NAT table.

The iptables software can be built directly into the 2.4 kernel or loaded as a kernel module, iptable_filter.o. Unlike its predecessor, ipchains, Netfilter is designed to be modularized and extensible. Capabilities can be added in the form of modules such as the state module, which adds connection tracking.
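The separation described above, as an added example that is not from the book: a small ruleset for a Linux gateway that keeps the filter-table rules and the nat-table rules in separate functions, uses the state module for connection tracking, and shows both kinds of NAT the chapter mentions (masquerading LAN traffic and redirecting inbound packets to a host). The interface names, the LAN prefix and the internal web server address are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: a small iptables ruleset for a Linux
# gateway, kept as two functions so the filter-table rules and the nat-table
# rules stay visibly separate. Interface names, the LAN prefix and the
# internal web server address are assumptions; adjust them to your network.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"   # assumed internal server behind the gateway

# Packet filtering: the default table (-t filter). Default-deny on INPUT and
# FORWARD; the state module lets replies to connections the LAN opened back in.
filter_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_HOST --dport 80 -j ACCEPT
EOF
}

# NAT: a separate table selected with -t nat. MASQUERADE rewrites the source
# of outbound LAN packets to the gateway's WAN address; DNAT redirects inbound
# web traffic to the internal server (the FORWARD rule above admits it).
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST
EOF
}

# Print the commands unless we are root and have not asked for a dry run.
apply_rules() {
    if [ -n "$DRY_RUN" ] || [ "$(id -u)" -ne 0 ]; then
        filter_rules
        nat_rules
        return 0
    fi
    echo 1 > /proc/sys/net/ipv4/ip_forward   # the kernel must route between interfaces
    { filter_rules; nat_rules; } | sh -e
}
# Usage: sh firewall.sh apply   (DRY_RUN=1 sh firewall.sh apply only prints the rules)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Note that the filter rules never mention a table: they land in the default filter table, while only the two rules carrying -t nat go to the NAT table.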

Note 

The iptables package includes backward-compatible modules for both ipfwadm and ipchains. In fact, iptables is very similar to ipchains. You can still use ipchains and the earlier ipfwadm commands by loading the ipchains.o or ipfwadm.o modules provided with the Netfilter software. These provide full backward compatibility.
