These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Packet Filtering Basics


All traffic through a network is sent in the form of packets. For example, downloading a webpage of, say, 50k worth of data might cause you to receive 36 or so packets of 1460 bytes each.

The start of each packet says where it's going, where it came from, the type of the packet, and other administrative details. This start of the packet is called the header. The rest of the packet, containing the actual data being transmitted, is usually called the body.

Some protocols, such as TCP, which is used for web traffic, mail, and remote logins, use the concept of a `connection'. A connection is where, before any packets with actual data are sent, various setup packets (with special flags set in the header) are exchanged saying `I want to connect' (SYN), `OK' (SYN/ACK) and `Thanks' (ACK), after which normal packets are exchanged. Because the first of these packets is recognisable by its flags, a packet filter can block incoming connection attempts without blocking the replies to connections you opened yourself.

So What's A Packet Filter?

A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated (for example REJECT, which discards the packet but sends an error back to the sender, or LOG, which records the packet and then lets the following rules decide).

Under Linux, packet filtering is built into the kernel, either as a loadable module, or compiled in.

Why Would I Want to Packet Filter?

Control. Security. Watchfulness.

  • Control: When you are using a Linux box to connect your internal network to another network (say, the Internet) you have an opportunity to allow certain types of traffic, and disallow others. For example, the header of a packet contains the destination address of the packet, so you can prevent packets going to a certain part of the outside network. As another example, I use Mozilla to access the Gamers.com archives. There are advertisements from doubleclick.net on the pages, and Mozilla wastes my time by cheerfully downloading them. Telling the packet filter not to allow any packets to or from the addresses owned by doubleclick.net solves that problem (there are better ways of doing this though: Junkbuster, for example, or the hosts tweak we looked at in UNIX02).
  • Security: When your Linux box is the only thing between the chaos of the Internet and your nice, orderly network, it's good to know you can restrict what comes tromping in your door. For example, you might allow anything to go out from your network, but you might be worried about the well-known `Ping of Death' (an oversized, fragmented ping that crashed older kernels) coming in from malicious outsiders. As another example, you might not want outsiders telnetting to your Linux box, even though all your accounts have passwords. Maybe you want (like most people) to be an observer on the Internet, and not a server (willing or otherwise). Simply don't let anyone connect in, by having the packet filter reject incoming packets used to set up connections (TCP packets with only the SYN flag set).
  • Watchfulness: Sometimes a badly configured machine on the local network will decide to spew packets to the outside world. It's nice to tell the packet filter to let you know (by logging the offending packets) if anything abnormal occurs; maybe you can do something about it, or maybe you're just curious by nature.

How Do I Packet Filter Under Linux?

Linux kernels have had packet filtering since the 1.1 series. The first generation, based on ipfw from BSD, was ported by Alan Cox in late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the userspace tool `ipfwadm' controlled the kernel filtering rules. In mid-1998, for Linux 2.2, Rusty Russell reworked the kernel quite heavily, with the help of Michael Neuling, and introduced the userspace tool `ipchains'. Finally, the fourth-generation tool, `iptables', and another kernel rewrite occurred in mid-1999 for Linux 2.4.

If you are using a 2.4 kernel, it must have the netfilter infrastructure in it: netfilter is a general framework inside the Linux kernel which other things (such as the iptables module) can plug into. This means you answer `Y' to CONFIG_NETFILTER in the kernel configuration.

The tool iptables talks to the kernel and tells it what packets to filter. Unless you are a programmer, or overly curious, this is how you will control the packet filtering.

If you are using a 2.2 or earlier kernel (ipchains or ipfwadm) you will need to set the following parameters in the kernel configuration (a 2.4 kernel does not use these; it instead offers ipchains and ipfwadm compatibility modules, CONFIG_IP_NF_COMPAT_IPCHAINS and CONFIG_IP_NF_COMPAT_IPFWADM, under the netfilter options if you really want the old tools):

  CONFIG_FIREWALL=y
  CONFIG_IP_FIREWALL=y

You configure both iptables and ipchains using a rule base (which we will look at today).

Making Rules Permanent

Your current firewall setup is stored in the kernel, and thus will be lost on reboot. You can use the iptables-save and iptables-restore programs to write the current rules to a file and load them back from it.

The other way is to put the commands required to set up your rules in an initialization script. (This is what we will be doing in this class).
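As an added example (not code from the original page, nor from the Packet Filtering HOWTO these notes follow), here is an initialization script of the kind just described, with one group of iptables rules for each of the three reasons given above: Control (drop packets to an ad server's address range), Security (accept replies to our own connections, but log and drop incoming connection attempts), and Watchfulness (log and drop packets from the LAN whose source address is not a LAN address), plus save and restore actions that wrap iptables-save and iptables-restore. The interface name eth1, the networks 192.168.1.0/24 and 192.0.2.0/24, the file /etc/iptables.rules and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Packet-filter initialization script for a 2.4 kernel with iptables.
# Added example for these notes, not code from the original page; the
# interface, networks and rules file below are assumptions.
#
# Usage:  firewall.sh start | stop | save | restore
# Set DRY_RUN=1 to print the rules instead of loading them into the kernel.

IPTABLES="${IPTABLES:-/sbin/iptables}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed save/restore path

LAN_IF=eth1                 # assumed: interface facing the internal network
LAN_NET=192.168.1.0/24      # assumed: addresses used on the internal network
AD_NET=192.0.2.0/24         # placeholder for an ad server's address range

# Every rule passes through ipt so the whole script can be dry-run.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Control: discard anything addressed to the given range, whether it comes
# from this box (OUTPUT) or is being routed for a LAN host (FORWARD).
block_destination() {
    ipt -A OUTPUT  -d "$1" -j DROP
    ipt -A FORWARD -d "$1" -j DROP
}

# Security: be an observer, not a server.  Replies to connections this box
# opened are accepted; --syn matches the packets used to open a connection
# (SYN set, ACK/RST/FIN clear), which are logged at a limited rate and dropped.
# Everything else on INPUT is caught by the DROP policy set in start_firewall.
reject_incoming_connections() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --syn -m limit --limit 5/min -j LOG --log-prefix "connect-attempt: "
    ipt -A INPUT -p tcp --syn -j DROP
    # Still answer pings, but no faster than one per second.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
}

# Watchfulness: a LAN host should only ever send packets with a LAN source
# address.  Anything else arriving on the LAN interface for forwarding is
# logged (rate limited, so one bad host cannot fill the disk) and dropped.
watch_lan_sources() {
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "bad-lan-src: "
    ipt -A FORWARD -i "$LAN_IF" -j DROP
}

# Set the default-deny policies before flushing, so there is no moment
# during start-up when the box is wide open.
start_firewall() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X
    block_destination "$AD_NET"     # control
    reject_incoming_connections     # security
    watch_lan_sources               # watchfulness
}

# stop: remove every rule and let everything through again.
stop_firewall() {
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X
}

# The rules live only in the kernel; save/restore copies them to and from a file.
save_rules()    { "${IPTABLES}-save"    > "$RULES_FILE"; }
restore_rules() { "${IPTABLES}-restore" < "$RULES_FILE"; }

case "${1:-}" in
    start)   start_firewall ;;
    stop)    stop_firewall ;;
    save)    save_rules ;;
    restore) restore_rules ;;
    *)       echo "Usage: $0 {start|stop|save|restore}" >&2 ;;
esac
```

Run it as root with `start` from your init scripts, and try `DRY_RUN=1 sh firewall.sh start` first to read the rules it would load. Rule order matters: the ad-range DROP is appended to FORWARD before the ESTABLISHED,RELATED accept, so a connection to that range is stopped at its first packet and never becomes established, and the LOG rules sit in front of their matching DROP rules because LOG does not end processing. Setting the INPUT policy to DROP before adding the ESTABLISHED rule will briefly stall an existing remote login; on a box you administer over the network, keep a console handy the first time.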

Last edited June 20, 2003 5:43 pm (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.