Introduction to the IPTables Firewall
In IT terms, a firewall is a software or hardware solution that tries to block as much malicious network traffic as possible while letting useful traffic through. Firewalls can be implemented in existing network devices such as routers, as separate devices whose sole function is to protect a network, or in the lower layers of the networking stack on a networked computer. Iptables is a software solution that is available on most Linux computers with a kernel version 2.4 or newer. To be precise, iptables is not the firewall itself: the iptables program is a command-line frontend that alters the filter tables in the kernel, and the real firewall lives in the kernel. Because most people only ever use the iptables program, it is often referred to as the Linux firewall, and for convenience we will do the same here.
Network packets entering or leaving a networked Linux computer pass through a number of tables in the kernel. Each table contains zero or more simple rules in which the IP address or other specific properties of a packet are checked. When a rule matches, one of a number of actions is triggered: the packet can be silently ignored, accepted, rejected or passed on to another table of rules. Although the principle behind this firewall system is simple, it is often quite difficult to set up a decent firewall that matches the needs of a specific situation. This is partly because it requires an understanding of the underlying structure, and partly because there is no really good documentation that explains how it works in a way that people who aren't network administrators can easily understand. There is also the problem that a firewall problem can be solved in many ways with iptables, and many of those solutions are not optimal because they are not scalable, not flexible, or both. I will explain here the framework of the firewall settings I use on some of my networked Linux computers. Those computers run the Linux distribution CentOS 5.4. If you use a different distribution the location of files may differ, but the general concept remains the same.
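To make the concepts above concrete (default policies, rules that match on a packet's address or protocol, the ACCEPT, DROP and REJECT actions, and a jump from the built-in INPUT chain to a user-defined chain, which is what the text calls passing a packet on to another table of rules), here is a minimal stateful ruleset for a single host. It is an added example, not the author's own configuration from this article. The management network 192.168.1.0/24, the chain name ssh_in and the IPTABLES dry-run variable are assumptions chosen for illustration; the iptables options used exist in the iptables versions shipped with CentOS 5.

```shell
#!/bin/sh
# Added example: minimal INPUT ruleset showing tables/chains, rules and actions.
# Not the article author's configuration. Applying rules needs root and a
# Linux kernel with iptables; set IPTABLES=echo to print the rules instead
# (dry run) so the logic can be reviewed on any machine.
IPTABLES="${IPTABLES:-iptables}"
SSH_SOURCE="${SSH_SOURCE:-192.168.1.0/24}"   # constructed management network, adjust to yours

apply_rules() {
    # Start clean: flush all rules in the filter table, delete user-defined chains
    $IPTABLES -F
    $IPTABLES -X

    # Default policies: whatever no rule explicitly accepts is dropped
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback traffic (local processes talking to each other) is always allowed
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Replies to connections this host started; connection tracking supplies the state
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A user-defined chain: new TCP connections to port 22 jump into it
    $IPTABLES -N ssh_in
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ssh_in

    # Rules inside ssh_in: match on source address first, then log and reject the rest.
    # REJECT answers the sender; everything else on INPUT is silently dropped by the policy.
    $IPTABLES -A ssh_in -s "$SSH_SOURCE" -j ACCEPT
    $IPTABLES -A ssh_in -j LOG --log-prefix "ssh_in denied: "
    $IPTABLES -A ssh_in -j REJECT --reject-with tcp-reset
}

# Run as:  sh firewall.sh apply            (applies the rules, needs root)
#      or: IPTABLES=echo sh firewall.sh apply   (dry run, prints the rules)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

The order of the rules matters: a packet is checked against the rules of a chain from top to bottom and the first match decides, so the loopback and ESTABLISHED,RELATED rules sit before the SSH rule, and within ssh_in the ACCEPT for the management network comes before the LOG and REJECT rules that catch everything else. A new connection from outside the management network therefore appears once in the kernel log with the "ssh_in denied: " prefix, which is the line a defender would watch for.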