netfilter Operation: Part Three

The firewall GUI in Fedora.

The firewall GUI in Fedora.

The next step is to demonstrate how to configure the netfilter firewall. This is a critical step and the firewall should only be installed and configured after the underlying OS has been installed, updated, and hardened. We assume here that you are working with an otherwise secure system and now need to configure the firewall’s functionality.

To make sure the firewall is enabled, you can run chkconfig –list, which lists all of the services and the run levels they are configured to start in. For example, you may get the following output:

chkconfig –list | grep iptables

iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

This output tells you that iptables will start in run levels 2-5. You can set it to run in run levels 2-5 by using the chkconfig -level 2345 iptables on command. If you are using a GUI window manager, you probably have another graphical application to see this information. For example, in Fedora, you can navigate to System -> Administration -> Security Level and Firewall.

You can enable or disable the firewall by going to the Firewall Options tab and selecting Enabled or Disabled. The interface in Fedora allows you to perform limited configurations of the firewall rules (e.g., by checking the Trusted Service SSH, a rule would be added to allow inbound connections on TCP port 22). Because any graphical interface provided will likely vary from one distribution to another, we use the command line to configure the firewall.


netfilter Operation: Deleting Rules and Chains

With many Linux distributions, the netfilter firewall will become enabled, but with an empty ruleset. In others, it might come with the firewall enabled and a very liberal ruleset in place. We can start configuring a Linux firewall by deleting any default rules that are present. You can use iptables -L (or –list) to list the current rules. An empty default ruleset should look like this:

iptables -L
Chain INPUT (policy ACCEPT)
Target prot opt source destination

Chain FORWARD (policy ACCEPT)
Target prot opt source destination

Chain OUTPUT (policy ACCEPT)
Target prot opt source destination

If there are any default rules present, they can be deleted using the iptables -F command. The -F option means to flush, which is equivalent to using -flush. This will clear all rules out of any existing chains. If distribution has any additional chains created beyond the default, you can delete a custom chain by using the iptables -N customchain command. In addition to the individual rules within a chain, the built-in chains have a default policy associated with them. This policy tells netfilter what to do if a packet reaches the end of the chain without finding a match. While the default policy is to ACCEPT, it is better to change this to DROP by using the -P option, which sets the default policy for that chain, as follows:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

We will continue our look at netfilter configuration in the next article.


External Links:

Basic Fedora Linux Firewall Configuration at www.techtopia.com

netfilter Operation: Part One

netfilter operationBefore covering some of the specific commands used to configure the Linux firewall, I will cover some basic Linux firewall vocabulary and some of the basics of netfilter operation. netfilter contains the firewall logic, and iptables is the program that is used to modify the rules that the firewall uses. These rules (or ACLs) define the rules used to permit or deny packets and how to react to denied packets. The current iptables use both tables and chains. Tables are the blocks of processing where various actions are performed on the packets. Different tables process different chains. Chains are a set of rules (or ACLs). There are four built-in tables that help define netfilter operation: nat, mangle, filter and raw, each of which processes different chains.

netfilter Operation: Tables and Chains

The following tables and chains are not listed in any particular order, as a given packet may be impacted by multiple tables and chains as it is processed. The primary built-in chains are INPUT, OUTPUT, and FORWARD. In addition to these, you can create your own user-defined chains to customize netfilter operation.


  • Nat Table: In netfilter operation, this table is referenced with a packet that is used to create a new connection.
    • PREROUTING: This chain is processed as soon as a packet is received and before any routing decisions are made.
    • POSTROUTING: This chain is processed before a packet is sent to an interface but after any routing decisions have been made.
    • OUTPUT: This chain is processed for packets generated locally.
  • Filter Table: This is the default table that is used when the iptables command is used to modify the rules and do not specify an alternate table. This is where the bulk of a firewall’s processing is consumed.
    • INPUT: This chain is processed for packets destined for the local system.
    • FORWARD: This chain is processed for processed for packets passing through the local system.
    • OUTPUT: This chain is processed for packets generated by local system.
  • Mangle Table: This table is used for any specialized packet alterations that are needed. Examples are performing Network Address Translation (NAT) or manipulating various bits within the packet.
    • PREROUTING: This chain is processed on incoming packets before a routing decision is made.
    • POSTROUTING: This chain is processed last before a packet is sent to an interface.
    • OUTPUT: This chain is processed before a routing decision is made for packets generated locally.
    • INPUT: This chain is processed for packets destined for the local system.
    • FORWARD: This chain is processed for packets passing through the local system.
  • Raw Table: This table is primarily used for packets that are exempt from connection tracking, and if required, are called before any other netfilter table.
    • PREROUTING: This chain is processed as soon as a packet is received.
    • OUTPUT: This chain is processed for packets generated locally.


Now that we have reviewed all the various tables and chains, we can continue our look at netfilter operation by discussing the overall packet flow, which we will do in the next article.

External Links:

Netfilter Overview at www.shorewall.net

How the netfilter System Works at www.mad-hacking.net

© 2013 David Zientara. All rights reserved. Privacy Policy