Linux IP Firewalling Chains is an update to the 2.0 Linux firewalling code for the 2.2
kernel. It has many more features than previous implementations, including:
• More flexible packet manipulations
• More complex accounting
• Simple policy changes possible atomically
• Fragments can be explicitly blocked, denied, etc.
• Logs suspicious packets.
• Can handle protocols other than ICMP/TCP/UDP.
If you are currently using ipfwadm on your 2.0 kernel, there are scripts available to
convert the ipfwadm command format to the format ipchains uses.
Be sure to read the IP Chains HOWTO for further information. It is available at
http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
Netfilter - Linux Kernel 2.4.x Firewalling
In yet another set of advancements to the kernel IP packet filtering code, netfilter
allows users to set up, maintain, and inspect the packet filtering rules in the new 2.4
kernel.
The netfilter subsystem is a complete rewrite of previous packet filtering implementations
including ipchains and ipfwadm. Netfilter provides a large number of improvements,
and it has now become an even more mature and robust solution for
protecting corporate networks.
iptables is the command-line interface used to manipulate the firewall tables within the kernel.
Netfilter provides a raw framework for manipulating packets as they traverse
through various parts of the kernel. Part of this framework includes support for
masquerading, standard packet filtering, and now more complete network address
translation. It even includes improved support for load balancing requests for a
particular service among a group of servers behind the firewall.
The stateful inspection features are especially powerful. Stateful inspection provides
the ability to track and control the flow of communication passing through the filter.
Keeping track of state and context information about a session makes rules simpler and
lets the filter reason about higher-level protocols rather than individual packets.
Additionally, small modules can be developed to perform specific functions, such as
passing packets to programs in userspace for processing and then reinjecting them
into the normal packet flow. Being able to develop these programs in userspace
reduces the complexity that was previously associated with having to make changes
directly at the kernel level.
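The stateful inspection, fragment handling and logging described above, as an added example that is not part of the original article: a minimal netfilter ruleset for a 2.4-era host, written as a shell script with a dry-run mode. The external interface name (eth0) and the exposed TCP ports (22 and 80) are assumptions.

```shell
# Added example, not the article's own code: a minimal stateful iptables
# ruleset. Default-deny policies, connection tracking so replies need no
# per-service rule, explicit fragment handling, logging of what is dropped.
# The interface name and the exposed TCP ports are assumptions.
WAN_IF="${WAN_IF:-eth0}"                         # assumed external interface
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80}"  # assumed services to expose
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands, do not apply

ipt() {
    # Wrapper: print the command in dry-run mode, otherwise call iptables.
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    # Start from an empty INPUT chain with a deny-by-default policy.
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback traffic never leaves the host; accept it unconditionally.
    ipt -A INPUT -i lo -j ACCEPT

    # Stateful core: packets of a connection already accepted (ESTABLISHED)
    # or linked to one by conntrack (RELATED, e.g. ICMP errors, FTP data)
    # pass without a rule for each service.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INVALID packets (no conntrack entry, TCP flags that make no sense for
    # the connection's current phase) are logged, then dropped.
    ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID: "
    ipt -A INPUT -m state --state INVALID -j DROP

    # Non-first fragments carry no transport header for later rules to
    # match, so handle them explicitly instead of letting them fall through.
    ipt -A INPUT -i "$WAN_IF" -f -j LOG --log-prefix "FRAGMENT: "
    ipt -A INPUT -i "$WAN_IF" -f -j DROP

    # Only NEW connections to the listed services need explicit rules.
    for port in $ALLOWED_TCP_PORTS; do
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Whatever reaches the end of the chain is logged (rate-limited) before
    # the DROP policy takes effect, so the log stays useful under floods.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROPPED: "
}

# Apply only when explicitly requested, so the file can be sourced for review.
if [ "${APPLY_FIREWALL:-0}" = "1" ]; then apply_rules; fi
```

Run it with DRY_RUN=1 to review the generated commands; applying them needs root and APPLY_FIREWALL=1.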
Other IP Tables references include:
• Oskar Andreasson IP Tables Tutorial -- Oskar Andreasson speaks with LinuxSecurity.com
about his comprehensive IP Tables tutorial and how this document can be
used to build a robust firewall for your organization.
• Hal Burgiss Introduces Linux Security Quick-Start Guides -- Hal Burgiss has written
two authoritative guides on securing Linux, including managing firewalling.
• Netfilter Homepage -- The netfilter/iptables homepage.
• Linux Kernel 2.4 Firewalling Matures: netfilter -- This LinuxSecurity.com article describes
the basics of packet filtering, how to get started using iptables, and a list of
the new features available in the latest generation of firewalling for Linux.
IP Chains & Netfilter - Linux Kernel 2.2.x Firewalling
Posted by Army | Saturday, March 20, 2010