... the latest Linux kernel, version 2.4, offers a number of improvements over the 2.2 kernel that make Linux a viable alternative for corporate firewalls. Netfilter, Linux's in-kernel "packet mangling" infrastructure, and iptables, the administrative tool that manages it, represent a substantial improvement over ipchains, the previous option available under the 2.2 kernel. Netfilter offers a much more integrated and capable infrastructure than ipchains did, and iptables offers reasonable backwards compatibility with ipchains and ipfwadm rulesets while still giving administrators the opportunity to improve their firewall implementations under Linux.

Stateless packet filters are simpler to implement, but more complicated to configure, and ultimately much less secure than packet filters that do keep state. From the perspective of stateless packet filters, every packet that arrives is a new packet (with no relationship to any packet that came before or after). Since most useful network conversations have two sides, stateless packet filters need two rules for each kind of network traffic they allow--one for the request and another for the reply.

All network conversations using TCP/IP have a source IP address, a source port, a destination IP address and a destination port. So, to permit client computers on the internal network to browse the Web, stateless packet filters must allow outbound traffic to all computers on port 80 (the common World Wide Web port) and allow inbound traffic from port 80 to all computers on the internal network. Web requests will come from a randomly chosen, high source port on internal machines; consequently, traffic must be permitted to enter the network on all high ports.
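The two-rule stateless pair described above, set beside the stateful equivalent that netfilter's connection tracking makes possible. This is an added example, not code from the article; interface names, the internal subnet, and the helper function names are assumptions, and the script only prints rules for review rather than loading them.

```shell
#!/bin/sh
# Assumed interface names and internal subnet (constructed for this example).
LAN_IF="eth1"
WAN_IF="eth0"
LAN_NET="192.168.1.0/24"

# Stateless (ipchains-style) ruleset for outbound web browsing: one rule for
# the request and one for the reply. Because the client's source port is a
# random high port, the reply rule has to admit anything arriving from source
# port 80 to the whole unprivileged range, whether or not a request was sent.
stateless_web_rules() {
    printf '%s\n' \
    "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $LAN_NET --dport 80 -j ACCEPT" \
    "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $LAN_NET --sport 80 --dport 1024:65535 -j ACCEPT"
}

# Stateful (netfilter, kernel 2.4 "-m state") ruleset: the request rule creates
# a connection-tracking entry, and the reply rule admits only packets that
# belong to a conversation an internal host actually started.
stateful_web_rules() {
    printf '%s\n' \
    "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $LAN_NET --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT" \
    "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Review check: count rules (read from stdin) that accept traffic arriving on
# the WAN interface without consulting connection state. Each one is a path
# for unsolicited inbound packets.
count_stateless_inbound() {
    grep -- "-i $WAN_IF" | grep -vc -- '--state' || true
}

# Count the rules in a ruleset read from stdin.
count_rules() {
    grep -c '^iptables ' || true
}

# Print both rulesets for review (nothing is applied; run as root to load them).
echo "# stateless ruleset"; stateless_web_rules
echo "# stateful ruleset";  stateful_web_rules
echo "# stateless rules admitting unsolicited inbound traffic: $(stateless_web_rules | count_stateless_inbound)"
echo "# stateful rules admitting unsolicited inbound traffic:  $(stateful_web_rules | count_stateless_inbound)"
```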

The link for this article located at ZDNet is no longer available.