Difference between revisions of "Firewall Basics"

From docwiki
Revision as of 16:26, 28 March 2020


Motivation

Protecting your Linux system from threats on the Internet is more important today than ever. For this you should turn off every service you do not need and keep your distribution up to date. A firewall also helps keep unwanted guests out. Using Linux as a firewall to protect your network is often a good idea as well. Last but not least: the NAT (Network Address Translation) built into the Linux firewall code is useful if you want a private network behind a Linux router.

The History of the Linux Firewall, replacing iptables with nftables

In the 1990s, even before Linux, there was TCP Wrappers, which could be used to protect a server program from access by using a list of IP addresses that would be allowed or denied access to that server. It is still in use today, though most firewall rules are now handled by the kernel:

Linux has had firewalling code in the kernel since about 1997. Back then it was ipfwadm. With the 2.2 kernels came ipchains. This was then replaced by the iptables firewall. iptables has been the Linux firewall for the last 20 years. Modern distributions are now replacing it with nftables, the newer firewall built on the kernel's netfilter framework.

In order to set up rules or display the existing rules there are tools that talk to the kernel interface. For iptables the tool was iptables. For the modern nftables the tool is nft.


Current kernels have an iptables compatibility layer, so even if they run nftables internally, a firewall can still (for the most part) be configured with the old iptables commands.

In order to make the transition towards the new nft rules easier there is a tool named iptables-translate, which has the same syntax as iptables but does not insert any firewall rules into the kernel; instead it prints out the nft command that would do the same thing. So if you find documentation that describes an iptables command, you can use the tool to find the nft way of doing it.
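To show the shape of the iptables-to-nft mapping that iptables-translate performs, here is an added example (not from the wiki page and not the real iptables-translate tool): a toy translator in Python for a handful of common options. Like the real tool it only prints rules and never touches the kernel; the option subset and the output format are my own approximation of what iptables-translate emits.

```python
"""Toy iptables -> nft translator (constructed example, not the real tool).

It mirrors the structure of iptables-translate output: the iptables
table and chain become the nft family/table/chain, each match option
becomes an nft expression, and the target becomes the nft verdict."""
import shlex

# iptables targets supported by this toy and their nft verdicts.
TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def translate(cmd: str) -> str:
    """Translate 'iptables [-t TABLE] -A CHAIN ... -j TARGET' to an nft command.

    Supported options: -t, -A, -p, -s, -d, -i, -o, --dport, --sport, -j.
    Any other option raises ValueError so nothing is silently dropped."""
    args = shlex.split(cmd)
    if not args or args[0] != "iptables":
        raise ValueError("expected an iptables command")
    table, chain, proto, target = "filter", None, None, None
    exprs = []  # nft match expressions in the order they appeared
    i = 1
    while i < len(args):
        opt = args[i]
        val = args[i + 1] if i + 1 < len(args) else None
        if opt == "-t":
            table = val
        elif opt == "-A":
            chain = val
        elif opt == "-p":
            proto = val  # remembered so port matches know their protocol
        elif opt in ("-s", "-d"):
            exprs.append(f"ip {'saddr' if opt == '-s' else 'daddr'} {val}")
        elif opt in ("-i", "-o"):
            exprs.append(f"{'iifname' if opt == '-i' else 'oifname'} \"{val}\"")
        elif opt in ("--dport", "--sport"):
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{opt} requires -p tcp or -p udp")
            exprs.append(f"{proto} {opt[2:]} {val}")  # e.g. "tcp dport 22"
        elif opt == "-j":
            if val not in TARGETS:
                raise ValueError(f"unsupported target {val}")
            target = TARGETS[val]
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs -A CHAIN and -j TARGET")
    # A protocol with no port match still needs an explicit protocol test.
    if proto and not any(e.startswith(proto + " ") for e in exprs):
        exprs.append(f"ip protocol {proto}")
    return f"nft add rule ip {table} {chain} " + " ".join(exprs + ["counter", target])
```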

nft allows more freedom in how you structure your firewall, but since it is rather new, most Linux firewalls, even when they use nft, still follow the iptables structure. Thus I first give you a short overview of iptables:

iptables overview

[Figure: The tables of iptables]