Iptables is a powerful firewall integrated into the Linux kernel itself and part of the netfilter project (consisting of IPtables, ip6tables, ebtables, arptables and ipset). This firewall is fully configurable:
iptables is a firewall tool that allows not only filter packets, but also perform network address translation (NAT) for IPv4 or maintain log records.
In other words,
iptables is the name of the user space tool by which administrators can define policies that filter the traffic flowing through the network.
Iptables starts with the system and remains active all the time, adapting and applying to all network traffic rules which have been previously configured.
There are three types of tables in
The mangle tables, are responsible for the modification of packets, such as TTL or TOS for example, at the time you specify. It is normally used so far we will not stop in this section. Just tell that to the Kernel 2.4.17 consisted of 2 strings:
Since kernel 2.4.18, three new brands were introduced in MANGLE tables:
The NAT (network address translation or network address translation) tables will be consulted when a packet creates a new connection. Allow share a public IP address among many computers, it is essential in many situations by the shortage of IPv4 addresses. Also allow you to add rules that modify the IP addresses of the packets. It contains two main types of rules, SNAT (or IP masquerading) to change the source address and DNAT (or Port Forwarding) for addresses. Amendment contains three chains:
Filtering tables are used by default for the handling of data packets. It is responsible for filtering packages such as the string that is set for each of them to a destination or another, or block. All packets pass through this table, which contains three built-in chains:
Every network packet received by or sent from a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but usually seek to identify a packet coming from or going to a particular IP address or set of addresses, when using a particular protocol and network service. Regardless of their destination, when packets match a particular rule in one of the tables, are given a goal (target) or share them.
Every chain has a default policy of ACCEPT , DROP , REJECT , or QUEUE. If any of these rules in the chain apply to the packet, then the packet is treated according to the default policy.
These policies are also known as Targets for the above brands and the most common are:
A once the package complies with all the conditions you have specified, if we use the option-j ACCEPT it will be accepted and not travel more rules in the current chain and any other of the same table. This is important because they clarify the package can be removed in another table.
A once the package complies with all the conditions you have specified, if we use the option-j DROP it will be blocked and will not be processed in any other chain or table. This can have the drawback leave dead sockets and in many cases should use the REJECT target.
This module has the same effect as 'DROP', except that the sender is sent an ICMP error message "port unreachable"
Is used to process packets arriving at a given process, whether accompanied or not addressed to him.