Thursday, 3 February 2011

netfilter

Linux has a very comprehensive set of modules for filtering and changing network packets as they flow through the network stack. However, this framework has been through several major and quite a few minor redesigns (the last major one seems to be the introduction of the nf_conntrack subsystem in 2.6.15).

There are vast amounts of documentation available on the web, but very little of it is up to date with the latest changes. I will try to summarize my experiences with kernel 2.6.32.

Some pointers for good places to start:

  • This is a good introduction, which also covers the latest changes (pdf)
  • The authoritative source is netfilter.org, but most of the documentation there is outdated by almost a decade.
  • This tutorial from Oskar Andreasson is not too out of date
  • You can also take a look at the Wikipedia page for iptables, which has a nice flowchart

A quick introduction for the impatient:

  • Each network packet is sent through a set of tables
  • For each table, the packet is sent through a set of chains; which chains are used depends on the final destination of the packet: inbound, outbound or routed through (see the drawing on Wikipedia for the full picture)
  • Each chain has a default rule, and can have a set of additional rules
  • Each rule is a filter and a command. The filter can be anything that the netfilter framework can find in the packet: interface, source, destination, port, protocol etc. The command is either a pre-defined one (DROP, ACCEPT, REJECT etc) or a user-defined table. The filter can be regarded as an "if"-statement, and the command as a function call. But pay attention that not all commands make sense in all tables or all chains. Read the documentation for details.
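To make the "if-statement plus function call" picture concrete, here is a small Python model of how a single chain is evaluated: rules are tested in order, a terminal target (ACCEPT/DROP/REJECT) ends the walk, a jump into a user-defined chain behaves like a function call whose RETURN (or fall-through at the end) resumes in the calling chain, and the chain's default policy applies only if nothing matched. This is an added example written for this post, not netfilter's or iptables' own code; the INPUT and MGMT chains, the addresses and the packets are all constructed for illustration.

```python
"""Toy model of netfilter chain traversal: rules are (match, target) pairs,
walked in order. Constructed example, not the kernel's implementation."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Targets that end the decision for this packet in this table.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"        # conntrack state: NEW / ESTABLISHED / RELATED / INVALID
    in_iface: str = "eth0"


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # the "if"
    target: str                       # the "function call"
    comment: str = ""


@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)
    policy: Optional[str] = None      # only built-in chains carry a default policy


def walk(chains: dict, name: str, pkt: Packet, depth: int = 0) -> Optional[str]:
    """Return the verdict reached in chain `name`, or None if the chain fell
    through (explicit RETURN, or the end of a user-defined chain)."""
    if depth > 16:                    # guard against self-referencing chains in this toy
        raise RecursionError("chain nesting too deep")
    chain = chains[name]
    for rule in chain.rules:
        if not rule.match(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        # Jump into a user-defined chain; resume here if it falls through.
        verdict = walk(chains, rule.target, pkt, depth + 1)
        if verdict is not None:
            return verdict
    return chain.policy               # None for user-defined chains => back to caller


def build_filter_input() -> dict:
    """A small INPUT chain in the style of a typical stateful host firewall
    (constructed ruleset; 192.168.1.0/24 stands in for the local LAN)."""
    lan = ip_network("192.168.1.0/24")
    mgmt = Chain("MGMT", [
        Rule(lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT", "ssh from LAN"),
        Rule(lambda p: p.proto == "icmp", "ACCEPT", "ping from LAN"),
        Rule(lambda p: p.proto == "udp", "RETURN", "let INPUT decide about udp"),
        # anything else from the LAN falls off the end and returns to INPUT
    ])
    inp = Chain("INPUT", [
        Rule(lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT", "conntrack"),
        Rule(lambda p: p.state == "INVALID", "DROP", "bad conntrack state"),
        Rule(lambda p: p.in_iface == "lo", "ACCEPT", "loopback"),
        Rule(lambda p: ip_address(p.src) in lan, "MGMT", "jump for LAN sources"),
        Rule(lambda p: p.proto == "tcp" and p.dport == 80, "ACCEPT", "public http"),
        Rule(lambda p: p.proto == "tcp", "REJECT", "answer other tcp with an error"),
    ], policy="DROP")
    return {"INPUT": inp, "MGMT": mgmt}


def verdict(pkt: Packet) -> str:
    """Evaluate one packet against the constructed filter/INPUT chain."""
    return walk(build_filter_input(), "INPUT", pkt)


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "192.168.1.1", "tcp", 22),                       # ACCEPT via MGMT
        Packet("192.168.1.10", "192.168.1.1", "udp", 5353),                     # RETURN, then policy DROP
        Packet("203.0.113.5", "192.168.1.1", "tcp", 22),                        # REJECT
        Packet("203.0.113.5", "192.168.1.1", "tcp", 80),                        # ACCEPT
        Packet("203.0.113.5", "192.168.1.1", "udp", 53),                        # DROP by policy
        Packet("203.0.113.5", "192.168.1.1", "tcp", 443, state="ESTABLISHED"),  # ACCEPT by conntrack
    ]
    for p in samples:
        print(f"{p.src:>14} {p.proto}/{p.dport} {p.state:<11} -> {verdict(p)}")
```

The model deliberately mirrors what the real INPUT chain does with `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` first and a `-P INPUT DROP` policy last: the order of the rules is the whole semantics, and a user-defined chain that falls through without a verdict simply hands control back to the rule after the jump.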
