**iptables** is a command line utility for configuring the Linux kernel **firewall** implemented within the https://en.wikipedia.org/wiki/Netfilter[Netfilter] project. The term ''iptables'' is also commonly used to refer to this kernel-level firewall. It can be configured directly with iptables, or by using one of the many
**iptables** is used for https://en.wikipedia.org/wiki/IPv4[IPv4] and ''ip6tables'' is used for https://en.wikipedia.org/wiki/IPv6[IPv6]. Both ''iptables'' and ''ip6tables'' have the same syntax, but some options are specific to either IPv4 or IPv6.
- FireHOL: a language to express firewalling rules, not just a script that produces some kind of a firewall. It makes building even sophisticated firewalls easy, the way you want it. Very easy to configure, handy to manage and highly customizable. Supports: NAT and SNAT, port forwarding, ADSL ethernet modems with both static and dynamically assigned IPs, MAC address filtering, stealth port scan detection, DMZ and DMZ-2-LAN forwarding, protection against SYN/ICMP flooding, extensive user-definable logging with rate limiting to prevent log flooding, all IP protocols and VPNs such as IPsec, plugin support to add extra features. http://firehol.sourceforge.net
- firewalld (firewall-cmd): daemon and console interface for configuring network and firewall zones as well as setting up and configuring firewall rules. https://firewalld.org[firewalld]
- fwbuilder: firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. The program runs on Linux, FreeBSD, OpenBSD, Windows and macOS and can manage both local and remote firewalls. http://fwbuilder.sourceforge.net[fwbuilder]
- firewalld (firewall-config): daemon and graphical interface for configuring network and firewall zones as well as setting up and configuring firewall rules. https://firewalld.org[firewalld]
- FireStarter: high-level GUI iptables firewall for Linux systems.
iptables is used to inspect, modify, forward, redirect, and/or drop IP packets.
- The code for filtering IP packets is already built into the kernel and is organized into a collection of **tables**, each with a specific purpose.
- The tables are made up of a set of predefined **chains**, and the chains contain **rules** which are traversed in order.
- Each rule consists of a predicate of potential matches and a corresponding action (called a **target**) which is executed if the predicate is true; i.e. the conditions are matched.
- If the IP packet reaches the end of a built-in chain, including an empty chain, then the chain's **policy** target determines the final destination of the IP packet.
Packet filtering is based on **rules**, which are specified by multiple **matches** (conditions the packet must satisfy so that the rule can be applied) and one **target** (the action taken when the packet matches all conditions). Typical matches are:
- what interface the packet came in on (e.g. eth0 or eth1),
- what type of packet it is (ICMP, TCP, or UDP),
- or the destination port of the packet.
Targets are specified using the **-j** or **--jump** option.
A target can be:
- a user-defined chain (i.e. if these conditions are matched, jump to the named user-defined chain and continue processing there),
- one of the special built-in targets,
- or a target extension.
[NOTE]
====
- Built-in targets are **ACCEPT**, **DROP**, **QUEUE** and **RETURN**.
- Target extensions are, for example, **REJECT** and **LOG**.
====
- If the target is a built-in target, the fate of the packet is decided immediately and processing of the packet in the current table is stopped.
- If the target is a user-defined chain and the fate of the packet is not decided by this second chain, it will be filtered against the remaining rules of the original chain.
Target extensions can be either **terminating** (like built-in targets) or **non-terminating** (like user-defined chains).
A network packet received on any interface traverses the traffic control chains of the tables in the order shown in http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart].
- The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the **INPUT chains**).
- Subsequent routing decisions involve deciding what interface to assign to an outgoing packet.
At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed.
- If at any time a complete match is achieved for a rule with a **DROP** target, the packet is dropped and no further processing is done.
- If a packet is **ACCEPT**ed within a chain, it will be **ACCEPT**ed in all superset chains also and it will not traverse any of the superset chains any further.
The first three commands are exemplified in the following.
First of all, our computer is not a router (unless, of course, it is a router). We want to change the default policy on the FORWARD chain from ACCEPT to DROP.
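As an added worked example (written for this page, not code from the original text or from the iptables project), the following Python model implements the traversal semantics described above: rules evaluated in order, the fate decided immediately by a built-in target, the non-terminating **LOG** extension, a jump into a user-defined chain that hands the packet back (end of chain or **RETURN**) to the remaining rules of the caller, and the chain **policy** applied when a packet reaches the end of a built-in chain. It also models the FORWARD policy change just described. The ruleset, interface names, packets and addresses (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges) are constructed for the illustration; each rule keeps its iptables match options as text, and the Python predicate beside it only approximates that match.

```python
"""Model of how iptables traverses the chains of one table (here: filter).

Added illustration for this page; it is not iptables source code and the
ruleset below is constructed for the example.  The model is about control
flow (rule order, targets, user-defined chains, policy), not packet parsing.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]

# Built-in targets (and REJECT, a terminating extension) decide the fate at
# once; RETURN hands the packet back to the calling chain; LOG only acts.
TERMINATING = {"ACCEPT", "DROP", "QUEUE", "REJECT"}
NON_TERMINATING = {"LOG"}


@dataclass
class Rule:
    spec: str                         # iptables match options, e.g. "-i lo"
    match: Callable[[Packet], bool]   # the same condition as a predicate
    target: str                       # built-in target, extension or user chain


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None      # only built-in chains carry a policy
    rules: List[Rule] = field(default_factory=list)


class FilterTable:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}
        self.logged: List[str] = []   # what the LOG target would have emitted

    def new_chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = Chain(name, policy)

    def append(self, chain: str, spec: str, match, target: str) -> None:
        self.chains[chain].rules.append(Rule(spec, match, target))

    def as_commands(self) -> List[str]:
        """Equivalent iptables command lines for this ruleset."""
        out = [f"iptables -P {c.name} {c.policy}" if c.policy else f"iptables -N {c.name}"
               for c in self.chains.values()]
        for c in self.chains.values():
            for r in c.rules:
                out.append(" ".join(p for p in ["iptables -A", c.name, r.spec, "-j", r.target] if p))
        return out

    def _walk(self, name: str, pkt: Packet) -> Optional[str]:
        """Walk one chain: a terminating verdict, 'RETURN', or None at chain end."""
        for rule in self.chains[name].rules:
            if not rule.match(pkt):
                continue                        # no match: try the next rule
            t = rule.target
            if t in TERMINATING or t == "RETURN":
                return t
            if t in NON_TERMINATING:
                self.logged.append(f"{name}: {rule.spec} {pkt}")
                continue                        # LOG does not decide the fate
            if t in self.chains:                # jump into a user-defined chain
                verdict = self._walk(t, pkt)
                if verdict in (None, "RETURN"):
                    continue                    # fate undecided: resume here
                return verdict
            raise ValueError(f"unknown target {t!r}")
        return None

    def verdict(self, builtin_chain: str, pkt: Packet) -> str:
        chain = self.chains[builtin_chain]
        if chain.policy is None:
            raise ValueError("traversal starts at a built-in chain")
        v = self._walk(builtin_chain, pkt)
        # End of a built-in chain (or RETURN in it): the chain policy decides.
        return chain.policy if v in (None, "RETURN") else v


def in_net(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net


def build_ruleset(forward_policy: str = "ACCEPT") -> FilterTable:
    """Constructed ruleset: stateful INPUT plus a user-defined TCP chain."""
    t = FilterTable()
    t.new_chain("INPUT", "DROP")
    t.new_chain("FORWARD", forward_policy)      # the host is not a router
    t.new_chain("OUTPUT", "ACCEPT")
    t.new_chain("TCP")                          # user-defined, no policy
    t.append("INPUT", "-i lo", lambda p: p["iface"] == "lo", "ACCEPT")
    t.append("INPUT", "-m conntrack --ctstate RELATED,ESTABLISHED",
             lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "ACCEPT")
    t.append("INPUT", "-p tcp --syn -m conntrack --ctstate NEW",
             lambda p: p["proto"] == "tcp" and p["state"] == "NEW", "TCP")
    t.append("INPUT", "-m limit --limit 5/min", lambda p: True, "LOG")
    # Sources in 203.0.113.0/24 are handed straight back to INPUT.
    t.append("TCP", "-s 203.0.113.0/24", in_net("203.0.113.0/24"), "RETURN")
    t.append("TCP", "-p tcp --dport 22", lambda p: p["dport"] == 22, "ACCEPT")
    t.append("TCP", "-p tcp --dport 80", lambda p: p["dport"] == 80, "ACCEPT")
    return t


def demo() -> Dict[str, str]:
    ssh = {"iface": "eth0", "proto": "tcp", "state": "NEW", "src": "198.51.100.7", "dport": 22}
    t = build_ruleset()
    return {
        "ssh": t.verdict("INPUT", ssh),                        # TCP chain accepts
        "telnet": t.verdict("INPUT", dict(ssh, dport=23)),     # TCP ends, LOG, policy DROP
        "blocked": t.verdict("INPUT", dict(ssh, src="203.0.113.9")),  # RETURN, LOG, DROP
        "forward_default": t.verdict("FORWARD", ssh),          # empty chain: policy ACCEPT
        "forward_hardened": build_ruleset("DROP").verdict("FORWARD", ssh),
    }


if __name__ == "__main__":
    print("\n".join(build_ruleset("DROP").as_commands()))
    print(demo())
```

`as_commands()` shows the iptables invocations the model stands for, `iptables -P FORWARD DROP` among them; `demo()` shows that a packet the TCP chain does not decide falls back into INPUT, passes the non-terminating LOG rule, and is finally dropped by the INPUT policy, while a forwarded packet on an empty FORWARD chain is decided purely by that chain's policy.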
This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible.