- Mastering Linux Security and Hardening
- Donald A. Tevault
- 376 characters
- 2021-07-02 19:19:27
An overview of iptables
A common misconception is that iptables is the name of the Linux firewall. In reality, the name of the Linux firewall is netfilter and every Linux distro has it built-in. What we know as iptables is just one of several command-line utilities that we can use to manage netfilter. It was originally introduced as a feature of Linux kernel, version 2.6, so it's been around for a long time. With iptables, you do have a few advantages:
- It's been around long enough that most Linux admins already know how to use it
- It's easy to use iptables commands in shell scripts to create your own custom firewall configuration
- It has great flexibility, in that you can use it to set up a simple port filter, a router, or a virtual private network
- It comes preinstalled on pretty much every Linux distro, although most distros don't come with it preconfigured
- It's very well documented, with free of charge, book-length tutorials available on the internet
But, as you might know, there are also a few disadvantages:
- IPv4 and IPv6 require their own special implementation of iptables. So, if your organization still needs to run IPv4 while in the process of migrating to IPv6, you'll have to configure two firewalls on each server, and run a separate daemon for each (one for IPv4, the other for IPv6).
- If you need to do MAC bridging, that requires ebtables, which is the third component of iptables, with its own unique syntax.
- arptables, the fourth component of iptables, also requires its own daemon and syntax.
- Whenever you add a rule to a running iptables firewall, the entire iptables ruleset has to be reloaded, which can have a huge impact on performance.
Until recently, iptables was the default firewall manager on every Linux distro. It still is on most distros, but Red Hat Enterprise Linux 7 and all of its offspring now use a newer technology called firewalld. Ubuntu comes with Uncomplicated Firewall (ufw), an easy-to-use frontend for iptables. An even newer technology that we'll explore at the end of the chapter is nftables.
For the purposes of this chapter, we'll only look at the IPv4 component of iptables. (The syntax for the IPv6 component would be very similar.)
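The two points above worth seeing side by side are the advantage that iptables commands drop neatly into a shell script, and the disadvantage that IPv4 and IPv6 each need their own tool. The script below is an added example, not code from the book; it builds a minimal host firewall (default-deny inbound, loopback, established connections, SSH and ICMP) and applies the same ruleset once through `iptables` and once through `ip6tables`. It assumes SSH listens on port 22 and that conntrack matching is available; by default it only prints the commands, and executing them for real requires root and `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the book): a minimal IPv4 and IPv6 host firewall
# written as plain iptables/ip6tables commands in a shell script.
# By default the script is a dry run and prints the commands it would issue;
# set APPLY=1 (as root, on a netfilter-capable kernel) to execute them.

SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH listens on 22

# run_rule TOOL ARGS...: execute one firewall command, or print it in dry-run mode
run_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# apply_ruleset TOOL: issue the same ruleset through iptables or ip6tables.
# Because each address family has its own tool, the function is called twice.
apply_ruleset() {
    tool="$1"
    # Flush existing rules and user chains so re-running the script is idempotent
    run_rule "$tool" -F
    run_rule "$tool" -X
    # Default policies: drop unsolicited inbound and forwarded packets,
    # allow everything the host itself originates
    run_rule "$tool" -P INPUT DROP
    run_rule "$tool" -P FORWARD DROP
    run_rule "$tool" -P OUTPUT ACCEPT
    # Loopback traffic is always allowed
    run_rule "$tool" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened
    run_rule "$tool" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Drop TCP packets that are NEW but not SYN (malformed or scan noise)
    run_rule "$tool" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # Management access on the SSH port
    run_rule "$tool" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # ICMP is needed for path MTU discovery; the IPv6 tool uses icmpv6
    if [ "$tool" = "ip6tables" ]; then
        run_rule "$tool" -A INPUT -p icmpv6 -j ACCEPT
    else
        run_rule "$tool" -A INPUT -p icmp -j ACCEPT
    fi
}

# rule_count TOOL: number of commands the script issues for one tool (always dry run)
rule_count() {
    ( APPLY=0; apply_ruleset "$1" ) | wc -l | tr -d ' '
}

# Build both firewalls: the IPv4 one and, separately, the IPv6 one
main() {
    apply_ruleset iptables
    apply_ruleset ip6tables
}

main
```

Run it once without `APPLY` to review the twenty commands it would issue, then with `APPLY=1` as root to load them. Everything after the two `-P` lines is an `-A` append; if you later add rules with further `-A` calls on the live firewall, remember the point made above that the whole ruleset is reloaded each time, which is why many admins keep the script as the single source of truth and re-run it rather than editing rules interactively.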