An overview of iptables
A common misconception is that iptables is the name of the Linux firewall. In reality, the Linux firewall is netfilter, which is built into every Linux distro; iptables is just one of several command-line utilities that you can use to manage netfilter. It was originally introduced as a feature of Linux kernel version 2.6, so it's been around for a long time. With iptables, you do have a few advantages:
- It's been around long enough that most Linux admins already know how to use it.
- It's easy to use iptables commands in shell scripts to create your own custom firewall configuration.
- It has great flexibility in that you can use it to set up a simple port filter, a router, or a virtual private network.
- It comes pre-installed on pretty much every Linux distro, although most distros don't come with it preconfigured.
- It's very well documented and has free-of-charge, book-length tutorials available on the internet.
However, as you might know, there are also a few disadvantages:
- IPv4 and IPv6 each require their own special implementation of iptables. So, if your organization still needs to run IPv4 while in the process of migrating to IPv6, you'll have to configure two firewalls on each server and run a separate daemon for each (one for IPv4, the other for IPv6).
- If you need to do MAC bridging, that requires ebtables, which is the third component of iptables, with its own unique syntax.
- arptables, the fourth component of iptables, also requires its own daemon and syntax.
- Whenever you add a rule to a running iptables firewall, the entire iptables ruleset has to be reloaded, which can have a huge impact on performance.
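The shell-script advantage and the separate-IPv4/IPv6 disadvantage above go together in practice: one script can render the same policy for both iptables and ip6tables. The script below is an added example, not code from the book; it assumes a host that only needs SSH inbound, and it has a DRY_RUN mode that prints the commands instead of running them, so it can be checked without root. The one family-specific line is the ICMP rule: IPv6 relies on ICMPv6 for neighbour discovery, so copying an IPv4 rule set that drops ICMP onto ip6tables breaks IPv6 connectivity.

```shell
#!/bin/sh
# Constructed example: one inbound policy rendered for both address families,
# because iptables (IPv4) and ip6tables (IPv6) each keep their own rule set.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).

SSH_PORT="${SSH_PORT:-22}"   # assumed: the only service to expose

# Print the rule set for one family: "iptables" or "ip6tables".
emit_rules() {
    fam="$1"
    case "$fam" in
        iptables)  icmp_match="-p icmp" ;;       # IPv4 ICMP
        ip6tables) icmp_match="-p ipv6-icmp" ;;  # ICMPv6: required for neighbour discovery
        *) echo "unknown family: $fam" >&2; return 1 ;;
    esac
    cat <<EOF
$fam -F
$fam -P INPUT DROP
$fam -P FORWARD DROP
$fam -P OUTPUT ACCEPT
$fam -A INPUT -i lo -j ACCEPT
$fam -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$fam -A INPUT $icmp_match -j ACCEPT
$fam -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Apply (or, with DRY_RUN=1, just show) the rule set for one family.
apply_rules() {
    fam="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        emit_rules "$fam"
    else
        # Run each generated command; sh -e stops at the first failure.
        emit_rules "$fam" | sh -e
    fi
}

# Entry point: render both families, e.g. `DRY_RUN=1 sh firewall.sh`.
main() {
    apply_rules iptables && apply_rules ip6tables
}
```

Run it with DRY_RUN=1 first and diff the two outputs: the only line that should differ beyond the command name is the ICMP rule.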
Until recently, just plain iptables was the default firewall manager on every Linux distro. It still is on most distros, but Red Hat Enterprise Linux 7 and all of its offspring now use the new firewalld as an easier-to-use frontend for configuring iptables rules. Ubuntu comes with Uncomplicated Firewall (ufw), which is also an easy-to-use frontend for iptables. An even newer technology that we'll explore is nftables, which is available as an option on Debian/Ubuntu systems. On Red Hat 8/CentOS 8 systems, nftables has replaced iptables as the default backend for firewalld. (Don't worry if this all sounds confusing – it will all become clear in good time.)
In this chapter, we'll discuss setting up iptables firewall rules for both IPv4 and IPv6.