The multilayered kernel firewall is built on netfilter, and is moving towards a Berkeley Packet Filter architecture. There are two options for interacting with it:
- `ip_tables` is the original kernel module, and comes with the `iptables` user utility (notice the missing underscore in the name of the user utility).
- `nf_tables` is the new implementation, and has backwards compatibility with the `iptables` user utility, but you would use `nft` instead.
Note: there are other kernel modules associated with each. `ip_tables` has `x_tables`, `eb_tables`, etc., and tons of accessory modules. It's complicated, but this is the basic gist.
It seems like both backend interfaces can largely be enabled at the same time. They both use netfilter, but I'm not sure how they interact with each other completely. `nf_tables` is said by some to "not be production ready". Docker still uses `iptables`-style rules. It's not recommended to mix `nft`-style and `iptables`-style rules.
Tables are containers for chains, which contain rules. When a packet is being checked, its chain is determined by what stage of processing it's in (warning: complex graph of stages), and then each of that chain's rules is evaluated one by one until there is a match which does something final (e.g. DROP). Chains can jump to other chains, and then resume where they left off.
| | iptables | nft |
|---|---|---|
| applications | `ip_tables` actually uses a separate user utility for IPv4 (where we focus), IPv6, ARP, and bridging | `nft` is the only utility |
| tables | there are five tables: raw, filter (our focus), nat, mangle, security | you create tables and give them a family: ip, ip6, inet (ip + ip6), arp, bridge. The family is the equivalent of iptables' separate applications |
| chains | there are five basic chains: prerouting, postrouting, input, output, forward. These are hooked into the kernel. You can also jump to user-defined chains. | All chains are user defined, but they can be specified as "base" chains and be "hooked" into input, output, forward, etc., replacing the five basic chains of iptables. They also have three types: nat, filter, and route. |
| rules | rules are rules: they try to match packet headers/metadata/whatever and then do something, like drop, accept, etc. | same as iptables |
Please understand that not every feature described in the table can be combined with every other feature. For example, application/table-family "nat" doesn't use chain/hook "input"; it uses chain/hook "forward".
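To tie the pieces together (tables as containers, base chains hooked into a processing stage, rules evaluated top to bottom until a terminal verdict, and a jump into a user-defined chain that resumes where it left off), here is an added nftables ruleset. It is an illustration written for this page, not code from the original write-up; the table and chain names, the 192.0.2.0/24 network and the port number are assumptions chosen for the example.

```nft
# Added example ruleset, not from the page. Load with: nft -f firewall.nft
# Table/chain names, the address range and the port are constructed for illustration.
flush ruleset

table inet filter {
    # Base chain: hooked into the kernel at the "input" stage, type filter.
    # With "policy drop", a packet that reaches the end of the chain without
    # a terminal verdict is dropped (deny by default).
    chain input {
        type filter hook input priority 0; policy drop;

        # Rules are evaluated top to bottom; the first terminal verdict wins.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Jump into a user-defined chain. If that chain returns without a
        # verdict, evaluation resumes here, at the rule after the jump.
        tcp dport 22 jump ssh_guard

        # Nothing else matched: the packet falls through to the chain policy.
    }

    # Base chain for packets routed through this host. A host that does not
    # forward traffic can leave it empty with a drop policy.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # User-defined chain: no hook, only reachable via jump (or goto).
    chain ssh_guard {
        # RFC 5737 documentation range, standing in for an assumed admin network.
        ip saddr 192.0.2.0/24 accept
        # No match: hand control back to the caller.
        return
    }
}
```

`nft -c -f firewall.nft` checks the file without loading it, and `nft list ruleset` shows what is currently active. Because `ssh_guard` returns without a verdict for any other source, SSH connections from outside 192.0.2.0/24 fall through to the `input` chain's drop policy, which is the effect the jump/return semantics give you. The iptables equivalent of the user-defined chain would be created with `iptables -N ssh_guard` and reached with `iptables -A INPUT -p tcp --dport 22 -j ssh_guard`.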
You can look up the syntax for `iptables` or `nft`, as well as all the technical vocabulary and caveats. This explanation was just meant to get you out of the weeds and to a basic understanding of what these things do. Also, this is a good example for `iptables`: https://www.digitalocean.com/community/tutorials/how-to-implement-a-basic-firewall-template-with-iptables-on-ubuntu-14-04.
The netfilter backend and the `iptables`/`nft` tools are very complex because Linux is used at the heart of networking (routers, VPNs and the like), so these are professional tools with lots of options. Firewalld and UFW seem to be popular front ends that make firewall configuration easier for desktop and web-app programmers.