Linux Firewall and Masquerading: The IP Chains Concept in Linux 2.2
Terrehon Bowden and Bodo Bauer
Among the many challenges resulting from the over-discussed growth of the Internet are the need for more usable local IP addresses and the need for a reasonable balance between security and access to Internet resources. Installing a firewall is one form of protection. The Linux kernel supports packet filtering, which can be used to implement a simple form of a firewall. One way to gain more usable local IP addresses is to implement a technique called masquerading, in which you hide entire networks with unregistered addresses behind one registered address.
This article gives an introduction to the Linux packet filter mechanisms, which can be used to masquerade packets and to build a firewall. SuSE Linux ships with a set of scripts that implement simple firewalling and masquerading techniques using these kernel features. We will discuss how they work and how to configure them. The scripts shipping with SuSE Linux 6.1 work only with kernels of the 2.0 series. The handling of firewall rules changed in kernel version 2.2. This article covers the new scheme used in the 2.2 series kernels.
The Kernel Packet Filter
Linux has supported packet filtering for quite a while. With version 2.2 of the kernel, there is a significant change in the structure of this service. The basic principles remain the same. There are chains of rules against which the IP packets are matched.
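To make the "chains of rules" idea concrete, here is a small added example (written for this page, not code from the article or from SuSE) that models how ipchains walks a chain: rules are tried in order, the first matching rule decides the packet's fate, a rule whose target names a user-defined chain jumps into that chain and comes back if nothing there decides, and a packet that falls off the end of a built-in chain gets that chain's default policy. The chain names, the `Packet` and `Rule` classes, the sample network 192.168.0.0/24 and the sample packets are all constructed for illustration; the script evaluates the model in Python rather than calling the real ipchains tool.

```python
"""Toy model of ipchains-style rule evaluation (added example, not from the
article): first match wins, user chains are jumped into and returned from,
and a built-in chain's policy applies when no rule matched."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Verdicts that end the evaluation of a packet.
TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False           # TCP SYN set, i.e. a new connection attempt

@dataclass
class Rule:
    target: str                 # terminal verdict, "RETURN" or a user chain name
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR such as "192.168.0.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None
    syn_only: bool = False      # match only connection-opening TCP packets

    def matches(self, pkt: Packet) -> bool:
        """Every criterion that is set must hold; unset criteria match anything."""
        if self.proto and self.proto != pkt.proto:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.syn_only and not pkt.syn:
            return False
        return True

@dataclass
class Chain:
    name: str
    rules: list = field(default_factory=list)
    policy: Optional[str] = None   # only the built-in chains carry a policy

class Firewall:
    def __init__(self):
        # The three built-in chains of the 2.2 kernel, all accepting by default.
        self.chains = {n: Chain(n, policy="ACCEPT") for n in ("input", "forward", "output")}

    def new_chain(self, name: str) -> None:
        self.chains[name] = Chain(name)

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].rules.append(rule)

    def walk(self, chain_name: str, pkt: Packet) -> Optional[str]:
        """Verdict of one chain, or None if the packet reached the end of it."""
        for rule in self.chains[chain_name].rules:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            # Jump into a user-defined chain; keep going here if it did not decide.
            verdict = self.walk(rule.target, pkt)
            if verdict is not None:
                return verdict
        return None

    def filter(self, chain_name: str, pkt: Packet) -> str:
        """Run a packet through a built-in chain, falling back to its policy."""
        verdict = self.walk(chain_name, pkt)
        return verdict if verdict is not None else self.chains[chain_name].policy

def build_sample_firewall() -> Firewall:
    """Constructed sample rule set: a deny-by-default host with a trusted LAN."""
    fw = Firewall()
    fw.chains["input"].policy = "DENY"
    fw.chains["forward"].policy = "DENY"
    fw.new_chain("lan-in")
    # Traffic from the (constructed) local net is handed to the "lan-in" chain.
    fw.append("input", Rule(target="lan-in", src="192.168.0.0/24"))
    fw.append("lan-in", Rule(target="ACCEPT", proto="tcp", dport=22))
    fw.append("lan-in", Rule(target="ACCEPT", proto="icmp"))
    # Anything else: refuse new TCP connections, allow replies to existing ones.
    fw.append("input", Rule(target="DENY", proto="tcp", syn_only=True))
    fw.append("input", Rule(target="ACCEPT", proto="tcp"))
    # Packets from the local net that are forwarded out get masqueraded.
    fw.append("forward", Rule(target="MASQ", src="192.168.0.0/24"))
    return fw

if __name__ == "__main__":
    fw = build_sample_firewall()
    print(fw.filter("input", Packet("tcp", "192.168.0.5", "192.168.0.1", 22, syn=True)))
    print(fw.filter("input", Packet("tcp", "192.168.0.5", "192.168.0.1", 80, syn=True)))
```

The second sample packet shows the part that trips people up: it enters `lan-in`, matches nothing there, returns to `input`, and is then caught by the SYN-only DENY rule rather than by the chain policy.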