Iptables

is Article description::a program used to configure and manage the kernel's netfilter modules.

Prerequisites
First off, configure the kernel with netfilter support. To allow adding rules based on IP filtering like black listing IP addresses based on a live feed, do not forget to add IPSet support to the kernel and merge the package.

Client
For client computers some basic options need to be activated in the kernel. This configuration does not provide network address translation or any other high sophisticated features. In "Network packet filtering framework" only the tables "filter" are needed with connection tracking support and with REJECT target support.

Router
Activate the following kernel options:

One can setup the IPv6 support category as modular () to be safe and enable almost all Netfilter sub-categories as well. Or, enable only what is needed and leave the other modules unset. A number of settings are almost always needed:


 * IP virtual server support core components (scheduler are certainly optional)
 * IP: Netfilter Configuration support
 * IPv6: Netfilter Configuration for IPv6 support
 * IP set support for IP filtering based on IP, MAC, ports
 * pick up what is needed in Core Netfilter Configuration with at least:
 * Netfilter: NFQEUE, LOG;
 * Connection tracking: flow, mark, events, netlink;
 * Netfilter Xtables: NFQEUE, LOG, conn{bytes,mark,state}, state helper with Xtables match: conn{bytes,mark,state}...

Emerge
Install iptables:

First run
For some services such as sshguard and fail2ban a running firewall is mandatory. First save a blank firewall rule set and start the firewall.

IPv4
To start on boot:

IPv6
To start on reboot:

General rules
To create firewall rules, the or  commands in the next set of examples will be defined through   or. When the rules are saved, they are usually stored in or. This allows the firewall service to reload the rules at boot time.

Let's begin with a little example:

This will implement a fairly strong firewall: it will drop every packet that will be sent to the host (as this matches the INPUT chain).

The following examples show how firewall rules are further generated.

Stateless firewall
Traditional firewalls use stateless firewall rules like so:

That simply allows the local port 80 to accept traffic ( configures the destination port), which usually implies HTTP servers as those generally listen on port 80).

Stateful firewall
In a stateful firewall approach, the previous example would be handled like so:

By default, everything will be dropped like a hot potato. However, incoming traffic might be accepted based on the connection state of the packets (starting with NEW and further allowing all established/related traffic). Performance-wise, it would even be better to place the last line before the second to avoid going into complicated filtering chains for already related and established connections.

This is how a stateful firewall operates to avoid opening unneeded holes and accept in/outbound packets based on the state of the packets.

Generating firewall rules for client
A script as simple as shown below should be sufficient for most client computers. Store it in a safe place such as ~/firewall. It is only needed for first-time initialization of the firewall rules.

An example of a more sophisticated rule set with logging is shown in this forum discussion.

Generating firewall rules for server
This section will try to build up your above script with a set of rules for common external-facing services. Append these to ~/firewall.

I highly recommend adding ssh rules below if you are working on a remote server through ssh.

After saving your desired firewall rules.

This will load your firewall rules into iptables and ip6tables.

Will save your iptables and ip6tables so they are available the next time iptables service is loaded.

If you need to add a rule. Run it in the command prompt (like individual rules in ~/firewall).

Also add it to ~/firewall if you are sure if you ever reset your firewall, you want those settings back in.

Once satisfied run:

Also. If anything ever goes drastically wrong. You may reset your filewall settings by running ~/firewall, proceeded by the above save.

IPv4
Print all rules (similar to )ː

Like every other command, it applies to the specified table (of which   is the default), so NAT rules get listed byː

IPv6
Print all rules (similar to )ː

Like every other command, it applies to the specified table (of which   is the default), so NAT rules get listed byː

Migration to nftables
All tools to export and translate to nftables are part of the iptables package. The migration requires the following steps in general :


 * 1) emerge iptables with USE flag nftables to add necessary tools
 * 2) export iptables rules to a file
 * 3) translate exported iptables rules to nftables rules
 * 4) replace iptables with nftables

If you are certain that the machine will either revert to iptables in case of errors or work correctly with the translated nftables rules:

External resources

 * Forums posting with ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
 * firewall-mv
 * IPv6