Firewall Software for Linux
The Linux kernel's packet-filtering framework is netfilter; iptables is the user-space tool (together with its kernel modules) that installs rules at netfilter's hooks, so the two are layers of one system rather than an old and a new firewall. Because the filtering itself runs inside the kernel and iptables is the standard way to configure it, almost all firewall applications for Linux are simply graphical interfaces or simplifications of the notoriously complex iptables command line.
-
History
-
Modern iptables grew out of the netfilter project, a framework for intercepting and manipulating packets as they pass through the kernel's network stack. Its predecessors were ipfwadm in Linux 2.0 and ipchains in Linux 2.2; ipchains combined packet filtering with masquerading, an early form of Network Address Translation. The netfilter project was started in 1998 and shipped with iptables in Linux 2.4, replacing ipchains with a separate-table architecture (filter, nat, mangle, and later raw and security) in which each table's chains attach to particular netfilter hooks. This allowed very specific manipulation of packets. Today iptables is available on nearly every Linux machine and provides the backbone for most firewall suites for the Linux operating system.
Complexity
-
Interacting with iptables directly means working from the command line. Rules are added to chains (INPUT, OUTPUT, FORWARD and any user-defined chains) within tables; "iptables -L -v -n" lists the chains of the filter table, and "-t nat" or "-t mangle" selects another table. Rules in a chain are evaluated top to bottom and the first match with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, so rule order matters: a broad DROP placed above a specific ACCEPT silently makes the ACCEPT unreachable. An incorrect value, or a default-deny policy applied before the rule that permits administrative access, can interrupt running services or lock the administrator out of a remote machine. The complexity of command-line interaction with iptables has led many to use graphical configuration consoles, and fluency with iptables on the command line is regarded even by professional network staff as an impressive skill.
-
Graphical Tools
-
There are dozens of firewall tools that provide graphical interfaces for configuring iptables. Some of the most popular are fwbuilder, Turtle Firewall Project, Easy Firewall Generator and bifrost. Most Linux distributions have an extensive list in their software repositories if you search for iptables. The varied needs of users have led to tools ranging from rudimentary to highly complex. For first-time users who want to learn how to manipulate tables from the command line, configuring the firewall through a graphical front end and then reading the rules it saves (typically in the text format written by iptables-save and read back by iptables-restore) is one of the easiest ways to learn.
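As an added example covering both the ordering rules described under Complexity and the saved-rules format mentioned above (this is illustrative code written for this page, not code from the original article or from the netfilter project), the script below prints a small default-deny INPUT ruleset in the iptables-save/iptables-restore text format, prints a second ruleset that reproduces the classic "drop everything, then allow SSH" lockout, and runs a plain-text check over each. The rulesets are constructed sample input, the port number 22 in the check is an assumed parameter, and the check_order function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the page or the netfilter project. Both rulesets
# below are constructed sample input in iptables-save/iptables-restore format.

# emit_ruleset prints a correctly ordered ruleset. Within a chain the first
# terminating match (ACCEPT, DROP, REJECT) wins, so loopback, established
# connections and the SSH rule come first; anything else falls through to the
# LOG rule and then to the INPUT chain's DROP policy.
emit_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# emit_misordered_ruleset reproduces a common lockout: a catch-all DROP is
# placed above the SSH ACCEPT, so the ACCEPT is never reached.
emit_misordered_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# check_order reads a ruleset on stdin and exits with:
#   0  ordering looks sane
#   1  an INPUT ACCEPT rule sits below a catch-all "-A INPUT -j DROP|REJECT"
#   2  INPUT policy is DROP but no rule accepts TCP port 22 (remote lockout)
# Port 22 is an assumed parameter for this example; adjust for other access.
check_order() {
  awk '
    /^:INPUT DROP/                { policy_drop = 1 }
    /^-A INPUT -j (DROP|REJECT)/  { catchall = 1; next }
    /^-A INPUT .*-j ACCEPT/ {
      if (catchall) unreachable = 1
      if ($0 ~ /--dport 22([^0-9]|$)/) ssh = 1
    }
    END {
      if (unreachable)         exit 1
      if (policy_drop && !ssh) exit 2
      exit 0
    }'
}

# Stand-alone run: report a verdict for each constructed ruleset.
for name in emit_ruleset emit_misordered_ruleset; do
  rc=0
  "$name" | check_order || rc=$?
  case $rc in
    0) echo "$name: ok" ;;
    1) echo "$name: ACCEPT rule is unreachable below a catch-all DROP/REJECT" ;;
    2) echo "$name: INPUT policy DROP without an SSH ACCEPT rule" ;;
  esac
done

# To apply the good ruleset for real (root required; not run here):
#   emit_ruleset > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

The text check is deliberately narrow: it only recognises a bare "-A INPUT -j DROP" or REJECT as a catch-all and only looks for port 22, so it catches the two mistakes the text warns about rather than validating arbitrary rulesets. Running "iptables-restore --test" before the real restore catches syntax errors without touching the live firewall, but it cannot tell you that a rule is unreachable; that is exactly why reading a saved ruleset top to bottom, as suggested above, is worth the effort.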
Future
-
Like ipfwadm and ipchains before it, iptables is being superseded. Its rules are currently divided among four separate tools: iptables for IPv4, ip6tables for IPv6, arptables for ARP and ebtables for Ethernet bridging. nftables, developed by the same Netfilter project, combines all four behind a single nft command and a single rule syntax, including an "inet" family that applies one ruleset to both IPv4 and IPv6. Although nftables was still an alpha project when this was written, it has since been merged into the mainline kernel (Linux 3.13), and an iptables-nft compatibility layer lets existing iptables syntax be stored as nftables rules. Users should still take time to learn iptables, since the same configuration principles (tables, chains, ordered rules, default policies) carry over to nftables.
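To show how those principles migrate, here is an added example (written for this page, not taken from the original article or the nftables project) that expresses a default-deny input policy once in nftables syntax, using the "inet" family so one ruleset covers IPv4 and IPv6 where iptables would need parallel iptables and ip6tables rulesets. The ruleset is a constructed sample; the helper names families_covered and hook_policy are this example's own.

```shell
#!/bin/sh
# Added example, not from the page or the nftables project. The ruleset is a
# constructed sample in nft syntax, loadable with "nft -f".

# emit_nft_ruleset prints one inet table. The chain "hook" and "policy"
# play the roles of the iptables built-in chain and its default policy;
# rules are still evaluated top to bottom with the first verdict winning.
emit_nft_ruleset() {
  cat <<'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    tcp dport 22 ct state new accept
    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    log prefix "nft-drop: " level warn
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# families_covered reads an nft ruleset on stdin and prints how many of the
# two IP address families it configures: an "inet" table counts for both,
# while "ip" and "ip6" tables each cover only one.
families_covered() {
  awk '
    /^table inet / { v4 = 1; v6 = 1 }
    /^table ip /   { v4 = 1 }
    /^table ip6 /  { v6 = 1 }
    END { print v4 + v6 }'
}

# hook_policy prints "<hook> <policy>" for every base chain, so the default
# policies can be reviewed without loading the ruleset into the kernel.
hook_policy() {
  awk '/type filter hook/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "hook")   hook = $(i + 1)
      if ($i == "policy") { pol = $(i + 1); sub(/;$/, "", pol) }
    }
    print hook, pol
  }'
}

# Stand-alone run: show the base chains and their default policies.
emit_nft_ruleset | hook_policy
echo "address families covered: $(emit_nft_ruleset | families_covered)"

# To apply for real (root required; not run here). "nft -c -f" only checks
# the file, "nft -f" loads it atomically as a whole:
#   emit_nft_ruleset > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
```

Two things differ from the iptables version beyond syntax: the ICMPv6 neighbour-discovery types must be accepted explicitly or IPv6 stops working behind a drop policy (ip6tables users hit the same requirement, but in a separate ruleset that is easy to forget), and "nft -f" replaces the ruleset in one transaction, so a file that fails "nft -c" never partially applies.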
-