Most Linux systems on kernel 2.4 or higher will have Iptables built right in, so you don’t have to install any additional programs. (If your system is earlier than kernel 2.4, it will use Ipchains or Ipfwadm. These are similar systems, but they are not reviewed in this book.) You can issue Iptables statements from the command line or via a script (see the sidebar). To double-check that Iptables is installed, type iptables - L and see if you get a response. It should list your current rule set (which is probably empty if you haven’t configured a firewall yet).

If your system doesn’t have Iptables or if you want to get the latest version of the code, go to www.netfilter.org and download the RPM for your operating system. You can also get it from the CD-ROM that comes with this book.

If you don’t have a Webmin RPM on your installation disks, check www. webmin.com to see if there is a version of Webmin available for your operating system. Webmin is required for the Turtle Firewall, and there are specific versions for each distribution and operating system. If there isn’t one for your particular operating system, then you can’t use Turtle Firewall, but the list of supported systems is quite large. Click on the RPM file in X-Windows and it will install automatically.

Using Iptables

The idea behind Iptables and Ipchains is to create pipes of input and process them according to a rule set (your firewall configuration) and then send them into pipes of output. In Iptables, these pipes are called tables; in Ipchains, they are called chains (of course!). The basic tables used in Iptables are:

• Input
• Forward
• Prerouting
• Postrouting
• Output

The general format of an Iptables statement is

iptables command rule-specification extensions

where command, rule-specification, and extensions are one or more of the valid options. Table 3.2 lists the Iptables commands, and Table 3.3 contains the Iptables rule specifications.

Table 3.2 Iptables Commands

Commands	Descriptions
-A chain	Appends one or more rules to the end of the statement.
-I chain rulenum	Inserts chain at the location rulenum. This is useful when you want a rule to supercede those before it.
-D chain	Deletes the indicated chain.
-R chain rulenum	Replaces the rule at rulenum with the provided chain.
-L	Lists all the rules in the current chain.
-F	Flushes all the rules in the current chain, basically deleting your firewall configuration. This is good when beginning a configuration to make sure there are no existing rules that will conflict with your new ones.
-Z chain	Zeros out all packet and byte counts in the named chain.
-N chain	Creates a new chain with the name of chain.
-X chain	Deletes the specified chain. If no chain is specified, this deletes all chains.
-P chain policy	Sets the policy for the specified chain to policy.

Table 3.3 Iptables Rule Specifications

Rule Specifications	Descriptions
-p protocol	Specifies a certain protocol for the rule to match. Valid protocol types are icmp, tcp, udp, or all.
-s address/mask!port	Specifies a certain address or network to match. Use standard slash notation to designate a range of IP addresses. A port number or range of port numbers can also be specified by putting them after an exclamation point.
-j target	This tells what to do with the packet if it matches the specifications. The valid options for target are: DROP   Drops the packet without any further action. REJECT  Drops the packet and sends an error packet in return. LOG      Logs the packet to a file. MARK    Marks the packet for further action. TOS    Changes the TOS (Type of Service) bit. MIRROR   Inverts the source and destination addresses and sends them back out, essentially “bouncing” them back to the source. SNAT       Static NAT. This option is used when doing Network Address Translation (NAT). It takes the source address and converts it into another static value, specified with the switch --to-source. DNAT        Dynamic NAT. Similar to above but using a dynamic range of IP addresses. MASQ        Masquerades the IP using a public IP. REDIRECT   Redirects the packet.

There are other commands and options but these are the most common operations. For a full listing of commands, refer to the Iptables man page by typing man iptables at any command prompt.
Creating an Iptables Firewall

The best way to learn is to do, so let’s walk through a couple of commands to see how they are used in practical application. Here is an example of how to create a firewall using Iptables. You can enter these commands interactively (one at a time) to see the results right away. You can also put them all into a script and run it at boot time to bring your firewall up at boot time (see the sidebar on writing scripts). Remember to type them exactly as shown and that capitalization is important.