Master Linux Network Security: Firewall, IDS, IPS, and iptables Deep Dive
This article outlines Linux network security fundamentals, covering firewall types and placement, intrusion detection and prevention systems, honeypots, vulnerability scanners, rootkits, and provides a detailed explanation of iptables/netfilter architecture, tables, chains, rules, and packet handling actions.
1. Linux Network Security Model
1. Firewall: a hardware or software component (or both) placed at a host or at the network edge that inspects inbound and outbound packets against defined rules and handles each packet accordingly.
Typical firewall devices:
Hardware firewall – a dedicated appliance positioned at the network entrance.
Software firewall – runs on the host within the TCP/IP stack, often in the kernel.
Firewall deployment locations:
Network layer – operates like a router, inspecting IP/TCP/UDP/ICMP headers to apply rules.
Application layer – inspects payload after stripping network and transport headers.
2. IDS (Intrusion‑Detection System)
HIDS (Host‑based IDS): e.g., OSSEC.
NIDS (Network‑based IDS): e.g., Snort, which can also act as a packet sniffer.
Filesystem‑level detection.
3. IPS (Intrusion-Prevention System): combines IDS detection with firewall enforcement actions.
4. Honeypot: a decoy system used to lure attackers and collect evidence of their activity.
5. Vulnerability scanning tools: Nessus, nmap, etc., used for system security assessment.
6. Rootkit: a low-level backdoor that embeds itself in the system and is difficult to detect; remediation usually requires reinstalling the OS.
2. iptables Working Mechanism
1. iptables / netfilter: a network-layer firewall framework with stateful connection tracking. iptables is the user-space tool for managing rules; the rules themselves are enforced by the kernel's netfilter subsystem.
2. Five hook points in the packet path (PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING) and four tables whose rules attach to them (filter, nat, mangle, raw).
Hook locations and the tables allowed at each:
PREROUTING – tables: raw, mangle, nat (destination NAT).
INPUT – tables: mangle, filter.
OUTPUT – tables: raw, mangle, nat, filter.
FORWARD – tables: mangle, filter.
POSTROUTING – tables: mangle, nat (source NAT).
Table‑chain mapping:
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, OUTPUT, POSTROUTING
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT
3. Rule actions (the target applied once a rule matches):
DROP – silently discard the packet.
REJECT – discard the packet and send an error response back to the sender (generally discouraged).
ACCEPT – allow the packet.
SNAT – source address translation.
DNAT – destination address translation.
REDIRECT – redirect the packet to a local port (port redirection).
LOG – log the packet and continue with the next rule.
RETURN – stop traversing the current chain and resume in the chain that jumped to it; in a built-in chain the chain policy then applies.
4. Protocol fields inspected:
IP: source IP (SIP), destination IP (DIP).
TCP: source port (SPORT), destination port (DPORT), flags.
ICMP: type (e.g., the echo messages used by ping).
5. TCP flag state machine (the original article includes a state diagram, not reproduced here):
TCP communication consists of flag exchanges and the state transitions they drive, which are key elements for rule matching.
6. Extended matching mechanisms:
time – match based on time of day.
application-layer protocol matching (e.g., QQ traffic).
string – match on sensitive strings in the payload.
state – connection-tracking state of the packet's flow (e.g., NEW, ESTABLISHED).
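To make the chain/table and rule-action model concrete, here is a small added example (not code from the article or from iptables itself): a toy model of how netfilter evaluates rules at the INPUT hook, with a constructed default-deny ruleset that uses a user-defined chain, a non-terminating LOG, RETURN and the state match. The packet fields, chain names and addresses are constructed for illustration.

```python
# Toy model of netfilter rule evaluation at the INPUT hook (constructed example, not code from
# the article). A rule matches when every field it names equals the packet's field; tables are
# consulted in hook order (mangle before filter) and a chain's policy is the fallback verdict.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
INPUT_TABLE_ORDER = ("mangle", "filter")

def rule(target, **match):
    return {"match": match, "target": target}   # no match fields -> matches every packet

def walk_chain(table, chain, pkt, log):
    """Return a terminating verdict, or None when the chain falls through (end or RETURN)."""
    for r in table["chains"].get(chain, []):
        if not all(pkt.get(k) == v for k, v in r["match"].items()):
            continue
        target = r["target"]
        if target == "LOG":
            log.append(f"{chain}: {pkt}")        # LOG is non-terminating: keep going
        elif target == "RETURN":
            return None                          # resume in the calling chain
        elif target in TERMINATING:
            return target
        else:                                    # jump to a user-defined chain
            verdict = walk_chain(table, target, pkt, log)
            if verdict is not None:
                return verdict
    return None

def input_hook(tables, pkt, log):
    """Run pkt through every table hooking INPUT; DROP/REJECT in any table ends traversal."""
    for name in INPUT_TABLE_ORDER:
        if name in tables:
            t = tables[name]
            verdict = walk_chain(t, "INPUT", pkt, log) or t["policy"].get("INPUT", "ACCEPT")
            if verdict != "ACCEPT":
                return verdict
    return "ACCEPT"

# Constructed ruleset: default-deny INPUT; allow established flows and ping; SSH only from one
# admin host, other new SSH attempts are logged and RETURNed to INPUT, where the policy drops them.
TABLES = {"filter": {
    "policy": {"INPUT": "DROP"},
    "chains": {
        "INPUT": [rule("ACCEPT", state="ESTABLISHED"),
                  rule("SSH_IN", proto="tcp", dport=22, state="NEW"),
                  rule("ACCEPT", proto="icmp")],
        "SSH_IN": [rule("ACCEPT", sip="10.0.0.5"), rule("LOG"), rule("RETURN")],
    },
}}
```

Calling input_hook(TABLES, pkt, log) with a new SSH packet from 10.0.0.5 returns ACCEPT, while the same packet from any other source is appended to log and then dropped by the INPUT policy once SSH_IN returns.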
For detailed iptables commands and examples, see the follow‑up article.
MaGe Linux Operations