Mastering Linux Netfilter: Core Tools and Their Functions
Netfilter, started by Rusty Russell in 1998 and merged into the Linux kernel in 2000, is a modular packet‑filtering framework: it places hooks in the network stack at which registered kernel code can filter packets, perform NAT, drop traffic and emit log records. It is driven from user space through tools such as ebtables, arptables, iptables/ip6tables, nftables, conntrack and ulogd, while the nf_log and nf_queue kernel mechanisms deliver log records and whole packets to user‑space programs.
Netfilter Overview
Netfilter is a Linux kernel subsystem started by Rusty Russell in 1998 and merged into the mainline kernel in March 2000, during the 2.3 development series that became 2.4. Its modular design inserts hooks at five points in the IPv4/IPv6 processing path (pre‑routing, local input, forward, local output and post‑routing), where registered kernel code can filter packets, rewrite addresses or ports (NAT), drop traffic and generate log events. Everything a user sees as a "firewall" is a set of rules evaluated at those hooks; the tools below differ mainly in which protocol family they address and in how their rules reach the kernel.
User‑space utilities interacting with Netfilter
ebtables : Manages rule tables for Ethernet frames passing through a Linux bridge. It follows the table/chain model of iptables but works at the data‑link layer, so rules match on MAC addresses, frame type and bridge ports rather than on IP headers.
arptables : User‑space interface for ARP rule tables in the kernel. Because ARP carries no authentication, a typical use is pinning which source MAC may announce a given IP address on a segment, a basic defence against ARP spoofing.
iptables / ip6tables : The classic tools for IPv4 and IPv6 packet filtering. Rules live in tables (filter, nat, mangle, raw, security) made of built‑in chains attached to the hooks (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) plus user‑defined chains. ip6tables keeps an entirely separate ruleset, so a host filtered only with iptables is still open over IPv6; on current distributions the iptables binary is often the iptables‑nft shim, which writes its rules into nf_tables.
nftables : The successor framework, merged in Linux 3.13 (2014), that replaces iptables, ip6tables, arptables and ebtables. A single nft utility and a single netlink interface (nf_tables) cover all address families; rulesets are loaded atomically from a file (nft -f) and can be syntax‑checked without touching the kernel (nft -c). Mixing legacy iptables rules and native nft tables on one host leaves two rulesets in play and is a common source of confusing behaviour.
conntrack : Command‑line interface to the connection‑tracking subsystem (from conntrack‑tools). It lists, filters, deletes and streams events for tracked flows and shows the NAT mapping each flow received, which makes it the first stop when debugging stateful rules or reconstructing who talked to whom during an incident.
ulogd : A user‑space logging daemon (ulogd2) that receives packets and flow events from the kernel over netlink (NFLOG and the conntrack event interface) and writes them through output plugins to text files, pcap, syslog, JSON or SQL databases.
nf_log : The kernel's logging back end for Netfilter. The LOG target/statement writes a one‑line summary to the kernel ring buffer; the NFLOG target (nft log group N) copies the packet to an nfnetlink_log multicast group, which ulogd2 or any other nfnetlink_log listener consumes. Rate‑limit either form: unbounded logging of dropped traffic is itself a denial‑of‑service vector.
nf_queue : Kernel mechanism (nfnetlink_queue, successor of the since‑removed ip_queue interface) that hands packets matched by NFQUEUE / queue to a user‑space program, which returns a verdict (accept, drop, or accept with a modified payload) per packet, typically through libnetfilter_queue. This is what makes user‑space firewalls and inline inspectors possible. Caveat: a queue with no listener drops the traffic unless the bypass flag is set, and every queued packet pays a kernel/user round trip.
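As an added example, not code from the original article, the following script expresses a minimal stateful host firewall as an nftables ruleset next to the equivalent legacy iptables commands, and runs the nft -c dry‑run check before applying. The admin network 10.0.0.0/24 and the choice of SSH as the only exposed service are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): a stateful host firewall as an nft
# ruleset, the equivalent legacy iptables commands, and a checked atomic load.
# ADMIN_NET and the exposed port are assumptions for illustration.

ADMIN_NET="10.0.0.0/24"   # assumption: the only network allowed to reach SSH

# Emit the ruleset as text so it can be dry-run checked and applied atomically.
# "flush ruleset" wipes EVERY table, including ones created by other tools
# (container runtimes, libvirt); drop that line if they must keep their rules.
nft_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback and flows conntrack already knows about
        iif lo accept
        ct state established,related accept
        ct state invalid counter drop

        # ICMP / ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        # new SSH sessions only from the admin network; anything else that
        # reaches this point is logged (rate limited) and dropped by the policy
        tcp dport 22 ip saddr $ADMIN_NET ct state new accept
        limit rate 5/minute log prefix "nft-input-drop: " counter
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# The same policy in legacy iptables syntax. Note this covers IPv4 only; the
# ip6tables ruleset is separate and would have to be written as well.
iptables_rules() {
cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "ipt-input-drop: "
EOF
}

# Syntax-check without touching the kernel (nft -c), then load atomically:
# either the whole ruleset replaces the old one or nothing changes.
apply_ruleset() {
    nft_ruleset | nft -c -f - || return 1
    nft_ruleset | nft -f -
}

# Run as root with NFT_APPLY=1 to load; otherwise only the functions are defined.
if [ "${NFT_APPLY:-0}" = 1 ]; then
    apply_ruleset
fi
```

iptables-translate, shipped with the nft-based iptables, prints the nft form of a single legacy rule and is a quick way to compare the two syntaxes rule by rule when migrating.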
Together these utilities form the backbone of Linux traffic control: administrators and developers can implement stateful firewall policy, NAT, logging and per‑packet user‑space inspection while the filtering itself runs in the kernel.
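The second added example, again not from the original article, covers the conntrack, ulogd/nf_log and nf_queue entries above: nft rules that hand traffic to user space over NFLOG (for ulogd2) and NFQUEUE (for a libnetfilter_queue client), the conntrack commands an operator reaches for, and a small parser over conntrack -L output that ranks sources by half-open flows. The group and queue numbers, addresses and the sample conntrack table are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the article): user-space hand-off rules via nf_log
# and nf_queue, everyday conntrack commands, and a parser of "conntrack -L"
# output. Group/queue numbers, addresses and the sample table are assumptions.

LOG_GROUP=2    # assumption: NFLOG group the ulogd2 NFLOG input plugin is bound to
QUEUE_NUM=0    # assumption: queue number the libnetfilter_queue client binds to

# "log ... group N" copies the packet to nfnetlink_log group N (read by ulogd2);
# "queue num N bypass" hands the packet to nfnetlink_queue N and, because of
# "bypass", lets it through instead of dropping it when no program is listening.
userspace_rules() {
cat <<EOF
table inet inspect {
    chain input {
        type filter hook input priority -10; policy accept;
        ct state new tcp dport { 22, 443 } log prefix "new-tcp: " group $LOG_GROUP
        ct state new udp dport 53 queue num $QUEUE_NUM bypass
    }
}
EOF
}

# conntrack commands an operator typically needs (root and conntrack-tools required)
show_flows()       { conntrack -L -p tcp --state ESTABLISHED; }  # list established TCP flows
watch_flows()      { conntrack -E -e NEW,DESTROY; }              # stream flow creation/teardown events
flush_host_flows() { conntrack -D -s "$1"; }                     # drop a source's flows so they re-match the ruleset

# Count [UNREPLIED] entries per original source address in "conntrack -L" output.
# A source with many half-open flows is scanning, flooding, or being spoofed.
unreplied_by_source() {
    awk '
        /\[UNREPLIED\]/ {
            # the first src= token is the original direction of the flow
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); count[$i]++; break }
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Constructed sample in "conntrack -L" format (not captured from a real host).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=52814 dport=443 src=93.184.216.34 dst=192.168.1.10 sport=443 dport=52814 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=40000 dport=22 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=22 dport=40000 mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.10 dst=10.0.0.6 sport=40001 dport=22 [UNREPLIED] src=10.0.0.6 dst=192.168.1.10 sport=22 dport=40001 mark=0 use=1
udp      17 29 src=192.168.1.20 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=192.168.1.20 sport=53 dport=5353 mark=0 use=1'

sample_report() { printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_by_source; }
live_report()   { conntrack -L 2>/dev/null | unreplied_by_source; }

# "sh inspect.sh live" reads the real table; with no argument it uses the sample.
if [ "${1:-sample}" = live ]; then live_report; else sample_report; fi
```

For the NFLOG rule to produce anything, the NFLOG input plugin in ulogd.conf must be bound to the same group number; for the NFQUEUE rule, a libnetfilter_queue program must bind queue 0 and return a verdict for every packet, otherwise only the bypass flag keeps DNS working.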
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.