Understanding Firewalls: Concepts, Types, and Linux iptables Explained
This article introduces firewall fundamentals, traces their evolution, compares network, application, and database firewalls, explores Linux firewall implementations with iptables and Netfilter, and discusses performance metrics, limitations, and practical use cases for securing enterprise networks.
1. Firewall Concept
The firewall, sometimes also called a protective wall, was invented by Gil Shwed, founder of Check Point, in 1993 and introduced to the Internet (US5606668 (A), 1993-12-15).
It is a network security system placed between internal and external networks, enforcing information security by allowing or restricting data transmission according to specific rules.
In networking, the firewall filters communication packets that carry data.
A firewall separates the internal network from the public Internet, acting as an isolation technique. It enforces access control, permitting approved traffic while blocking unwanted traffic, and thereby keeps attackers on the outside from reaching the internal network.
2. Development History
Firewalls have gone through four development stages since their inception:
Router-based firewalls
User-oriented firewall toolkits
Firewalls built on general-purpose operating systems
Firewalls with dedicated security operating systems (e.g., NETEYE, NETSCREEN, TALENTIT)
3. Basic Types of Firewalls
Network-layer Firewall
A network-layer firewall works as an IP packet filter inside the TCP/IP stack: it passes only packets that match its rules and drops all others. It cannot, however, detect viruses carried inside packets it permits.
Application-layer Firewall
Operating at the application layer of the TCP/IP stack, it intercepts all packets entering or leaving a specific application (e.g., web browsers, FTP) and can drop unwanted packets, in theory blocking all unsolicited external traffic to the protected machines.
Database Firewall
A database firewall analyzes and controls database protocol traffic, enforcing access control, blocking dangerous operations, and auditing suspicious behavior. It inspects SQL protocols, permits legitimate SQL commands, blocks illegal operations, and provides SQL injection prevention and virtual patching.
4. Linux Firewall
Linux firewalls are widely used in enterprises, with examples such as:
SMBs and internet cafés using iptables as NAT routers to reduce costs.
IDC data centers replacing hardware firewalls with Linux firewalls.
Combining iptables with Squid to create transparent proxies without client configuration.
Using iptables extensions to block P2P traffic and prohibited web pages.
Mapping external IPs to internal IPs with iptables.
Mitigating lightweight DoS attacks like ping floods and SYN floods.
In summary, iptables can operate in two modes: host firewall and NAT router.
5. Basic Principles
Firewall processing can be divided into the following layers:
Packet filtering: works at the network layer, decides based on IP address, port, protocol, etc.
Application proxy: works at the application layer, uses proxy programs to inspect data.
Stateful inspection: works at layers 2–4, evaluates entire connections using rule and state tables.
Complete content inspection: works across layers 2–7, analyzes packet headers, states, and application-layer protocols for thorough threat detection.
6. Netfilter and iptables
Netfilter, proposed by Rusty Russell for the Linux 2.4 kernel, provides a flexible firewall framework supporting packet filtering, NAT, MAC filtering, stateful inspection, rate limiting, and more. iptables is the user-space tool that configures Netfilter's rule tables.
In other words, Netfilter is the kernel component that actually filters packets, while iptables is the command-line program that manages the kernel's rule sets (tables, chains, rules). Similar front ends include firewalld.
Although many associate firewalls with iptables, the filtering itself is performed by Netfilter; iptables merely programs Netfilter.
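As an added example that is not code from the original article, the following POSIX shell script renders an iptables-restore ruleset that puts the concepts from sections 4 to 6 together on one Linux box: the host-firewall and NAT-router roles, stateful inspection through the conntrack state table, mapping an external port to an internal host, and rate limits against ping floods and SYN floods. The interface names eth0/eth1, the LAN network 192.168.1.0/24, the internal host 192.168.1.10, and the function names render_ruleset and apply_ruleset are assumptions for illustration; the script only prints the ruleset unless it is run with --apply as root on the router itself.

```shell
#!/bin/sh
# Added example, not from the original article: render an iptables-restore
# ruleset for one Linux box playing both roles the article names, host
# firewall and NAT router. Interfaces, addresses and function names are
# assumptions for illustration.

# render_ruleset WAN_IF LAN_IF LAN_NET INTERNAL_HOST
# Prints the complete ruleset for the filter and nat tables to stdout.
render_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"; int_host="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_GUARD - [0:0]
# Stateful inspection: packets belonging to a tracked connection are accepted
# from the state table instead of being re-evaluated rule by rule.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Ping-flood mitigation: echo requests above the limit are dropped.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# SYN-flood mitigation: every new TCP connection attempt passes through SYN_GUARD first.
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j SYN_GUARD
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A SYN_GUARD -m limit --limit 50/second --limit-burst 100 -j RETURN
-A SYN_GUARD -j DROP
# NAT-router role: LAN hosts may open connections outward; only replies return.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
# The one inbound service that is mapped to an internal host (see the nat table).
-A FORWARD -i $wan -o $lan -d $int_host -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# External port 8080 on the WAN side maps to port 80 on the internal host.
-A PREROUTING -i $wan -p tcp --dport 8080 -j DNAT --to-destination $int_host:80
# LAN traffic leaving through the WAN interface is rewritten to the router's address.
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# apply_ruleset WAN_IF LAN_IF LAN_NET INTERNAL_HOST
# Loads the ruleset atomically; only meaningful as root on the router itself.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_ruleset "$@" | iptables-restore
}

# Usage: ./fw.sh [--apply] [WAN_IF LAN_IF LAN_NET INTERNAL_HOST]
mode="${1:-}"
if [ "$mode" = "--apply" ]; then shift; fi
wan_if="${1:-eth0}"; lan_if="${2:-eth1}"
lan_cidr="${3:-192.168.1.0/24}"; web_host="${4:-192.168.1.10}"
if [ "$mode" = "--apply" ]; then
    apply_ruleset "$wan_if" "$lan_if" "$lan_cidr" "$web_host"
else
    render_ruleset "$wan_if" "$lan_if" "$lan_cidr" "$web_host"
fi
```

The default DROP policies on INPUT and FORWARD implement the access-control model from section 1: anything not explicitly permitted is discarded. The ESTABLISHED,RELATED rule is what makes the firewall stateful in the sense of section 5: return traffic for a connection the LAN opened is matched in the state table, so no per-service "allow replies" rules are needed. Loading through iptables-restore replaces the whole rule set in one step, which avoids the window of inconsistent rules that a sequence of individual iptables commands would leave.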
7. Performance
Key performance metrics include throughput, latency, packet loss rate, back-to-back transmission, and the maximum number of concurrent connections the firewall can handle.
8. Limitations
Firewalls cannot protect against attacks that bypass them entirely, cannot block harmful traffic that travels over ports the rules allow, and do little to prevent attacks or misuse originating inside the network.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.