Unlocking Linux Netfilter: How the Kernel’s Packet Filter Works and How to Configure iptables

Imagine the Linux networking stack as a bustling city where data packets are vehicles; Netfilter acts as the traffic police, deciding which packets may pass and which must be blocked.

1. Netfilter Overview

Introduced in Linux 2.4, Netfilter is a generic, abstract framework that provides hook functions for packet filtering, NAT, and connection tracking, giving administrators fine‑grained control over network traffic.

It inserts five hook points—NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT, and NF_IP_POST_ROUTING—where callback functions can inspect, modify, or drop packets.

Netfilter supports multiple protocol stacks (IPv4, IPv6, DECnet) and organizes rules into tables, chains, and individual rules.

2. Netfilter Working Principle

2.1 What is Netfilter

Netfilter is the kernel module that performs packet filtering, forwarding, and NAT. iptables is the user‑space utility used to add, modify, or delete Netfilter rules.

The three main concepts are:

Rule – a match specification and an action.

Chain – an ordered list of rules.

Table – a collection of chains with a specific purpose.

The five hook points are:

PRE_ROUTING – before routing decision.

LOCAL_IN – after routing, before delivery to local process.

LOCAL_OUT – before routing decision for locally generated packets.

FORWARD – for packets being routed through the host.

POST_ROUTING – after routing decision, before leaving the host.

2.2 What is iptables

iptables builds on Netfilter by attaching rules to the hook points. It defines four tables:

filter – default table for INPUT, OUTPUT, FORWARD chains.

nat – for source/destination NAT, attached to PREROUTING, POSTROUTING, OUTPUT.

mangle – for packet header modifications, usable on all chains.

raw – for bypassing connection tracking, attached to PREROUTING and OUTPUT.

3. Netfilter/iptables‑IPv4 Architecture

3.1 Hook Mechanism

Netfilter provides protocol‑independent hook functions that modules can register at any of the five points, allowing inspection or modification of packets.

3.2 iptables Core Data Structures

The central structure is struct ipt_table defined in include/linux/netfilter_ipv4/iptables.h:

struct ipt_table {
  struct list_head list;
  char name[IPT_TABLE_MAXNAMELEN];
  struct ipt_replace *table;
  unsigned int valid_hooks;
  rwlock_t lock;
  struct ipt_table_info *private;
  struct module *me;
};

Key fields: valid_hooks – bitmap of hook points the table listens to. me – prevents removal of a module still referenced by a rule.

The rule entry structure struct ipt_entry links a rule’s match and target:

struct ipt_entry {
  struct ipt_ip ip;
  unsigned int nfcache;
  u_int16_t target_offset;
  u_int16_t next_offset;
  unsigned int comefrom;
  struct ipt_counters counters;
  unsigned char elems[0];
};

Matches are stored in struct ipt_entry_match and actions in struct ipt_entry_target. Helper macros such as ipt_get_target(), IPT_MATCH_ITERATE(), and IPT_ENTRY_ITERATE() simplify traversal.

4. Adding iptables Rules

Basic syntax:

iptables -t <table> -A <chain> <match‑criteria> -j <action>

Common actions: ACCEPT, DROP, REJECT, SNAT, DNAT, REDIRECT.

5. Enterprise‑Level Firewall Configuration

Examples include:

Blocking all SSH (port 22) traffic: iptables -A INPUT -p tcp --dport 22 -j DROP Allowing a specific IP: iptables -I INPUT -s 10.0.0.1 -p tcp --dport 22 -j ACCEPT Restricting an entire subnet: iptables -A INPUT -s 172.16.1.0/24 -d 172.16.1.188 -j DROP Backup strategies (e.g., using sshpass on a CentOS server) and alternative tools like firewalld are also discussed.

6. Applications and Case Studies

Netfilter is used for firewalls, load balancing (via DNAT), VPN integration, and custom kernel modules that drop packets or filter specific protocols.

7. Advantages

High extensibility – modules such as ebtables, arptables, nftables extend functionality.

Clear four‑table, five‑chain architecture.

Rich configurability for filtering, NAT, and packet mangling.

Efficient hook‑based processing pipeline.

Fine‑grained control over traffic.

8. Limitations

State table uses hash‑linked lists, which can become a performance bottleneck under heavy load.

Some targets (e.g., logging) require multiple rule traversals, reducing efficiency.

Lacks built‑in features such as SYN proxy.

Difficult to implement per‑IP connection limits or advanced attack detection without additional modules.