A firewall is a network security device that monitors and regulates network traffic based on predefined security rules. It forms a vital part of the network security system, separating the trusted network from an untrusted network such as the Internet. You may need a firewall not only to protect your servers and clients against attacks coming from the Internet but also to prevent unprivileged users from accessing your mission-critical systems.
After defining a firewall, it is worth briefly summarizing its evolution.
A packet filter is a first-generation network firewall that inspects packets sent between computers. It can filter packets by source and destination IP address, protocol, and source and destination port.
Second-generation firewalls, also known as stateful firewalls, not only filter packets but also keep track of particular communications between endpoints by remembering which port numbers the two IP addresses use for their connection at layer 4 (the transport layer) of the OSI model. As a result, these firewalls can examine the overall exchange between the nodes.
Next-generation firewalls provide application/Layer 7 filtering. The main advantage of application layer filtering is that it can detect certain applications and protocols. This allows next-generation firewalls to detect whether a permitted protocol is being exploited, or to identify undesired applications or services running on a non-standard port. The main features of next-generation firewalls are as follows.
Standard firewall capabilities like stateful inspection.
Web/content filtering
Application awareness and control to see and block malicious applications.
Integrated intrusion detection and prevention.
Threat intelligence sources.
Methods for dealing with changing cyber threats.
Today, hackers use advanced methods such as intrusions, viruses, spyware, worms, Trojans, adware, keyloggers and malicious mobile code (MMC) to attack their targets. Packet filtering alone is therefore not enough to prevent these modern cyber threats, and a next-generation firewall is a must for every company and even for home users.
An open source firewall is best known for protecting the network from threats by filtering inbound and outbound traffic, and so ensuring network security.
Nowadays, open source firewalls with application layer filtering capabilities are widely deployed, especially in home, education, start-up and small-scale industry networks.
In this article we will look at some of the best open-source firewalls that can improve your network security and cover the following topics deeply:
What is an open source firewall and why should you use it?
What are the best/top 5 open source firewalls?
What is OPNsense and its features? And installation of OPNsense.
What is IPFire and its features? And installation of IPFire.
What is Untangle NG and its features?
What is pfSense® software and its features? And installation of pfSense.
What is Iptables and its features?
What is Open Source Firewall and Why It is Used?
The term open source initially referred to open source software (OSS), which is meant to be publicly accessible: anyone can examine, alter, and share the source code.
When a person or organization releases their original application under an open source license, they agree to:
Make the whole source code of the software publicly available
Allow anyone to change, enhance, or re-engineer the code of a software
Allow derivative works to be created
Allow the application to be used for any purpose the user desires
An open source license lets developers share their knowledge with each other, and the entire open source community benefits from the collective innovation.
The Internet's essential functions are based on open source technologies, and a large number of Internet applications are open source too. Large Internet corporations like Facebook and Google have even given the open source community access to some of their private ideas.
Many of the technologies we take for granted today would not have developed if open source licenses had not been available, or would have been locked away behind patent law. The open source movement is responsible for the rapid advancement of technology over the last few decades.
The main advantages of open source software are as follows:
Lower cost: Open source licensing provides the code for free; what you pay for when you use an open source firewall is support, security hardening, and assistance with interoperability management.
Open collaboration: Because open source communities are active and very helpful, you can find assistance, resources, and perspectives that extend beyond a single interest group or company.
Reliability: Proprietary code is dependent on a single author or company to keep it updated, patched, and operational. Because open source code is constantly updated by active open source communities, it outlives its original authors. Open standards and peer review ensure that open source code is thoroughly and frequently tested.
Flexibility: Because of its emphasis on modification, open source code can be used to address problems that are unique to your business or community. You are not obligated to use the code in any particular way, and you can rely on community assistance and peer review when implementing new solutions.
Review: Because the source code is freely available and the open source community is very active, developers actively check and improve on open source code. Consider it living code, as opposed to closed code that becomes stagnant.
Transparency: You can check and track changes in the open source code by yourself, rather than relying on vendor promises.
No vendor dependency: You can take your open source code with you wherever you go and use it for whatever you want, whenever you want.
An open source firewall is a firewall that is developed and distributed under an open source license. It protects the network from threats by filtering inbound and outbound traffic and ensures network security.
Open source firewalls have all the benefits of open source software described above as well. There is no doubt that you can protect one of your most valuable assets with an open source firewall.
There is a wide range of open-source firewall software to choose from, depending on your level of expertise, the size of the infrastructure to be protected, ease of use, and even whether the firewall has a graphical interface.
In no particular order, this article highlights the best open-source firewalls available. You can easily download and deploy all of these firewalls on any hardware, virtual platform, or cloud. Moreover, many sell them with pre-configured appliances if you like their functions or support and do not want to build your own device.
The Best Open Source Firewalls to Protect Your Network
Open source operating systems such as Linux, FreeBSD, and OpenBSD have a vast number of networking and security features built in. As a result, they are natural platforms for developing security products, and the majority of commercial firewalls are built on one of them.
There are numerous options available, ranging from tiny embedded systems for broadband wireless routers to massive enterprise firewalls with all the bells and whistles from free community support to paid commercial support.
If you are a home user or have a small business which does not have enough budget for expensive commercial firewalls, you may use the open source firewall on your network without any hesitation.
In this article, we will be discussing briefly the best open source software firewalls that can be used as both home network security and enterprise network security solutions. Some of the open source firewalls listed below have features and capabilities comparable to expensive commercial firewall solutions. So, many companies deploy them as their main network security solution at a fraction of the cost.
These are some of the best Open Source Firewall solutions available to protect your IT infrastructure:
OPNsense
IPFire
Untangle
pfSense
IPtables
1- OPNsense Firewall
OPNsense is a FreeBSD-based open source firewall and a fork of pfSense and m0n0wall. It is compatible with 32-bit or 64-bit system architectures and is available to download as an ISO image or USB installer. It provides a GUI available in multiple languages, such as French, Italian, Russian, Chinese and Japanese. OPNsense has many enterprise-level security and firewall features like 2FA, NetFlow, proxy, web filter, QoS, IPsec, VPN, etc. It also uses an inline intrusion prevention system with deep packet inspection to detect and prevent network intrusions. Another important feature is that it offers weekly security updates.
In this section, we will give information about:
What is OPNsense?
Features of the OPNsense firewall
OPNsense firewall installation
Zenarmor (Sensei) plugin of the OPNsense firewall
What is the OPNsense Firewall?
Figure 1. OPNsense Web GUI with Zenarmor (Sensei) Plugin
OPNsense is an open source, easy-to-build and easy-to-use HardenedBSD-based firewall and routing platform. The OPNsense project was founded by Deciso, a company in the Netherlands that makes hardware and sells support packages for the OPNsense firewall. OPNsense began as a fork of pfSense® software and m0n0wall in 2014, with its first official release in January 2015. When m0n0wall was decommissioned in February 2015, its creator, Manuel Kasper, directed its developer community to OPNsense, and the project continues to build a large community with thousands of supporters.
OPNsense provides weekly security updates in small increments to respond to new emerging threats in a timely manner. It also has a fixed release cycle of two major releases per year.
"Our mission is to make OPNsense the most widely used open source security platform. We give users, developers and business a friendly, stable and transparent environment. The project's name is derived from open and sense and stands for: 'Open (source) makes sense.'" - Deciso
How to Install OPNsense Firewall?
The installation of the OPNsense firewall is straightforward. You can easily install it either on your Proxmox VE by following the instructions in the OPNsense Installation Tutorial, or on a PC from USB as explained in the How to Install OPNsense from USB tutorial.
Features of OPNsense Firewall
OPNsense has many features intended for advanced users. Administrators can use the OPNsense firewall to configure network flow monitoring, full mesh VPN routing, WAN load balancing, HTTP load balancing, and much more.
OPNsense's feature set includes high-end features like forward caching proxy, traffic shaping, intrusion detection, and simple OpenVPN client setup.
The emphasis on security in OPNsense results in unique features such as the ability to use LibreSSL instead of OpenSSL (selectable in the GUI) and a custom version based on HardenedBSD.
OPNsense's reliable and robust update mechanism enables it to provide critical security updates in a timely manner.
It also includes reporting and analysis capabilities. You can monitor network traffic and optimize network performance.
One of the best aspects of OPNsense is that it exposes all of its functionalities through a web-based interface that is easy to use and available in multiple languages.
OPNsense implements a stateful firewall and allows administrators to group firewall rules by category, which is useful for more complex network configurations.
OPNsense has an Inline Intrusion Prevention System which is a powerful form of deep packet inspection. Rather than simply blocking an IP address or port, OPNsense can inspect individual data packets and, if necessary, block them before they reach the sender.
Core features of the OPNsense firewall are summarized in the following list.
Stateful inspection firewall
Intrusion Detection and Prevention
Traffic Shaper
Forward Caching Proxy (transparent) with Blacklist support
Virtual Private Network (site to site & road warrior, OpenVPN & legacy PPTP, IPsec support)
High Availability & Hardware Failover ( with configuration synchronization & synchronized state tables)
Two-factor Authentication throughout the system
Captive portal
Built-in reporting and monitoring tools including RRD Graphs
Netflow Exporter
Network Flow Monitoring
Support for plugins
DHCP Server and Relay
DNS Server & DNS Forwarder
Dynamic DNS
Encrypted configuration backup to Google Drive
Granular control over state table
802.1Q VLAN support
Zenarmor Plugin for OPNsense Firewall
OPNsense has a rich plugin collection that provides network security professionals the opportunity to extend their OPNsense nodes with additional functionality. All plugins can be easily installed on the firewall. Some of these are maintained and supported by the OPNsense team, while others are maintained and supported by the community or directly by businesses.
Plugins can do the following:
Allow custom start, stop and early scripts
Persistent /boot/loader.conf modifications
Additional themes for the web GUI
Create new authentication methods to be used within other subsystems
Provide other types of devices and interfaces to the firewall
Modify the access control lists, menu and themes
Add additional server software and their respective GUI pages
Pull in additional packages that will update automatically
Enhance the backend services with additional work tasks
The OPNsense Web GUI shows all plugins for production use in the firmware page and the pkg tool shows all packages (all Plugins are named os-pluginname).
One of the most important and useful OPNsense plugins is Zenarmor, which provides application control and web filtering to protect the network infrastructure. We cover the Zenarmor plugin features briefly in this article; please refer to the official documentation for more information.
What is Zenarmor?
Zenarmor is an all-software instant firewall that can be deployed virtually anywhere. For open-source firewalls, Zenarmor provides cutting-edge, next-generation firewall features that are not currently available in products like OPNsense. If you want to use an open-source firewall and need features like Application Control, Network Analytics, and TLS Inspection, Zenarmor provides these features and more.
Since Zenarmor has an appliance-free, all-in-one, all-software, lightweight, and simple architecture, it can be instantly deployed onto any platform that has network access. You can install Zenarmor on a virtual machine or on bare metal, on-premises or on any cloud platform.
Zenarmor is fully integrated into the OPNsense Web User Interface and basically upgrades OPNsense into a Next Generation Firewall.
How to Install Zenarmor?
You can easily install the Zenarmor plugin on your OPNsense firewall web UI by following these steps.
- Log in to your OPNsense web GUI using an account with administrative access, such as root.
- Navigate to System -> Firmware -> Plugins.
- Click on the + icon next to os-sunnyvalley to install the plugin. Once the vendor plugin is installed, you should see the Zenarmor plugin available in the list of plugins as os-sensei.
- Click the + icon next to os-sensei to install the plugin.
- After installing Zenarmor, you should see the Zenarmor menu in the left sidebar of the OPNsense web interface.
- You will need to complete the Initial Configuration Wizard for Zenarmor to be fully operational. After you complete the initial configuration of Zenarmor on OPNsense, you can define Zenarmor policies to protect your network.
Although the preferred method of Zenarmor installation is the web interface, you can also install the plugin using the command line interface via SSH or direct system access.
Features of Zenarmor
Zenarmor is based on a state of the art security technology developed by Sunny Valley Networks. It is a very lightweight yet powerful packet inspection core that can provide a wide variety of enterprise-grade network security functions. Features of Zenarmor are given below.
Application Control
Cloud Application Control (Web 2.0 Controls)
Web Filtering and Security
Advanced Network Analytics
Real-time Cloud Threat Intelligence based blocking
Cloud Centralized management & reporting
Encrypted Threats Prevention (All-ports full TLS Inspection (for every TCP port, not just HTTPS) *Coming soon)
User-based Filtering and Reporting
Active Directory Integration
Policy based filtering and QoS
Application / Web category based Traffic Shaping and Prioritization
For detailed information about the Zenarmor features, you may view the official product documentation.
2- IPFire
Figure 2. IPFire Web GUI
IPFire is an easy-to-use, open-source stateful firewall that is built on top of Netfilter and trusted by thousands of companies worldwide. It is designed to be modular and highly flexible, with great customization options. You can use it not only as a firewall, but also as a proxy server or VPN gateway depending on your configuration. Another important feature is its built-in IDS to detect attacks. Moreover, the Guardian plugin lets you implement automatic prevention.
In this article, we will cover the following topics briefly.
What is IPFire?
IPFire features
IPFire installation
What is IPFire?
IPFire is a fortified, flexible, cutting-edge Open Source firewall based on Linux. Its ease of use, high performance in all scenarios, and extensibility make it suitable for all users.
IPFire began as a fork of IPCop and has been completely rewritten on the basis of Linux From Scratch since version 2. It allows the installation of add-ons for the addition of server services, which can be extended into a SOHO server.
You can deploy IPFire on a wide variety of hardware, including ARM devices such as the Raspberry Pi.
How to Install IPFire?
In less than half an hour, you can install your IPFire firewall using a guided console dialog. To learn how to install the IPFire firewall, you may refer to the IPFire Installation Tutorial written by Sunny Valley Networks.
Features of IPFire
In this subsection, we will first discuss the most valuable features of IPFire deeply and then list all features including the additional services.
One of the most significant advantages of the IPFire is its modular structure, which allows you to run it with exactly what you need and nothing more. The package manager makes it simple to configure all features and update them. IPFire has been designed to be adaptable to any existing security architecture.
The primary goal of IPFire is security. Its simple-to-configure firewall engine and Intrusion Detection System keep hackers out of your network. To manage risks inside the network and have a custom configuration for the specific needs of each segment of the network, the network is split into various zones with different security policies in the default configuration. Each segment of the IPFire configuration is color-coded as follows.
Green: Trusted zone. This is where all regular client computers reside. Clients can access all other network segments without restriction.
Red: Untrusted Zone/Internet. Unless specifically configured by the administrator, no Internet access is permitted to pass through the firewall.
Blue: The wireless part of the local network. The clients on this network segment must be explicitly allowed before they may access the network.
Orange: The demilitarized zone (DMZ). Any publicly accessible servers are isolated from the rest of the network to limit the scope of a security breach.
Regular updates keep IPFire secure against security flaws and new attack vectors.
IPFire employs a Stateful Packet Inspection (SPI) firewall based on Netfilter, the Linux packet filtering framework. It filters packets quickly and achieves throughputs of several tens of Gigabits per second.
IPFire can be enhanced to include a virtual private network (VPN) gateway, which uses an encrypted link to connect remote people and places to the local network.
The Intrusion Detection System (IDS) of IPFire analyzes network traffic to detect exploits, leaking data, and other suspicious activity. When an attacker is detected, alerts are raised and the attacker is immediately blocked.
IPFire can be run as a virtual machine on the following hypervisors:
KVM/Qemu
Xen (paravirtualized and fully virtualized mode)
VMWare (Workstation, vSphere, ESXi)
Virtualbox
IPFire has a web-based management interface for changing settings. You can configure your network to suit your specific requirements, whether you need basic firewall protection or advanced logging and graphical reports.
The distro can also be fleshed out with a useful set of add-ons, such as Guardian, to provide it with additional functionality.
Main features of IPFire are listed below.
Intrusion Detection system
Wake-on-LAN
Web Proxy
IDS
VPN termination
QoS
Proxy and Relay for various protocols
URL filtering/Content filtering
DNS forwarding
Full-fledged web proxy
Multi-deployment facilitation such as a VPN gateway, a proxy server, or a firewall.
You can enhance IPFire to include supplemental network services such as:
Routing the traffic to the Tor network or running a relay (TOR)
Monitoring services like Nagios/NRPE
Samba file server
CUPS print server
Mail server system including Postfix, SpamAssassin, ClamAV, Amavis
WIFI Access-Point (HostAPD)
Streaming server
vsftpd ftp server
Asterisk
TeamSpeak
Video Disk Recorder (VDR)
3- Untangle NG Firewall
Untangle NG Firewall is a Debian-based network gateway that includes pluggable modules for network security applications such as intrusion prevention, web filtering, spam filtering, anti-virus, anti-spyware, VPN, firewall, and others.
Untangle NG Firewall removes the complication from network security and saves administrators time. This firewall is designed to strike a balance between performance and protection, policy and productivity. It provides simple deployment and administration, with a user-friendly web-based GUI.
Figure 3. Untangle NG Dashboard and Appliances
It is an excellent fit for a wide range of organizations looking for a powerful, cost-effective network security solution capable of handling any IT challenge from small, remote offices to diverse school campuses and large, distributed organizations. The NG Firewall has various software modules that can be enabled or disabled based on individual needs. Untangle NG's basic network functions are supplemented with free and paid applications that add additional functions and capabilities, all managed via a web-based user interface.
Basically, you can easily install this firewall system on any hardware or virtual machine, or buy a device with NG Firewall preinstalled.
Untangle NG Firewall is available in the following deployment options:
Hardware Appliance: An Untangle network appliance with NG Firewall preinstalled.
Software Appliance: An installable version of NG Firewall for most x86 based devices.
Virtual Appliance: A virtual appliance optimized for VMware deployments in private cloud infrastructure.
Cloud Appliance: A virtual appliance available for Amazon Web Services or Microsoft Azure.
In this article, we will cover the following topics briefly.
What is Untangle NG Firewall?
Untangle NG features
What is Untangle NG Firewall?
Untangle NG is next-generation firewall/UTM software that combines everything your network requires to stay healthy on a single box: URL and spam filtering, virus scanning, VPN connectivity, multi-WAN failover capability and much more.
Untangle NG consists of a growing ecosystem of technology applications, or 'apps.' This approach makes Untangle NG Firewall extremely easy to use by greatly simplifying the UI and tailoring it to each deployment.
Features of Untangle NG Firewall
In this subsection, we will first discuss the most valuable features of Untangle NG briefly and then list all features.
Simplicity: Network management and ensuring that everything is adequately protected can be a time-consuming and expensive task. Untangle NG Firewall simplifies network security by providing a single, modular software platform that adapts to your changing requirements. Untangle NG Firewall has a browser-based, user-friendly, and responsive interface that allows you to quickly gain visibility into network traffic. It provides a comprehensive, enterprise-grade network security platform for organizations of any size, from content filtering to advanced threat protection, and from VPN connectivity to application-based shaping for bandwidth optimization.
Comprehensive Security: The NG Firewall offers comprehensive security at the gateway by proactively preventing malware, hacking attempts, phishing schemes, and other threats from reaching clients.
Dashboard: On the dashboard, you can see the network activity at a glance, ensuring compliance with full event logs, and receive notifications of network anomalies or unusual user behavior via alert rules.
Secure Connectivity: It also helps you to maintain user and data security regardless of location or level of access.
Web Caching: Web Cache is used to improve browsing performance by caching and serving static elements locally. As a result, bandwidth is reduced and page loading times are shortened. Web Cache improves browser responsiveness, which leads to higher user satisfaction.
Bandwidth Control: Bandwidth Control aids in the tracking and monitoring of bandwidth usage. It aids in the identification of problematic apps, websites, and users. Bandwidth control assists the user in managing bandwidth allocation.
Reports: Untangle Reports is one of Untangle's best and most recent features. You can add your own reports. Reports provide users with statistical data and network activity. It generates reports on Applications, Web Usage, Web Filters, and other topics. You can send personalized reports via email or fax.
All of Untangle NG's features are listed below.
WireGuard VPN
Threat Prevention
Web Filter
SSL Inspector
Live Support
Policy Manager
Branding Manager
WAN Failover
WAN Balancer
IPsec VPN
Application Control
Web Cache
Bandwidth Control
Virus Blocker
Spam Blocker
Directory Connector
Web Monitor
Application Control Lite
Virus Blocker Lite
Phish Blocker
Intrusion Prevention
Firewall
OpenVPN
Reports
Spam Blocker Lite
Captive Portal
Ad Blocker
Tunnel VPN
4- pfSense
pfSense® software is a firewall/router computer software distribution based on FreeBSD. pfSense Community Edition (CE) is a partially open-source version, whereas pfSense Plus is now closed source. pfSense® software is one of the leading network firewalls with commercial-level features.
Figure 4. pfSense® software Appliance
Chris Buechler and Scott Ullrich founded the pfSense® software project in 2004 as a fork of the m0n0wall project, and the first release was in 2006. The name comes from the fact that the software employs the PF packet-filtering tool.
You can install it on a physical computer or a virtual machine to make a dedicated firewall/router for your network. And you can configure the firewall via a web-based interface without needing any knowledge of the underlying FreeBSD system to manage.
To deploy and use pfSense® software, no prior knowledge of FreeBSD is required.
In addition to being a powerful, flexible firewalling and routing platform pfSense® software includes a long list of related features. To begin with, you can use pfSense® software to deploy an intrusion prevention system as well as enable VPN access.
It has successfully replaced every major commercial firewall on the market, including Check Point, Cisco PIX, Cisco ASA, Juniper, Sonicwall, Netgear, Watchguard, Astaro, and others, in numerous installations around the world.
In this article, we will cover the following topics.
What is pfSense?
pfSense® software installation
pfSense® software features
What is pfSense?
The pfSense® software Project is a free open source customized distribution of FreeBSD designed for use as a firewall and router that is entirely managed through an intuitive web interface.
pfSense® software is owned by Rubicon Communications, LLC (Netgate) and distributed under an open source license.
It has proven to be effective in countless installations ranging from single computer protection in small home networks to thousands of network devices in large corporations, universities, and other organizations.
pfSense® software is available as a hardware device, virtual appliance, and downloadable binary (community edition).
How to Install pfSense?
pfSense® software can be installed and configured on either virtual or physical servers. For more information about the installation of the pfSense® software firewall, please refer to pfSense® software Guide.
Features of pfSense
The pfSense® software comes with a web interface for configuring all of the included components. There is no requirement for any UNIX knowledge, no use of the command line, and no need to manually edit any rule sets. Users who are familiar with commercial firewalls adapt quickly to the web interface.
Because of its long history, pfSense® software may have the most extensive documentation and one of the largest user communities, with tutorials and videos posted on its official support channels as well as elsewhere on the web. The distro's commercial hosts also provide paid training courses to help you get the most out of your pfSense® software deployment.
The main advantage of pfSense® software is the ongoing support. The development team provides regular updates and support for this software. The pfSense® software package system allows for additional expansion without adding bloat or potential security vulnerabilities.
At a high level, some of the pfSense® software features worth mentioning are:
Firewall: IP/port filtering, limiting connections, layer two capable, scrubbing
State table: by default all rules are stateful, multiple configurations available for state handling
Multi-WAN load balancing: use more than one internet connection.
VPN (a virtual private network): support IPsec and OpenVPN
Server load balancing: inbuilt LB to distribute the load between multiple backend servers
NAT (Network address translation): port forwarding, reflection
HA (High-availability): failover to secondary if primary fails
Reporting: Keep historical resources utilization information
Monitoring: real-time monitoring
Captive portal
Dynamic DNS: multiple DNS clients are included
DHCP & Relay ready
Disable filtering: You can completely disable the firewall filter if you want to turn your pfSense® software into a pure router.
User authentication
Content filtering and proxy filtering capabilities
GeoIP blocking
Anti-spoofing
You also have an option to install the following packages with one click.
Services: iperf, widentd, syslog-ng, bind, acme, imspector, git, dns-server
Networking: netio, nut, Avahi
Routing: frr, olsrd, routed, OpenBGPD
Security: stunnel, snort, tinc, nmap, arpwatch
Monitoring: iftop, ntopng, softflowd, urlsnarf, darkstat, mailreport
Tip: We strongly recommend installing Zenarmor on your pfSense® software firewall so that you have an additional layer of security for your network infrastructure. By installing Zenarmor on your pfSense® software node you gain web filtering and application control capabilities. For more information about how to install and configure Zenarmor on your pfSense® software firewall, please refer to our official documentation.
5- iptables
iptables is a well-known utility and one of the best open source firewalls for Linux; it gives a system administrator the ability to configure the packet filter and analyze network statistics. It is a terminal-based, effective and customizable firewall tool that is widely used by experienced Linux administrators to protect their servers.
Figure 5. Iptables list output
iptables replaced ipchains, and nftables is iptables' successor. nftables allows for much more flexible, scalable and performant packet classification.
When an iptables-enabled system receives a packet, it walks the relevant chain's rules in order until one matches. If none matches, the chain's policy, the default target set with -P, decides what happens to the packet.
In this article, we will cover the following topics.
What is iptables?
iptables installation
iptables features
What is Iptables?
Iptables is a user-space utility that allows an administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as various Netfilter modules. Netfilter is the packet-filtering framework inside the kernel, and iptables is the utility that loads, lists and removes its rules. Iptables can filter packets arriving at, leaving or being forwarded through the host, and it can rewrite their addresses and ports (NAT); the routing decision itself is made by the kernel's routing table, not by iptables. The rules are organized in tables, each of which contains chains of rules describing how to treat packets.
Currently, different kernel modules and programs are used for different protocols:
iptables for IPv4
ip6tables for IPv6
arptables for ARP
ebtables for Ethernet frames.
How to Install Iptables?
Iptables almost always comes pre-installed on a Linux distribution; to update or install it, retrieve the iptables package. On current Debian, Ubuntu and RHEL releases the iptables command is usually the nftables-backed compatibility build (iptables -V reports either "nf_tables" or "legacy"), which accepts the same syntax. Before managing rules with iptables directly, disable or remove any other firewall front end such as UFW or firewalld on the host, otherwise two tools will fight over the same ruleset.
On a Debian based or Ubuntu server you can run the following commands to install iptables.
sudo apt-get update
sudo apt-get install iptables
Debian and Ubuntu do not save iptables rules across reboots by themselves. Install the iptables-persistent package and write the running ruleset to /etc/iptables/rules.v4 (and /etc/iptables/rules.v6 for ip6tables) with iptables-save; the netfilter-persistent service loads those files at boot. The /etc/sysconfig/iptables file belongs to the RHEL and CentOS iptables-services package described next, not to Debian. You can edit either file with the text editor of your choice.
On Red Hat Enterprise Linux (RHEL) 7/8 and CentOS 7/8 you can run the following commands to replace firewalld with the classic iptables service, which saves its rules in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
- Run the following commands to stop and mask the firewalld service that you don't want to use:
systemctl stop firewalld
systemctl mask --now firewalld
- Install the iptables-services package (if it is not already installed) by running the following command:
yum install iptables-services -y
- Enable the service to start at boot time by running the following commands:
systemctl enable iptables
systemctl enable ip6tables
Features of Iptables
iptables rules are organized around three concepts: chains, tables and targets.
chains: A chain is an ordered list of rules. There are five built-in chains, each consulted at a specific point in a packet's path through the kernel, and administrators can add user-defined chains to jump to:
INPUT: packets addressed to the local host, after the routing decision.
OUTPUT: packets generated by the local host, before they leave.
FORWARD: packets routed through the host from one interface to another.
PREROUTING: packets that have just arrived on an interface, before the routing decision is made (this is where destination NAT happens).
POSTROUTING: packets about to leave an interface, after the routing decision (this is where source NAT and masquerading happen).
tables: A table groups the chains that serve one function. There are five tables in iptables:
filter is the default table and is where packets are accepted or dropped; it contains the INPUT, FORWARD and OUTPUT chains.
nat is consulted for the first packet of each new connection and rewrites addresses or ports (DNAT in PREROUTING, SNAT and MASQUERADE in POSTROUTING).
mangle modifies packet headers and metadata, for example the TTL, the TOS field or firewall marks.
raw is consulted before connection tracking, so its main use is to exempt packets from tracking (the NOTRACK target) rather than to track them.
security is processed after filter and holds Mandatory Access Control rules, such as the SELinux SECMARK and CONNSECMARK labels.
targets: A target is what happens to a packet when a rule matches. Besides the built-in targets ACCEPT, DROP and RETURN (and a jump to a user-defined chain), iptables ships with dozens of extension targets; the most common are DNAT, LOG, MASQUERADE, REJECT, SNAT, TRACE and TTL.
ACCEPT: stop processing this chain and let the packet continue on its way.
REJECT: discard the packet and send an error back to the sender (an ICMP unreachable message by default, or a TCP RST with --reject-with tcp-reset).
DROP: silently discard the packet and stop processing.
LOG: record the packet through the kernel log (visible in dmesg and in syslog, e.g. /var/log/messages or /var/log/kern.log depending on the distribution) and, unlike the targets above, keep processing with the next rule; a LOG rule therefore has to be placed before the DROP or REJECT it is meant to document.
Iptables lets the system administrator define tables containing chains of rules for the treatment of packets. Every packet arriving at, leaving from or routed through the host traverses at least one chain, and within a chain the rules are tested in order. The first rule whose match criteria fit the packet decides: a terminating target such as ACCEPT, DROP or REJECT ends traversal of that chain, while a non-terminating one such as LOG applies and evaluation continues with the next rule. If no rule matches, the chain's policy (its default target) is applied. Rule order therefore matters as much as the rules themselves.
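The following script, added here as a worked example (it is not code from the article or from the iptables project), puts the installation steps and the chain/table/target model together. It emits a default-deny, stateful ruleset in iptables-restore format that uses the raw, nat and filter tables, checks it with iptables-restore --test, loads it atomically and saves it to the file the distribution's boot service reads. The topology is an assumption made for the example: eth0 is the uplink, eth1 faces a 192.168.1.0/24 LAN, management hosts live on 10.0.0.0/24, and a web server at 192.168.1.10 is published on TCP/443.

```shell
#!/bin/sh
# Added example, not part of the article: default-deny stateful host and
# gateway ruleset for iptables, written in iptables-restore format.
# Assumed topology (not from the article): eth0 = uplink, eth1 = LAN,
# management hosts on 10.0.0.0/24, web server 192.168.1.10 on the LAN.
MGMT_NET="10.0.0.0/24"
LAN_NET="192.168.1.0/24"
WAN_IF="eth0"
LAN_IF="eth1"
WEB_SRV="192.168.1.10"

# Emit the ruleset. Each "*table" block names its built-in chains with a
# policy (the fallback when nothing matches) and then lists rules that are
# tried top to bottom. The first rule with a terminating target (ACCEPT,
# DROP, REJECT, DNAT, MASQUERADE) ends traversal; LOG is non-terminating,
# so it must come before the DROP it documents.
host_ruleset() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# raw is consulted before conntrack: exempt loopback from state tracking.
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forward: DNAT lives in nat/PREROUTING, before the routing decision.
-A PREROUTING -i $WAN_IF -p tcp --dport 443 -j DNAT --to-destination $WEB_SRV:443
# Hide the LAN behind the uplink address: nat/POSTROUTING, after routing.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core first: replies to flows already accepted pass here, so the
# rules below only have to decide about NEW connections.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
# Log (rate limited) what is about to be dropped, then drop. A LOG rule
# placed after the DROP would never be reached.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop-in: "
-A INPUT -j DROP
# FORWARD only sees routed traffic: LAN out, replies back, DNATed web hits.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Inside the LAN, reject rather than drop so clients fail fast.
-A FORWARD -i $LAN_IF -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# File the boot-time service reads: iptables-persistent on Debian/Ubuntu,
# iptables-services on RHEL/CentOS (see the installation steps above).
rules_file() {
  if [ -f /etc/debian_version ]; then
    echo /etc/iptables/rules.v4
  else
    echo /etc/sysconfig/iptables
  fi
}

# Parse-check without touching the kernel, then load the whole ruleset in
# one atomic step (no window with a half-applied policy) and persist it.
# Needs root.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  host_ruleset >"$tmp"
  if ! iptables-restore --test <"$tmp"; then
    echo "ruleset rejected by iptables-restore --test; current rules untouched" >&2
    rm -f "$tmp"
    return 1
  fi
  iptables-restore <"$tmp" && cp "$tmp" "$(rules_file)"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: ./host-fw.sh              prints the ruleset for review
#        sudo ./host-fw.sh apply   validates, loads and saves it
case "${1:-print}" in
  apply) apply_ruleset ;;
  *) host_ruleset ;;
esac
```

Review the printed ruleset before applying it from a console session rather than over SSH, or keep a second session open: with a DROP policy on INPUT, a typo in the management-network rule locks you out. IPv6 needs its own ruleset for ip6tables (rules.v6 on Debian, /etc/sysconfig/ip6tables on RHEL), and a default-deny INPUT there must also admit the ICMPv6 neighbour discovery types or the host loses connectivity.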
The features and attributes of the iptables firewall are as follows:
It can list the current packet filter rulesets, either with per-rule packet and byte counters (iptables -L -n -v) or in a restorable text form (iptables-save).
It matches on packet headers and connection-tracking state rather than on payloads, which keeps the firewall fast.
Editable rulesets let the administrator add (-A or -I), replace (-R) or delete (-D) individual rules and set a chain's default policy (-P) without reloading everything.
Per-rule counters can be listed and zeroed (-Z), which shows which rules actually see traffic.
A complete ruleset can be backed up and restored as a text file with iptables-save and iptables-restore, which also makes it easy to version and to deploy to other hosts.
tip
Iptables gives you a layer-4, second generation (stateful) firewall only. Since it is not a next generation firewall and has no application layer (L7) filtering capabilities, we strongly recommend using Zenarmor alongside your iptables firewall. For more information about how to install Zenarmor on your Linux firewall, please refer to the Zenarmor official documentation.