Netfilter
In computer networking, netfilter and its companion iptables together form a software extension to the Linux operating system that implements a stateful firewall framework. The framework also enables other networking features such as network address translation (NAT).
Specifically, the netfilter software component is a set of custom hooks in the networking subsystem inside the Linux kernel. Netfilter is distributed as a set of patches to the kernel source code along with a patch tool called patch-o-matic. The iptables software component uses the hooks provided by netfilter to implement the firewall framework. It includes a set of kernel modules along with some user space administrative commands.
History
The netfilter/iptables project was started in 1999 with a small group of developers calling themselves the coreteam. The software they produced (called netfilter from here on) was designed for use with the Linux 2.4 kernel and made available to the public in 2000 under the GNU General Public License.
Prior to netfilter, the predominant software packages for creating Linux firewalls were ipchains in Linux 2.2 and ipfw in Linux 2.0. Netfilter kept many of the basic ideas first introduced with ipchains, including the use of tables, chains, and packet matching rules. Netfilter unified many smaller networking extensions, most importantly NAT and proxy capabilities, and added connection tracking and IPv6 support.
Netfilter is included in all major Linux distributions using the 2.4 or 2.6 kernel.
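The tables, chains, packet matching rules, connection tracking and NAT described above fit together as in the following ruleset, an added example in iptables-restore format that is not taken from the netfilter project. The interface names eth0 (external) and eth1 (internal) and the 192.168.1.0/24 network are assumptions chosen for illustration.

```conf
# Constructed example ruleset for iptables-restore.
# Assumed topology: eth0 faces the Internet, eth1 faces 192.168.1.0/24.

# --- filter table: decides which packets are accepted or dropped ---
*filter
# Default policies: drop anything not explicitly allowed inbound or forwarded.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Stateful rule: connection tracking marks packets that belong to, or are
# related to, a connection already seen; those are accepted without
# re-evaluating the rest of the chain.
# (-m conntrack --ctstate is the newer spelling of the same match.)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT

# Only new SSH connections arriving from the internal side may reach the firewall.
-A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Forwarded traffic: replies to tracked connections pass in both directions,
# but new connections may only be opened from the internal network outward.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
COMMIT

# --- nat table: rewrites addresses, consulted for the first packet of a connection ---
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Source NAT: internal hosts leave through eth0 using the firewall's address.
# Connection tracking maps the replies back to the originating internal host.
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
```

Because both default policies are DROP, the ESTABLISHED,RELATED rules are what let reply traffic through; removing them breaks return packets even for connections the NEW rules allowed. Forwarding between the interfaces also requires IP forwarding to be enabled in the kernel (net.ipv4.ip_forward).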