Lost in Linux IP Acronym Land

Sneppe Filip Filip.Sneppe@cronos.be
Wed, 6 Jun 2001 00:49:53 +0200


Ok, I'll have a go...
 
Brooks Carlson (bcarlson@thedswgroup.com) wrote:

> I have been learning as much as possible about Linux and networking.
> There is a huge amount of 
> information available, and I have done extensive searches of
> www.google.com, Linux HOWTOs, and
> several textbooks.  I do have a couple of questions which I can't seem to
> find a direct answer to:
> 
>      What is the distinction between IPCHAINS, IPTables, IP-Masquerade,
> IPFWADM and NETFILTER?
>      Am I correct in saying that the evolution of the Linux firewall was:
>      IPFWADM  ---> IPCHAINS  ---> IPTables?

Yes, ipfwadm came with 2.0 kernels, ipchains is basically for 2.2 kernels
and now we have iptables for 2.4 kernels. Note that the three tools you
mention are "userland tools" used to talk to the firewalling code in the
Linux kernel. As a result, one must ensure that the kernel you are using is
compiled with firewalling support (either built-in or via modules). 

The same approach is used for instance with Linux's advanced routing
functionality, traffic shaping, etc., which must all be supported by the
running kernel, but use userland commands from the iproute2 suite (ip,
rtmon, tc) to talk to the kernel from userland.

The 2.4 kernel sports a very well thought-out architecture to perform
stateful firewalling, various forms of NAT, packet mangling, etc. This
architecture is called "netfilter". In other words, one uses iptables to
talk to the netfilter architecture in the kernel. As far as I know, the
firewalling code in 2.0 and 2.2 kernels has never had a name for its
architecture...

>      Where does IP-Masquerade fit into this mix?  Under IPCHAINS I have
> rules that I can MASQ
>      packets leaving my internet network.  Is this the same thing, or is
> IP-Masquerade a separate
>      program?

IP masquerading is a form of Source Network Address Translation where a
number of hosts access another network (e.g. the internet) via a gateway
that "impersonates" the hosts behind it. To the hosts on the other network,
all connections appear to be coming from the gateway. 

ipchains and iptables both support masquerading (not too sure about ipfwadm,
but I think it does), but iptables is just way more powerful as far as
NAT'ting is concerned.

> Sorry about the stupid question, I really have tried to find the answer,
> but I want to understand this
> clearly before moving on.  A strong foundation means a more secure
> network.  I have been up until
> now a Checkpoint Firewall-1 user on NT, but would like to switch all to
> Linux eventually.
> 
We've all been there, so there is no need to feel stupid. I would suggest
that you forget about ipchains & ipfwadm and concentrate on iptables/netfilter
as it is obviously the more advanced firewalling architecture.

Other than the linux 2.4 packet filtering howto and the 2.4 NAT howto (both
available from http://netfilter.samba.org/), you may want to take a look at
these two URLs, which may explain things a little differently:

http://www.boingworld.com/workshops/linux/iptables-tutorial/
http://www.kalamazoolinux.org/presentations/20010417/

Good luck,
Filip
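The following is an added illustration, not code from the original post or from the netfilter project, of what the reply above describes as masquerading: a gateway that "impersonates" the hosts behind it. It is a deliberately simplified model of the kernel's behaviour, keyed on addresses and ports only (real connection tracking also considers the protocol, TCP state and timeouts). The gateway address, inside addresses and port numbers are constructed sample values.

```python
"""Toy model of IP masquerading (a form of source NAT) on a Linux gateway.

Added example, not the original post's or the netfilter project's code.
Outbound packets from the inside network get their source rewritten to the
gateway's external address and a gateway-chosen port; the mapping is kept
so replies can be translated back; inbound packets matching no mapping are
dropped. All addresses and ports are constructed sample values.
"""
from dataclasses import dataclass, replace as dc_replace
from typing import Dict, Optional, Tuple

# Constructed sample addresses (documentation ranges, not real hosts).
GATEWAY_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# An outbound flow is identified by inside host/port and outside peer/port.
FlowKey = Tuple[str, int, str, int]


class Masquerader:
    """Gateway that makes all inside connections appear to come from itself."""

    def __init__(self, external_ip: str, first_port: int = 61000):
        self.external_ip = external_ip
        self._next_port = first_port
        self._out: Dict[FlowKey, int] = {}   # flow -> gateway source port
        self._in: Dict[int, FlowKey] = {}    # gateway source port -> flow

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the inside network."""
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            # New flow: allocate a distinct gateway port and remember it, so
            # two inside hosts using the same source port never collide.
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[port] = key
        return dc_replace(pkt, src_ip=self.external_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the inside host; None means drop."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = self._in.get(pkt.dst_port)
        if key is None:
            return None  # no state for this port: unsolicited, dropped
        inside_ip, inside_port, peer_ip, peer_port = key
        # Only the peer the inside host actually contacted may answer.
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None
        return dc_replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo() -> None:
    gw = Masquerader(GATEWAY_IP)
    web = ("198.51.100.7", 80)
    a = Packet("192.168.1.10", 40000, *web)
    b = Packet("192.168.1.11", 40000, *web)   # same source port as host a
    out_a, out_b = gw.outbound(a), gw.outbound(b)
    print("outbound a ->", out_a)
    print("outbound b ->", out_b)
    reply = Packet(web[0], web[1], GATEWAY_IP, out_a.src_port)
    print("reply to a ->", gw.inbound(reply))
    stray = Packet("198.51.100.9", 4444, GATEWAY_IP, 22)
    print("unsolicited ->", gw.inbound(stray))


if __name__ == "__main__":
    demo()
```

Two points the model makes visible: the outside peer only ever sees the gateway's address and a gateway-chosen port, and an inbound packet with no matching state has nowhere to go and is dropped. That drop is a side effect of the translation state, not a filtering policy, which is why a masquerading gateway still needs explicit filter rules.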