The netfilter.org project

netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Software commonly associated with netfilter.org is iptables.

Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.