netfilter project logo
www | ftp | svn | lists | bugzilla | people | planet
About
Coreteam
Contributors
History
License
Thanks
PGP key
Projects
iptables
libnfnetlink
libnetfilter_log
libnetfilter_queue
libnetfilter_conntrack
conntrack-tools
ipset
nf-hipac
patch-o-matic-ng
ulogd
Downloads
SVN Repository
ftp Server
rsync Server
News
libnfnetlink release
conntrack-tools 0.9.6 release
libnetfilter_conntrack release
iptables-1.4.0
Michael Rash's book
libnetfilter_conntrack release
iptables-1.4.0rc1
security announces
libnetfilter_queue release
libnfnetlink release
conntrack-tools-0.9.5 release
libnetfilter_conntrack release
conntrack-tools-0.9.4 release
libnetfilter_conntrack release
iptables-1.3.8
conntrack-tools release
libnetfilter_conntrack release
Netfilter Workshop
new PGP key
Pablo Neira Ayuso joins core team
library releases
iptables-1.3.7
iptables-1.3.6
iptables-1.3.5
ulogd-1.24
ulogd-2.00beta1
library releases
iptables-1.3.4
Yasuyuki Kozakai joins core team
planet.netfilter.org
conntrack-0.81
iptables-1.3.3
Documentation
FAQ
HOWTOs
Events
Tutorials
Various other docs
Security Information
Mailing Lists
List Rules
netfilter-announce list
netfilter list
netfilter-devel list
netfilter-failover list
Contact
bugzilla
coreteam
webmaster
imprint / postal address
Supporting netfilter
Licensing
Events
Links
Mirrors
About website

The netfilter.org project

What is netfilter.org?

netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Software commonly associated with netfilter.org is iptables.

Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.

Main Features

  • stateless packet filtering (IPv4 and IPv6)
  • stateful packet filtering (IPv4 and IPv6)
  • all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 only)
  • flexible and extensible infrastructure
  • multiple layers of API's for 3rd party extensions
  • large number of plugins/modules kept in 'patch-o-matic' repository

What can I do with netfilter/iptables?

  • build internet firewalls based on stateless and stateful packet filtering
  • use NAT and masquerading for sharing internet access if you don't have enough public IP addresses
  • use NAT to implement transparent proxies
  • aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
  • do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
Copyright © 1999-2007 The netfilter webmaster . Harald Welte and Pablo Neira Ayuso