The ipchains program was written by Paul
Russell and it is included in most Linux distributions. There is an IPCHAINS-HowTo
available at this site, and the online documentation is extensive. This section
provides a general overview of the syntax and semantics of ipchains.
A D V E R T I S E M E N T
The ipchains program is very powerful, and surprisingly simple
once you get the basics down. The general format is:
ipchains <command> <chain> [<options>]
The complete syntax for ipchains is a little more complex, but
this is sufficient for our needs. The online help enumerates the complete syntax
including a useful command like:
that lists the currently loaded ipchains configuration.
Linux keeps a set of tables for ipchains that it uses when
routing packets to non-local destinations as well as routing incoming packets
destined for other computers. The ipchains program changes these
tables. Typically this is done when the system boots or as part of a script
associated with a particular network adapter, such as a modem adapter discussed
in the next article.
The three commands that we look at are -F, -P, and -A.
The -F command flushes a chain so it starts fresh. The -P command
sets up the default handling, while the -A command adds conditions or
rules to a chain.
As yet we have not defined what a chain is. With ipchains, three
chains are predefined: input, output, and forward. The following two commands
are normally used to set up a chain:
ipchains -F input
ipchains -P input REJECT
This causes any rules for the input chain to be discarded and sets up the
default condition so incoming packets are rejected. It is easier to discuss how
chains work using an example, so we'll assume that the following command is
ipchains -A input -i
eth0 -s 10.1.0.0/16 -d 0.0.0.0/0 -j ACCEPT
This is used to accept packets that meet the criteria specified in this
command. In particular, the -i option is followed by the interface name,
eth0. The -s and -d options are followed by source and destination
values. If a packet is received on eth0 and it is from the specified source and
going to the specified destination then it will be accepted by the router.
The source and destination values are IP address and mask bit pairs. In this
case, the source will match any IP address of the form 10.1.x.x. The destination
matches anything. Therefore, the rule accepts any packet with an address like
10.1.54.103 going anywhere. If a source or destination criteria is not specified
then 0.0.0.0/0 is used.
The output chain controls what packets can be sent. A packet may be accepted
by the input chain but rejected by the output chain. Likewise, the forward chain
controls what packets will be routed.
In general, the input chain controls incoming packet filtering. The packet is
either destined for the router or for another computer. In the latter case, the
packet is processed by the forward chain. Packets that make it through this
chain will then be processed by the output chain.
Additional -A, or add, commands can be used with the same chain name.
The rules can also be used to reject packets as well. For example:
ipchains -A input -i
eth0 -s 10.2.0.0/16 -d 0.0.0.0/0 -j REJECT
will reject packets with a source address like 10.2.x.x to any destination.
This is actually redundant for the current set of rules since anything that does
not match the first example rule for 10.1.x.x will be rejected. Including a rule
ipchains -A input -i
eth0 -s 10.2.0.0/16 -d 10.1.0.0/16 -j ACCEPT
will accept a packet if it is from a source address like 10.2.x.x and
destined for an IP address of the form 10.1.x.x. Note that rules are order
dependent in a first-come-first-used basis so this rule should be added before
the rule that rejects a more general condition.
We have used the -j option in a simplistic fashion to designate
whether a packet will be accepted or rejected. This option is actually called a
jump and can be used to link to user-defined chains, as well as using ACCEPT and
REJECT. User-defined chains are manipulated in the same fashion as the standard
chains. Only the names have been changed. User-defined chains are typically used
to manage more complicated routing configurations. The bottom line is that the
rules are followed until the packet is ACCEPTed or REJECTed.
Other argument values for the -j option when used with the forward
chain. These include DENY and MASQ. DENY is similar to REJECT in that it
terminates checking of the chain. MASQ indicates that a packet should be
masqueraded using the built-in NAT support. In this case, the accepted packet
will be modified so its IP address and port address are changed as described
with NAT earlier. The reverse translation for response packets is done
automatically. Selective use of MASQ allows a Linux router to forward some
packets NAT-fashion and others with no translation. This is handy for small
companies that have been assigned more than one IP address and use them for PCs
on the local network.
For simple router support when an ISP provides a single IP address, MASQ is
typically used. User-defined chains are usually unnecessary.
The ipchains program can also delete a rule using the -D
command. A rule must match exactly with a command's argument to be deleted.
The ipchains commands are normally included in a script that
runs when Linux boots or when a particular network adapter is started. The
following section addresses masquerading of special protocols.
One last item for ipchains is to enable forwarding using the
echo "1" >
This creates a single byte file containing the number "1". Note: Linux
distributions based on Red Hat Linux can normally specify this feature by adding
the following to /etc/sysconfig/network: