Linux IP Firewalling Chains

It's similar in design (being based on the same code) but there are many improvements and new features. You can read more about it in the HOWTO (or you can get the gzipped text (22k) or bzip2'd text (19k) formats).

Join the mailing list by sending a message containing the word "subscribe" to ipchains-request at wantree.com.au. To mail to the list use `ipchains' instead of `ipchains-request'.

The latest release is version 1.3.2, containing several minor bugfixes over 1.3.1.

Here's the shopping list:

1. bzip2 source if you want to save bandwidth (thanks). Since kernel sources are now available in .bz2 format, getting this now will help you with them, too.
2. The kernel patch for 2.1.99 (should be OK for most 2.1.x) in bzip2 (17k) or gzip (18k).
3. The kernel patch for 2.0.33 (should be OK for most 2.0.3x) hasn't been updated yet, so keep using the 1.3.1 patch (no significant difference): bzip2 (17k) or gzip (18k).
4. The userspace tools. Sorry, I upgraded to the 2.0 beta of Debian, which is glibc-based, so the binaries are glibc (ie. Debian 2.0 or Redhat 5). However, the source should compile fine under libc5. Here is the source in bzip2 (82k) and gzip (104k), and here are the pre-compiled glibc binaries in bzip2 (23k) and gzip (23k) formats.

IPChains in a Nutshell

Here are the pros and cons of the new implementation in a nutshell:

• PRO: More flexible packet manipulations possible; eg, all TCP packets can be handled by a separate chain.
• PRO: Accounting integrated into normal chains.
• PRO: SMP-safe[4].
• PRO: Byte/packet counters on chain policies.
• PRO: Can specify class of interfaces, eg. all ppp.
• PRO: Filtering on ICMP code as well as type.
• PRO: Handing of packets to userspace daemon for more sophisticated accounting, firewalling or manipulation (kernel 2.1+ only).
• PRO: More complex accounting possible; eg. a breakdown by protocol of all packets blocked.[1]
• PRO: Simple policy changes possible atomically.
• PRO: Fragments can be explicitly blocked, denied, etc.
• PRO: Functionality is a superset of old IP firewalling code.
• PRO: Logs suspicious packets[2].
• PRO: 64-bit packet and byte counters[3].
• PRO: Easy to retrofit to 2.0.x kernels if desired.
• PRO: Can handle protocols other than ICMP/TCP/UDP.
• PRO: Has inverse rules (eg. you can specify packets NOT coming in ppp0).
• CON: Code should be considered beta-level.

History of Changes

1.3.2 release

• Reduced in-kernel size (now only 3.5k bigger than old ip_fw.c code).
• ipchains now understands arbitrary masqueraded protocols. [Thanks to Marco Kremer (mabi)]

• HOWTO example fixed. [Thanks to Jim Kunzman]
• ipchains version string now fixed. [Thanks to Jim Kunzman]
• ipchains now gives error on specifying a too-long chain name. [Thanks to Gerard Gerritsen]
• ipchains -S works again, with or without -M. [Thanks to Serge Sivkov]

1.3.1 release

• Format of policy-change kernel interface changed, to allow same ipchains binary under both 2.0 and 2.1 kernels, and simplify glibc interface.
• Userspace tools now compile under glibc.
• Binary release now glibc.
• Binary release no longer includes `ipfw.4' man page.
• Updated HOWTO.

• Fixed typo which cause mark not to be initialised to 0.
  [Thanks to Alexey Kuznetsov].
• Removed extraneous debug messages for 2.0 kernels.
  [Thanks to Ricardo Kustner].
• Fixed race condition correctly.
• Now compiles under SMP.

1.3.0 release

• `ipchains -X' now deletes all user-defined chains.
  [Thanks to feedback from John D. Hardin]
• Can now specify what packets to be copied to NETLINK device (2.1.x kernels only).
• A simple library to make using the netlink device easier.
• Understands ICMP masquerading.
• Policies have packet and byte counters, for completeness.
• Should be SMP safe now (testers wanted; my laptop is not SMP).
• Introduced libfw.

• Many documentation and HOWTO fixes and updates.
  [Thanks to Dr. Liviu Daia and Matt Kemner.]
• ipchains-save bugfix with destination ports.
  [Thanks to Kevin Littlejohn.]
• Masquerading listing fixed.
  [Thanks to Franck Sicard.]
• Bogus `loop detected' message due to race condition now fixed (also fixes possibility of counter inaccuracies).
  [Thanks to Helmut Adams]
• Masquerading modules now fixed for 2.0.x kernels.
  [Thanks to Marko Injac, and feedback from R. Garth Wood].
• Verbose packet info now logged at KERN_INFO level.
  [Thanks to Dr. Liviu Daia.]

1.2.2 release

• HOWTO updates.
• Kernel policies output changed from numbers to names, for consistency across kernel versions.
• Introduced 2.0 kernel series support.

• ipchains-save and ipchains-restore fixed to handle userdefined chains better.
• Fixed TOS handling in ipfwadm-wrapper script.

1.2.1 release

• Fixed interface (`-i') parsing in ipchains.

1.2 release

• Wildcard interface support.

1.1.1 release

• ICMP codes (as well as types) supported.
• icmp names supported.
• ipfwadm-wrapper released.

• ipchains-save and ipchains-restore fixed.
• -b flag when used with address masks fixed.

1.1 release

• HOWTO introduced.
• ipchains-save and ipchains-restore introduced.
• Inverse rule support.
• -k (TCP ACK) option removed.
• -b (BIDIR) option removed from kernel: handled in userspace.
• Multiple port support removed.
• Test suite removed from release.

• Handling of listing > 8 rules fixed.

1.0.2 release

• Interface address support removed.
• Added skbuff marking support.

1.0.1 release

• Generic protocol support added.
• Tighter TOS checking.
• TOS can now be specified by name.
• New target: RETURN.

• Port range handling fixed.
• Append and delete entry heisenbug fixed.

Enjoy!