10.9. Packet filter

The packet filter configuration is stored in the /etc/iptables.conf file. Although it is technically possible to edit this file manually, doing so is not recommended, as the first two comment lines of the file warn, even if you prefer manual configuration to MC-based graphical work.

#
# This file is generated automatically from iptables.conf.in and iptables.conf.var.
# Do not edit directly, regenerate it using iptables-gen.

To make packet filter configuration easier and less error-prone, a frontend utility pack, iptables-utils, has been created; it contains a couple of scripts that help create and maintain packet filter rulesets. For more details on iptables-utils, see the chapter Packet Filtering.

Tip

Using iptables-utils is highly beneficial in the long term, as it dramatically reduces the number of system closeouts, that is, administrator lock-outs caused for example by activating an incorrect packet filter ruleset. This is especially valuable if you are far away from the firewall.

After installing the firewall, a default ruleset is active. Since PNS acts as a default-deny firewall, the ruleset allows only connections to the firewall from the MS host machine specified during installation, and outgoing connections originating from the firewall itself. Besides the iptables.conf file, which stores the currently active ruleset, the iptables.conf.in file is also present in the system (/etc/iptables.conf.in), so you can see the differences between the two. The /etc/iptables.conf.var file is also stored and contains a single statement:

#define MSHOST <ip_address>

This entry allows you to refer to the MS host machine by the name MSHOST rather than by its IP address when editing the iptables.conf.in file. These tools and the intermediate configuration files greatly help the administration of packet filter rulesets. However, an in-depth knowledge of iptables is still needed to manage the packet filter successfully.
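To make the generation step concrete, the following is an added shell illustration of the pattern described above; it is not the PNS iptables-gen script, whose internals this manual does not show. It expands a #define MSHOST macro from a .var-style text into a .in-style template and refuses to emit a ruleset that would not let the management host in. The sample .var and .in contents and the lock-out check are constructed for this example.

```shell
#!/bin/sh
# Added illustration (not iptables-gen): expand a "#define MSHOST <ip>" macro
# into a template ruleset, and refuse output that would lock the admin out of a
# default-deny firewall.

# Constructed stand-ins for /etc/iptables.conf.var and /etc/iptables.conf.in.
SAMPLE_VAR='#define MSHOST 192.0.2.10'
SAMPLE_IN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s MSHOST -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# read_macro VARTEXT NAME: print the value of "#define NAME value".
read_macro() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == "#define" && $2 == n { print $3; exit }'
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    printf '%s' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# gen_ruleset VARTEXT INTEXT: print the expanded ruleset, fail on unsafe input.
gen_ruleset() {
    host=$(read_macro "$1" MSHOST)
    valid_ipv4 "$host" || { echo "MSHOST missing or not an IPv4 address" >&2; return 1; }
    out=$(printf '%s\n' "$2" | awk -v h="$host" '{ gsub(/MSHOST/, h) } 1')
    # Lock-out guard: with INPUT defaulting to DROP, at least one INPUT rule
    # must ACCEPT traffic from the management host.
    printf '%s\n' "$out" | grep -q "^-A INPUT .*-s $host .*-j ACCEPT" \
        || { echo "no INPUT ACCEPT rule for $host; refusing to generate" >&2; return 1; }
    printf '%s\n' "$out"
}

gen_ruleset "$SAMPLE_VAR" "$SAMPLE_IN"
```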

For more information on the PNS-specific configuration of IPTables, see Appendix A, Packet Filtering, the installed manual pages of iptables (the userland utility), and the documentation of the Netfilter/IPTables project, including a detailed tutorial and HOWTO documents, accessible from Appendix C, Further readings.