Netfilter (netfilter.org) is the 4th-generation firewall in Linux. ipchains, the 3rd generation, is out of date nowadays.
This firewall consists of 2 parts: Netfilter and iptables.
Netfilter lives in kernel space and is part of the kernel. Here are the main features listed on its official website:
- stateless packet filtering (IPv4 and IPv6)
- stateful packet filtering (IPv4 and IPv6)
- all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 only)
- flexible and extensible infrastructure
- multiple layers of APIs for 3rd-party extensions
- large number of plugins/modules kept in 'patch-o-matic' repository
Some further description of Netfilter, copied from the official site:
netfilter.org is home to the software of the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series. Software commonly associated with netfilter.org is iptables.
Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
netfilter, ip_tables, connection tracking (ip_conntrack, nf_conntrack) and the NAT subsystem together build the major parts of the framework.
There is a "Packet Filtering table" inside kernel space, operated by Netfilter, and this table has 3 default "Chains": the "INPUT chain", the "OUTPUT chain" and the "FORWARD chain". There are also other chains such as the "PREROUTING chain" and the "POSTROUTING chain", and we can add new chains of our own.
iptables is a user-space utility used to operate and manage the "Packet Filtering table".
Note: user-defined filtering rules are also loaded into kernel space.
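As an added example (not from the original post or the netfilter project), here is a minimal stateful ruleset in iptables-save format that exercises the built-in INPUT, FORWARD and POSTROUTING chains, conntrack state matching and a user-defined chain; the interface names eth0/eth1 and the subnet 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the netfilter project:
# a minimal stateful ruleset exercising the built-in chains discussed above
# plus one user-defined chain. Interface names and the LAN subnet are
# assumptions; override them through the environment for a real host.
LAN_IF="${LAN_IF:-eth1}"              # assumed internal interface
WAN_IF="${WAN_IF:-eth0}"              # assumed internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal subnet

# Emit the ruleset in iptables-save format, which iptables-restore loads
# atomically (all-or-nothing), unlike a sequence of iptables -A calls.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
# Stateful filtering: replies to flows we started come back in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# New SSH connections are handed to a user-defined chain.
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN
-A SSH_IN -s $LAN_NET -j ACCEPT
-A SSH_IN -j LOG --log-prefix "ssh-drop: "
-A SSH_IN -j DROP
# FORWARD: only LAN-originated flows and their replies cross the box.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAPT for the LAN: rewrite the source address on the way out (POSTROUTING).
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Number of rules the generated set appends to a given chain.
rules_in_chain() { gen_ruleset | grep -c "^-A $1 "; }

# Load into the kernel; needs root and the iptables userland installed.
apply_ruleset() { gen_ruleset | iptables-restore; }

case "${1:-}" in show) gen_ruleset ;; apply) apply_ruleset ;; esac
```

Run `sh firewall.sh show` to inspect the generated rules and `sh firewall.sh apply` as root to load them; `iptables-save` afterwards prints the same table structure back, which is a quick way to confirm what the kernel actually holds.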
For more detailed information, refer to the man page or Wikipedia.