Skip to main content
Engineering LibreTexts

12-D.15: Netfilter / IP Forwarding

  • Page ID
  • \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)


    The netfilter project is a community-driven collaborative FOSS project that provides packet filtering software for the Linux 2.4.x and later kernel series. The netfilter project is commonly associated with iptables.

    The netfilter project enables packet filtering, network address [and port] translation (NA[P]T), packet logging, userspace packet queueing and other packet mangling.

    The netfilter hooks are a framework inside the Linux kernel that allows kernel modules to register callback functions at different locations of the Linux network stack. The registered callback function is then called back for every packet that traverses the respective hook within the Linux network stack.

    iptables is a generic firewalling software that allows you to define rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

    nftables is the successor of iptables; it allows for much more flexible, scalable and performance packet classification.

    IP Forwarding

    IP forwarding algorithms take into account the size of each packet and the type of service specified in the header, as well as characteristics of the available links to other routers in the network, such as link capacity, utilization rate, and maximum datagram size that is supported on the link. In general, most routing software determines a route through a shortest path algorithm. However, other routing protocols may use other metrics for determining the best path. Based on the metrics required and present for each link, each path has an associated cost. The routing algorithm attempts to minimize the cost when choosing the next hop.

    To determine the current state of IP forwarding:

    pbmac@pbmac-server $ sudo sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

    The number 1 indicates that IP forwarding is enabled. The above value is read from the Linux proc file system /proc/sys/net/ipv4/ip_forward file:

    pbmac@pbmac-server $ cat /proc/sys/net/ipv4/ip_forward

    If it is desired to disable IP forwarding use the command:

    pbmac@pbmac-server $ sysctl -w net.ipv4.ip_forward=0
    net.ipv4.ip_forward = 0

    The above command actually writes number 0 into the above mentioned file /proc/sys/net/ipv4/ip_forward.

    Be aware that the above method does not persist across reboots. To make permanent changes the /etc/sysctl.conf file needs to be changed. Uncomment the line:

    pbmac@pbmac-server $ net.ipv4.ip_forward=1

    Make sure it is set to 1, and then save the file. IP forwarding will continue even after a reboot.

    IP Set

    IP set is used to set up, maintain and inspect so called IP sets in the Linux kernel. Depending on the type of the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address and port number pairs, etc. See the set type definitions below.

    Iptables matches and targets referring to sets create references, which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it.

    Blocking a List of Network Addresses

    Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset."

    pbmac@pbmac-server $ ipset create myset hash:net

    Add any IP address that you'd like to block to the set.

    pbmac@pbmac-server $ ipset add myset
    pbmac@pbmac-server $ ipset add myset
    pbmac@pbmac-server $ ipset add myset
    pbmac@pbmac-server $ ipset add myset

    Finally, configure iptables to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it's a "src" packet and "DROP", or block, it.

    pbmac@pbmac-server $ iptables -I INPUT -m set --match-set myset src -j DROP

    Blocking a list of IP addresses

    Start by creating a new "set" of IP addresses. This creates a new "hash" set of "ip" addresses named "myset-ip."

    pbmac@pbmac-server $ ipset create myset-ip hash:ip

    Add any IP address that you'd like to block to the set.

    pbmac@pbmac-server $ ipset add myset-ip
    pbmac@pbmac-server $ ipset add myset-ip

    Finally, configure iptables to block any address in that set.

    pbmac@pbmac-server $ iptables -I INPUT -m set --match-set myset-ip src -j DROP

    Trusted (or Privileged) Ports

    On transport protocols such as TCP, UDP, and SCTP, ports 1-1023 are by default privileged ports. To bind to a privileged port, a process must be running with root permissions. Ports that are greater than 1023 are by default non-privileged. You can use the ipadm command to extend the range of privileged ports, or you can mark specific ports in the non-privileged range as privileged ports.

    Intrusion Detection System (IDS)

    An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

    IDS types range in scope from single computers to large networks. The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of an HIDS, while a system that analyzes incoming network traffic is an example of an NIDS. It is also possible to classify IDS by detection approach. The most well-known variants are signature-based detection (recognizing bad patterns, such as malware) and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine learning). Another common variant is reputation-based detection (recognizing the potential threat according to the reputation scores). Some IDS products have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as an intrusion prevention system. Intrusion detection systems can also serve specific purposes by augmenting them with custom tools, such as using a honeypot to attract and characterize malicious traffic.


    DenyHosts is a log-based intrusion-prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.

    DenyHosts checks the end of the authentication log for recent failed login attempts. It records information about their originating IP addresses and compares the number of invalid attempts to a user-specified threshold. If there have been too many invalid attempts it assumes a dictionary attack is occurring and prevents the IP address from making any further attempts by adding it to /etc/hosts.deny on the server. DenyHosts 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site gathers statistics from computers running the software.

    DenyHosts is restricted to connections using IPv4. It does not work with IPv6.

    DenyHosts may be run manually, as a daemon, or as a cron job.


    In a Debian or Ubuntu Linux based system, the default running mode is daemon mode and the configuration file is /etc/denyhosts.conf:

    pbmac@pbmac-server $ sudo vi /etc/denyhosts.conf

    Make sure SECURE_LOG set as follows:

    SECURE_LOG = /var/log/auth.log

    HOSTS_DENY set as follows:

    HOSTS_DENY = /etc/hosts.deny

    To block only sshd:

    BLOCK_SERVICE  = sshd

    Set deny threshold limit for login attempts:


    To block incoming connections using the Linux firewall IPTABLES:

    IPTABLES = /sbin/iptables

    Save and close the file.


    Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper.

    Fail2Ban operates by monitoring log files (e.g., /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. Includes support for both IPv4 and IPv6

    Adapted from:
    "The project" by About the netfilter/iptables project, The project is in the Public Domain, CC0
    "ipset" by Multiple Contributors, Arch Linux Wiki is licensed under CC BY-SA 3.0
    "Intrusion detection system" by Multiple Contributors, Wikipedia is licensed under CC BY-SA 4.0
    "DenyHosts" by Multiuple ContributorsWikipedia is licensed under CC BY-SA 3.0
    "Fail2ban" by Multiuple ContributorsWikipedia is licensed under CC BY-SA 3.0

    12-D.15: Netfilter / IP Forwarding is shared under a CC BY-SA 4.0 license and was authored, remixed, and/or curated by LibreTexts.

    • Was this article helpful?