Introduction

As you probably know, Linux* has a reputation as one of
the top operating systems for network-related tasks. One of the
things that makes Linux such a versatile networking solution is
its new netfilter API, which has replaced the venerable
ipchains system found in 2.2-era Linux kernels. Using
netfilter, it's possible to create stateful firewalls, set up
NAT (network address translation), mark packets for later QoS
(quality of service) processing and yes, even more -- all under
Linux.
One key new capability that netfilter offers is the ability to
design stateful firewalls. Unlike stateless firewalls, which judge
each packet on its own, stateful firewalls can make sense of the
thousands of network packets sent their way, identifying individual
connections as well as the state that each connection is in (for
example, newly opened, established, or related to an existing
connection). As we'll see in a bit, stateful firewalls are
incredible tools for designing firewalls that are both flexible and
secure.
But before we take a look at how to design a stateful
firewall, let me point you towards the tools you'll need.
First, you'll need a recent 2.4 kernel, like kernel version
2.4.18. If you're compiling your own kernel (recommended) then
be sure to head over to the "Networking options" kernel
configuration section and enable the "Network packet filtering
(replaces ipchains)" option. Then, enter the "IP: Netfilter
Configuration" sub-menu and enable every available netfilter
option so that it is compiled directly into your kernel rather
than as a module. This will ensure that netfilter's full
capabilities are always available to you.
Next, you'll need to make sure that you have the "iptables"
command installed. The "iptables" command is used to interact
with the kernel network packet filtering rules. As root, type
"iptables" and see if it's available; it probably will be. If
not, your Linux distribution should have an iptables package
available to install. Once iptables is up and running, make
sure that you've rebooted with your netfilter-enabled kernel.
Now we're ready to start learning about stateful
firewalls.
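The preparation steps above (enable the netfilter options so they are compiled directly into the kernel, confirm iptables is present, and confirm you have rebooted into the netfilter-enabled kernel) can be checked with a small script. The following is an added example, not code from the original article; it assumes the 2.4-series kernel configuration symbol names CONFIG_NETFILTER, CONFIG_IP_NF_CONNTRACK, CONFIG_IP_NF_IPTABLES, CONFIG_IP_NF_MATCH_STATE and CONFIG_IP_NF_FILTER, and that a running 2.4 kernel with connection tracking active exposes /proc/net/ip_conntrack; verify both against your own kernel's "IP: Netfilter Configuration" menu. The two sample .config files it inspects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original article): verify that a kernel
# .config has the netfilter options needed for a stateful firewall built
# in (=y) rather than as modules (=m), and that the running kernel has
# connection tracking active. Symbol names are an assumption based on the
# 2.4-series kernel; check them against your own configuration menu.

# The options a stateful firewall depends on. CONFIG_IP_NF_MATCH_STATE is
# the "state" match that lets rules refer to NEW/ESTABLISHED/RELATED.
NF_REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER"

# check_netfilter_config <path-to-.config>
# Prints one line per problem. Returns 0 when every required option is
# compiled in, 1 if any option is missing or built as a module.
check_netfilter_config() {
    cfg="$1"
    rc=0
    for sym in $NF_REQUIRED; do
        # Lines look like CONFIG_FOO=y, CONFIG_FOO=m or "# CONFIG_FOO is not set".
        val=$(sed -n "s/^${sym}=//p" "$cfg" | head -n 1)
        case "$val" in
            y) ;;
            m) echo "$sym is built as a module; build it in (=y) instead"; rc=1 ;;
            *) echo "$sym is not set; enable it under \"IP: Netfilter Configuration\""; rc=1 ;;
        esac
    done
    return $rc
}

# iptables_installed: the "iptables" command must be on the PATH.
iptables_installed() {
    command -v iptables >/dev/null 2>&1
}

# conntrack_active: assumption - a 2.4 kernel with connection tracking
# running exposes /proc/net/ip_conntrack (later kernels use nf_conntrack).
# If neither exists, you are probably still running the old kernel.
conntrack_active() {
    [ -r /proc/net/ip_conntrack ] || [ -r /proc/net/nf_conntrack ]
}

# Constructed sample configs so the check can be exercised without a
# kernel source tree: one correct, one with a module and a missing option.
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
EOF
cat > "$BAD_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=y
EOF

# Stand-alone run: check the samples, then (optionally) a real .config
# passed as the first argument, e.g. /usr/src/linux/.config.
for f in "$GOOD_CFG" "$BAD_CFG" ${1:+"$1"}; do
    if check_netfilter_config "$f"; then
        echo "$f: all required netfilter options are built in"
    else
        echo "$f: fix the problems above and rebuild the kernel"
    fi
done
iptables_installed && echo "iptables command found" || echo "iptables command not found; install your distribution's iptables package"
conntrack_active && echo "connection tracking is active in the running kernel" || echo "no conntrack table in /proc; reboot into the netfilter-enabled kernel"
rm -f "$GOOD_CFG" "$BAD_CFG"
```

Run it as root with the path to your kernel's .config to check both the build configuration and the running system; the two constructed samples show what a passing and a failing configuration look like.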