The Linux kernel has the built-in ability to filter packets, allowing some of them to be received by or pass through the system while stopping others. The kernel's netfilter has three built-in tables or rules lists. They are as follows:
filter — The default table for handling network packets.
nat — Used to alter packets that create a new connection and used for Network Address Translation (NAT).
mangle — Used for specific types of packet alteration.
In addition to these built in tables, specialized tables can be created and stored in the /lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/ directory (where <kernel-version> corresponds to the version kernel number).
Each table has a group of built-in chains which correspond to the actions performed on the packet by the netfilter.
The built-in chains for the filter table are as follows:
INPUT — Applies to network packets that are targeted for the host.
OUTPUT — Applies to locally-generated network packets.
FORWARD — Applies to network packets routed through the host.
The built-in chains for the nat table are as follows:
PREROUTING — Alters network packets when they arrive.
OUTPUT — Alters locally-generated network packets before they are sent out.
POSTROUTING — Alters network packets before they are sent out.
The built-in chains for the mangle table are as follows:
INPUT — Alters network packets targeted for the host.
OUTPUT — Alters locally-generated network packets before they are sent out.
FORWARD — Alters network packets routed through the host.
PREROUTING — Alters incoming network packets before they are routed.
POSTROUTING — Alters network packets before they are sent out.
Every network packet received by or sent from a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address, or set of addresses, when using a particular protocol and network service.
Do not use fully qualified domain names in firewall rules that are saved in the /etc/sysconfig/iptables or /etc/sysconfig/ip6tables files. In the following example: iptables -A FORWARD -s example.com -i eth0 -j DROP example.com is invalid because the iptables service starts before any DNS related services at boot time, which results in an error. Only IP addresses are valid in creating firewall rules.
Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user-space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.
Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy.
The iptables command configures these tables, as well as sets up new tables if necessary.