Linux IPTables

Name of the user space tool by which administrators create rules for the packet filtering and NAT modules.

Used to set up, maintain, and inspect the tables of IP packet filtering rules within the Linux kernel.

Has 5 default chains:

  • INPUT, OUTPUT, FORWARD

  • PREROUTING

  • POSTROUTING

Has 3 default tables:

  • filter, nat, and mangle.

Basic targets (decisions):

  • ACCEPT, DROP, QUEUE, and RETURN.

Extended targets:

  • LOG, MARK, REJECT, TOS, SNAT, DNAT, MASQUERADE, REDIRECT, etc.

Stateful filtering via connection tracking:

  • Conntrack (the connection tracker).

In addition to the built-in chains, the user can create any number of user-defined chains within each table, which allows them to group rules logically.

Each chain contains a list of rules:

  • When a packet is sent to a chain, it is compared against each rule in the chain in order.

The rule specifies what properties the packet must have for the rule to match (such as the port number or IP address).

If the rule does not match, then processing continues with the next rule.

If, however, the rule does match the packet, then the rule’s target instructions are followed (and further processing of the chain is usually aborted).

Some packet properties can only be examined in certain chains:

  • For example, the outgoing network interface is not valid in the INPUT chain.

Some targets can only be used in certain chains, and/or certain tables:

  • For example, the SNAT target can only be used in the POSTROUTING chain of the NAT table.

The target of a rule can be the name of a user-defined chain or one of the built-in targets (ACCEPT, DROP, RETURN, DNAT, SNAT, and MASQUERADE).

You can think of a jump to a user-defined chain in the same way as a subroutine call.
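The pieces above combined, as an added example that is not part of the original page: a shell function that prints an iptables-restore ruleset for a small stateful gateway, using a chain policy, a user-defined LOG_DROP chain as a subroutine, conntrack states in the filter table, and MASQUERADE in the POSTROUTING chain of the nat table. The interface name, LAN subnet and SSH port are constructed arguments; the function only emits text and never touches the kernel.

```shell
#!/bin/sh
# gen_ruleset WAN_IF LAN_SUBNET [SSH_PORT]
# Emits an iptables-restore ruleset on stdout (nothing is applied).
# Lines starting with '#' are comments to iptables-restore.
gen_ruleset() {
  wan="$1"; lan="$2"; ssh_port="${3:-22}"
  cat <<EOF
*filter
# Chain policies: what happens when no rule in the chain matches.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain (policy '-'), used as a subroutine: log, then drop.
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A LOG_DROP -j DROP
# conntrack state machine: replies to known flows are accepted first.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# Last rule: jump into the user-defined chain (DROP there terminates).
-A INPUT -j LOG_DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${lan} -o ${wan} -j ACCEPT
-A FORWARD -j LOG_DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT for the LAN is only valid in the nat table's POSTROUTING chain.
-A POSTROUTING -s ${lan} -o ${wan} -j MASQUERADE
COMMIT
EOF
}

# Example invocation (constructed values):
gen_ruleset eth0 192.168.1.0/24 2222
```

Pipe the output into `iptables-restore --test` to have iptables parse the ruleset without committing it.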
