26.3.2.1 About netfilter Tables Used by iptables and ip6tables

The netfilter tables used by iptables and ip6tables include:

Filter

The default table, which is mainly used to drop or accept packets based on their content.

Mangle

This table is used to alter certain fields in a packet.

NAT

The Network Address Translation table is used to route packets that create new connections.

The kernel uses the rules stored in these tables to make decisions about network packet filtering. Each rule consists of one or more criteria and a single action. If a criterion in a rule matches the information in a network packet header, the kernel applies the action to the packet. Examples of actions include:

ACCEPT

Continue processing the packet.

DROP

End the packet’s life without notice.

REJECT

As DROP, and additionally notify the sending system that the packet was blocked.

Rules are stored in chains, where each chain is composed of a default policy plus zero or more rules. The kernel applies each rule in a chain to a packet until a match is found. If there is no matching rule, the kernel applies the chain’s default action (policy) to the packet.

Each netfilter table has several predefined chains. The filter table contains the following chains:

FORWARD

Packets that are not addressed to the local system pass through this chain.

INPUT

Inbound packets to the local system pass through this chain.

OUTPUT

Locally created packets pass through this chain.

The chains are permanent and you cannot delete them. However, you can create additional chains in the filter table.