About netfilter Tables Used by iptables and ip6tables

The netfilter tables used by iptables and ip6tables include:

filter
The default table, which is mainly used to drop or accept packets based on their content.

mangle
This table is used to alter certain fields in a packet.

nat
The Network Address Translation table is used to route packets that create new connections.

The kernel uses the rules stored in these tables to make decisions about network packet filtering. Each rule consists of one or more criteria and a single action. If a criterion in a rule matches the information in a network packet header, the kernel applies the action to the packet. Examples of actions include:

ACCEPT
Continue processing the packet.

DROP
End the packet's life without notice.

REJECT
As DROP, and additionally notify the sending system that the packet was blocked.

Rules are stored in chains, where each chain is composed of a default policy plus zero or more rules. The kernel applies each rule in a chain to a packet until a match is found. If there is no matching rule, the kernel applies the chain’s default action (policy) to the packet.

Each netfilter table has several predefined chains. The filter table contains the following chains:

FORWARD
Packets that are not addressed to the local system pass through this chain.

INPUT
Inbound packets to the local system pass through this chain.

OUTPUT
Locally created packets pass through this chain.

The chains are permanent and you cannot delete them. However, you can create additional chains in the filter table.
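The following is an added example, not part of this documentation, that models the rule-walking behaviour described above for the INPUT chain of the filter table: rules are checked in order, the first rule whose criteria all match supplies the verdict, and the chain's policy applies when nothing matches. The Rule and Chain classes, the packet dictionary keys and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical model of how the kernel walks an iptables chain: rules are
# checked in order, the first rule whose criteria all match decides the
# packet, and the chain's default policy applies when no rule matched.
ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


@dataclass
class Rule:
    target: str
    criteria: dict = field(default_factory=dict)  # e.g. {"proto": "tcp", "dport": 22}

    def matches(self, pkt: dict) -> bool:
        # Every criterion must match the packet header for the rule to fire.
        for key, want in self.criteria.items():
            have = pkt.get(key)
            if key == "src":  # CIDR match, like "-s 10.0.0.0/8"
                if have is None or ip_address(have) not in ip_network(want):
                    return False
            elif have != want:
                return False
        return True


@dataclass
class Chain:
    name: str
    policy: str  # default action when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target  # first match wins; later rules are not consulted
        return self.policy


# Constructed INPUT chain, equivalent to:
#   iptables -P INPUT DROP
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 23 -j REJECT
INPUT = Chain("INPUT", DROP, [
    Rule(ACCEPT, {"in_iface": "lo"}),
    Rule(ACCEPT, {"proto": "tcp", "dport": 22, "src": "10.0.0.0/8"}),
    Rule(REJECT, {"proto": "tcp", "dport": 23}),
])

if __name__ == "__main__":
    pkt = {"in_iface": "eth0", "proto": "tcp", "dport": 22, "src": "10.1.2.3"}
    print(INPUT.name, "->", INPUT.verdict(pkt))  # prints "INPUT -> ACCEPT"
```

An SSH packet from outside 10.0.0.0/8 matches no rule and so receives the chain policy (DROP), which is why a restrictive default policy is the usual starting point for the filter table.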