iptables (mind map)

1. filter table

1.1. packet filtering

1.2. 3 built-in chains

1.2.1. forward chain

1.2.1.1. packets routed through the firewall between the networks it protects

1.2.2. input chain

1.2.2.1. packets destined for firewall

1.2.3. output chain

1.2.3.1. packets originating from firewall

2. Network Address Translation (NAT) table

2.1. pre-routing chain

2.1.1. destination address needs to be changed

2.1.2. DNAT

2.2. post-routing chain

2.2.1. source address needs to be changed

2.2.2. SNAT

2.3. output chain

2.3.1. packets originating from firewall

2.4. translates addresses of network packets

3. nf_conntrack

3.1. caches connection state and related info

3.2. /proc/net/nf_conntrack

3.3. ipv4 2 tcp 6 431581 ESTABLISHED src=7.8.9.20 dst=7.8.9.10 sport=53867 dport=80 packets=22 bytes=13861 src=192.168.1.2 dst=7.8.9.20 sport=8080 dport=53867 packets=14 bytes=3535 [ASSURED] mark=0 secmark=0 use=2

4. Queue

4.1. ip_queue

4.2. nfnetlink_queue

4.3. nfqueue

5. translates packet addresses (NAT)

6. kernel module

7. mangle table

7.1. alteration of service bits in TCP header

7.2. kernel 2.4.17 (original mangle chains)

7.2.1. prerouting

7.2.1.1. alter packets when they come

7.2.2. output

7.2.2.1. alter locally generated packets

7.3. kernel 2.4.18 (chains added)

7.3.1. postrouting

7.3.1.1. alter packets before they go out

7.3.2. input

7.3.2.1. alter packets coming in

7.3.3. forward

7.3.3.1. alter packets being routed

8. rules

8.1. iptables matches

8.2. one action per rule

8.2.1. target

9. raw table

9.1. configures exemptions from connection tracking, in combination with the NOTRACK target

9.2. prerouting

9.2.1. packets arriving via any network interface

9.3. output

9.3.1. packets generated by local processes

10. ACCEPT

11. DROP

12. RETURN