The Linux kernel's network packet processing subsystem is called Netfilter, and iptables is the command used to cnfigure it. Another word, iptables is a user space utilities which uses Netfilter framework in the Linux kernel.

Because Netfilter and iptables are tightly coupled, most of cases, pepole either use iptables to refer Netfilter in the Linux, or use Netfilter refers iptables in the Linux.

The iptables architecture groups network packet processing rules into tables by funtion(packet filtering, network address translation, and other packet mangling), each of which have chains of processing rules. Rules consist of matches(used to determine which packages the rule will apply to) and targets(that determine what will be done with the matching packets).


Hook points

Iptables defines five "hook points" in the kernel's packet processing pathways:






Build in chains are attached to these hook points. You can add a sequence of rules for each hook point. Each rule represents an opportunity to affet or monitor packet flow.


Iptables comes with three built-in tables:


        Used to set policies for the type of traffic allowed into, through, 
and out of the computer. Unless you refer to a different table explicity,
iptables operate on chains within this table by default.
Its built in chains are: FORWARD, INPUT AND OUTPUT.


        Used for specialized packet alteration, such as stripping off ip options.
        it's built-in chains are: FORWARD, INPUT, OUTPUT, OSTROUTING, AND PREROUTING.


        Used with connection tracking to redirect connections for network address translation;
typically based on source or destination addresses.
Its build-in chains are: OUTPUT, POSTROUTING and PREROUTING.

Each of them is preconfigured with chains correponding to one or more of the hook points.


By default, each table has chains, which are initially empty, you can create your own custom chains to organize your rules.

A chain's policy determines the fate of packets that reach the end of the chain without otherwise being sent to a specific target. Only the built-in targets ACCEPT and DROP can be used as the policy for a built-in chain, and the default is ACCEPT.

All user-defined chains have an implicit policy of RETURN that cannot be changed.


An iptables rule consists of one or more match criteria that determine which network packets it affects(all match options must be satisfied for the rule to match a packet) and a target specification that determines how the network packets will be affected.

The system maintains packet and byte counters for every rule. Every time a packet reaches a rule and matches the rule's criteria, the packet counter is incremented and the byte counter is increased by the size of the matching packet.

Both the match and the target portion of the rule are optional. If there are no match criteria, all packets are considered to match. If there is no target specification, nothing is done to the packets,, processing proceeds as if the rule did not exist, except that the packet and byte counters are updated.

For example, you can add such a null rule to the FORWARD chain of the filter table with the command:

iptables -t filter -A FORWARD


There are a variety of matches available for user with iptables, although some are available only for kernels with certain features enabled. Generic Internet Protocol matches are applicable to any IP packet.

In addition to the generic matches, iptables includes many specialized matches available through dynamically loaded extensions.


Targets ar used to specify the action to take when a rule matches a packet and also to specify chain polices. For targets are built into iptables, and extension modules provide others.





Configuring iptables

The procedures for configuring iptables vary by Linux distribution, I'll try to provide generic configuration, but for my testbed is Scientific Linux which is Red Hat, so it will look mor like Red Hat specific.

Iptables rules configuration file

Iptables rules are stored in /et/sysconfig/iptables

Checkconfig running level

You can determine which run levels have iptables enabled by running the command:

chkconfig --list iptables

For examples, mostly you want enable iptables for runlevels 3,4, and 5

chkconfig --levels 345 iptables on

Start iptables manually

service iptables start

Stop iptables manually

service iptables stop

Other configuration files


Contains settings for configurations in the /proc/sys directory that are applied at boot time, for example /proc/sys/net/ipv4/ip_forward can be set to 1 at boot time by adding an entry net.ipv4.ip_forward=1 to this file


Dumps the contents of the connection tracking structures if you read it.


Controls the size of the connetion tracking table in the kernel.


You need to set this to 1 for the host to act as a gateway

Command example:

Here is a simple iptables command:

iptables -t nat -A PRROUTING -i eth1 -p tcp -dport 80 -j DNAT --to-destiation

In the example above:


-t nat  Operate on the nat table


-A PREROUTING  --> by apending the following rule to its PREROUTING chain


 -i eth1 Match packets coming in on eth1 NIC
-p tcp  Match that use the tcp protocol
--dport 80 Match the packets for port 80


-j DNAT Jump to the DNAT target
--to-destination change the destination address to <> and port 8080