Service manual

Chapter 2: Network Configuration 21
Structure of the iptables
iptables is structured in three levels: table, chain and rule. A table contains one or more chains,
and each chain contains an ordered list of rules.
Table
The table determines what kind of processing a packet receives. iptables supports several
independent tables, but only two of them are used here:
filter: The default table, used to accept or drop packets.
nat: Consulted only for the packet that creates a new connection. The translation decided for
that first packet is recorded by connection tracking and applied automatically to every later
packet of the same connection, so nat rules never see those packets again.
Chain
Each table contains a number of built-in chains and may also contain user-defined chains. The
built-in chains are traversed according to the packet's path through the box (incoming, forwarded
or locally generated). A user-defined chain is traversed only when a rule that the packet matches
jumps to it. Each table has its own set of built-in chains.
For the filter table:
INPUT - For packets coming into the box itself.
FORWARD - For packets being routed through the box.
OUTPUT - For locally-generated packets.
For the nat table (IPv4 only):
PREROUTING - For altering packets as soon as they come in, before the routing decision.
OUTPUT - For altering locally-generated packets before they are routed.
POSTROUTING - For altering packets as they are about to go out, after the routing decision.
Rule
Each chain has a sequence of rules. A rule consists of two parts:
What the packet must look like to match the rule: one or more properties of the packet are
compared with the rule, such as fields of the IP header, the input and output interfaces, the
protocol, the TCP flags and the connection-tracking state.
What to do when the packet matches the rule (the target): the packet may be accepted, dropped,
logged, or handed to a user-defined chain by a jump. In the nat table the target may also rewrite
the source IP address and source port (SNAT or MASQUERADE, in the POSTROUTING chain) or the
destination IP address and destination port (DNAT or REDIRECT, in the PREROUTING and OUTPUT
chains).
When a chain is traversed, its rules are checked one by one in order. The first matching rule
whose target decides the packet's fate (ACCEPT, DROP, or a nat target) ends the traversal. LOG
does not: the packet is logged and checking continues with the next rule, so a LOG rule must be
followed by the rule that actually accepts or drops. If no rule decides, a built-in chain applies
its default policy (ACCEPT or DROP); a user-defined chain has no policy, and control returns to the
rule after the jump in the calling chain.
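The three levels described above, as an added example that is not taken from the product's own configuration: a complete ruleset in iptables-restore(8) format with both tables, the built-in chains and their default policies, one user-defined chain, and rules in each chain, plus small helpers that read the ruleset back. The interface names (eth0 as the outside interface, eth1 as the inside interface), the addresses, ports and the helper function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the product's own configuration. Interface names
# (eth0 = outside, eth1 = inside), addresses and ports are assumptions.

# Print a complete ruleset in iptables-restore(8) format. Each table starts
# with "*name" and ends with COMMIT; ":CHAIN POLICY" lines declare chains
# (a "-" policy marks a user-defined chain); "-A" lines append rules.
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New TCP connections must begin with a SYN-only segment.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Management ports are decided in the user-defined chain MGMT.
-A INPUT -i eth1 -p tcp --dport 22 -j MGMT
-A INPUT -i eth1 -p tcp --dport 443 -j MGMT
# LOG does not terminate: the packet is logged and then falls to the DROP policy.
-A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "INPUT-DROP: " --log-level 4
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# Traffic already rewritten by the DNAT rule below arrives here with the new destination.
-A FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 8080 -m conntrack --ctstate DNAT -j ACCEPT
# MGMT has no policy: anything not accepted here returns to INPUT after the jump.
-A MGMT -s 192.168.1.0/24 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Load the whole ruleset atomically (needs root and iptables-restore on the box).
apply_ruleset() {
    ruleset | iptables-restore
}

# Number of tables in the ruleset (lines beginning with "*").
table_count() {
    ruleset | grep -c '^\*'
}

# Chains declared in table $1, in declaration order, one per line.
chains_in() {
    ruleset | awk -v t="*$1" '
        $0 == t   { f = 1; next }
        /^COMMIT/ { f = 0 }
        f && /^:/ { sub(/^:/, ""); print $1 }'
}

# Rules appended to chain $2 of table $1, in order.
rules_in() {
    ruleset | awk -v t="*$1" -v c="$2" '
        $0 == t   { f = 1; next }
        /^COMMIT/ { f = 0 }
        f && $1 == "-A" && $2 == c { print }'
}

case "${1:-show}" in
    apply) apply_ruleset ;;
    *)     ruleset ;;
esac
```

Run the script without arguments to print the ruleset, or with `apply` to load it. Two points the ruleset makes concrete: a packet from outside 192.168.1.0/24 that matches the jump to MGMT falls off the end of that chain, returns to INPUT, is logged by the LOG rule and is then dropped by the INPUT policy; and the DNAT decision is taken once in nat PREROUTING for the first packet, so the FORWARD rule must match the rewritten destination and port.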