User guide
Chapter 2. Securing Your Network
The built-in chains for the nat table are as follows:
• PREROUTING — Alters network packets when they arrive, before the routing decision is made (this is where destination NAT belongs).
• OUTPUT — Alters locally-generated network packets before they are sent out.
• POSTROUTING — Alters network packets after routing, just before they are sent out (this is where source NAT belongs).
The built-in chains for the mangle table are as follows:
• INPUT — Alters network packets targeted for the host.
• OUTPUT — Alters locally-generated network packets before they are sent out.
• FORWARD — Alters network packets routed through the host.
• PREROUTING — Alters incoming network packets before they are routed.
• POSTROUTING — Alters network packets before they are sent out.
Every network packet received by or sent from a Linux system passes through at least one table, and it may be checked against many rules in each chain before it reaches the end of that chain. The form and purpose of these rules vary, but they usually identify a packet by its source or destination IP address (or range of addresses), by protocol, and by network service (port). The following image outlines how the flow of packets is examined by the
iptables subsystem:
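As an added example (not from the guide, and not Red Hat's code), the following Python model walks a packet through the mangle, nat and filter chains in the order the kernel consults them. The raw table is left out, the addresses, rule set and chain policies are constructed for the example, and connection tracking is not modelled (a real nat chain is consulted only for the first packet of a connection). The point it shows is that the routing decision is taken after nat PREROUTING, so a DNAT rule there determines whether the packet is then judged by the INPUT or the FORWARD chain of the filter table:

```python
"""Model of packet traversal through the iptables mangle, nat and filter tables."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: addresses owned by the firewall host. After PREROUTING the kernel
# decides whether a packet is for the host itself (INPUT) or for another host (FORWARD).
LOCAL_ADDRS = {"192.168.0.1", "203.0.113.10"}

# Chains consulted at each stage, in kernel order (raw table omitted).
PREROUTING = [("mangle", "PREROUTING"), ("nat", "PREROUTING")]
INPUT = [("mangle", "INPUT"), ("filter", "INPUT")]
FORWARD = [("mangle", "FORWARD"), ("filter", "FORWARD")]
OUTPUT = [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT")]
POSTROUTING = [("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    mark: int = 0

@dataclass
class Rule:
    target: str                      # ACCEPT, DROP, DNAT, SNAT or MARK
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None         # new address for DNAT/SNAT, value for MARK

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

Ruleset = Dict[Tuple[str, str], List[Rule]]

def run_chain(rules: Ruleset, table: str, chain: str, pkt: Packet, policy: str) -> str:
    """Walk one chain: the first matching terminating rule decides; NAT rewrites the packet."""
    for rule in rules.get((table, chain), []):
        if not rule.matches(pkt):
            continue
        if rule.target == "DNAT":
            pkt.dst = rule.to
            return "ACCEPT"
        if rule.target == "SNAT":
            pkt.src = rule.to
            return "ACCEPT"
        if rule.target == "MARK":    # non-terminating: set the mark and keep going
            pkt.mark = int(rule.to)
            continue
        return rule.target           # ACCEPT or DROP
    return policy                    # chain policy applies when nothing matched

def traverse(rules: Ruleset, pkt: Packet, policies: Optional[Dict[Tuple[str, str], str]] = None,
             local_origin: bool = False) -> Tuple[str, List[Tuple[str, str]], Packet]:
    """Return (verdict, chains visited in order, packet as it leaves the last chain)."""
    policies = policies or {}
    visited: List[Tuple[str, str]] = []

    def stage(chains: List[Tuple[str, str]]) -> str:
        for table, chain in chains:
            visited.append((table, chain))
            verdict = run_chain(rules, table, chain, pkt, policies.get((table, chain), "ACCEPT"))
            if verdict != "ACCEPT":
                return verdict
        return "ACCEPT"

    if local_origin:
        stages = [OUTPUT, POSTROUTING]          # locally generated: OUTPUT, route, POSTROUTING
    else:
        verdict = stage(PREROUTING)
        if verdict != "ACCEPT":
            return verdict, visited, pkt
        # Routing decision: taken after nat PREROUTING, so a DNAT above changes
        # whether the filter rules that apply are those of INPUT or of FORWARD.
        stages = [INPUT] if pkt.dst in LOCAL_ADDRS else [FORWARD, POSTROUTING]
    for chains in stages:
        verdict = stage(chains)
        if verdict != "ACCEPT":
            return verdict, visited, pkt
    return "ACCEPT", visited, pkt

# Constructed ruleset: the firewall (203.0.113.10) publishes a web server that sits
# behind it at 10.0.0.5, lets LAN hosts SSH to the firewall, and SNATs outbound LAN traffic.
RULES: Ruleset = {
    ("mangle", "PREROUTING"): [Rule("MARK", proto="tcp", dport=80, to="1")],
    ("nat", "PREROUTING"): [Rule("DNAT", dst="203.0.113.10", proto="tcp", dport=80, to="10.0.0.5")],
    ("filter", "INPUT"): [Rule("ACCEPT", src="192.168.0.0/24", proto="tcp", dport=22)],
    ("filter", "FORWARD"): [Rule("ACCEPT", dst="10.0.0.5", proto="tcp", dport=80),
                            Rule("ACCEPT", src="10.0.0.0/8")],
    ("nat", "POSTROUTING"): [Rule("SNAT", src="10.0.0.0/8", to="203.0.113.10")],
}
POLICIES = {("filter", "INPUT"): "DROP", ("filter", "FORWARD"): "DROP"}

def demo() -> Dict[str, tuple]:
    """Run three representative packets and summarise where each went."""
    out = {}
    v, path, p = traverse(RULES, Packet("198.51.100.7", "203.0.113.10", "tcp", 80), POLICIES)
    out["web"] = (v, p.dst, p.mark, ("filter", "INPUT") in path, ("filter", "FORWARD") in path)
    v, path, p = traverse(RULES, Packet("198.51.100.7", "203.0.113.10", "tcp", 22), POLICIES)
    out["ssh_from_internet"] = (v, ("filter", "INPUT") in path)
    v, path, p = traverse(RULES, Packet("10.0.0.5", "198.51.100.7", "tcp", 443), POLICIES)
    out["egress"] = (v, p.src)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The web packet arrives addressed to the firewall itself, is marked in mangle PREROUTING, is rewritten to 10.0.0.5 in nat PREROUTING, and only then is routed: it never reaches the filter INPUT chain, so an INPUT rule "allowing port 80" would not have been consulted at all. The SSH packet from the Internet is not rewritten, is routed to the host, and is dropped by the INPUT policy; the outbound LAN packet is accepted in FORWARD and has its source rewritten in nat POSTROUTING, the last chain it sees.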
Note
By default, firewall rules are saved in the /etc/sysconfig/iptables or /etc/sysconfig/ip6tables files.
The iptables service starts before any DNS-related services when a Linux system is booted, so the rules in these files can only reference numeric IP addresses (for example, 192.168.0.1). A domain name (for example, host.example.com) in such a rule cannot be resolved at that point and produces an error when the saved rules are loaded. Even when DNS is available, iptables resolves a host name only once, at the moment the rule is inserted, so numeric addresses are the only reliable form.
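Because iptables-save itself only ever writes numeric addresses, a host name gets into /etc/sysconfig/iptables by hand editing, and nothing reports it until the next boot. The following checker, an added example that is not part of the guide or of the iptables tools, reads a saved rule set and reports every -s, -d, --to-source or --to-destination argument that is not a numeric address, CIDR prefix, address list or address range. The rule set embedded below is constructed for the example and deliberately contains two host names:

```python
"""Lint a saved iptables rule set for address arguments that are not numeric."""
import ipaddress
import re
import shlex
from typing import List, Tuple

ADDR_OPTS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}
NAT_OPTS = {"--to-source", "--to-destination"}

def is_address(text: str) -> bool:
    """True for an IPv4/IPv6 address or CIDR prefix, False for a host name or junk."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False

def is_numeric_value(option: str, value: str) -> bool:
    """Accept the forms iptables takes: comma lists for -s/-d, and
    addr[-addr][:port[-port]] (IPv6 in square brackets) for --to-source/--to-destination."""
    if option in NAT_OPTS:
        m = (re.fullmatch(r"\[([^\]]+)\](?::\d+(?:-\d+)?)?", value)
             or re.fullmatch(r"([^:\[\]]+)(?::\d+(?:-\d+)?)?", value))
        if not m:
            return False
        return all(is_address(part) for part in m.group(1).split("-"))
    return all(is_address(part) for part in value.split(","))

def find_hostname_rules(saved: str) -> List[Tuple[int, str, str]]:
    """Return (line number, option, value) for every address argument that is not numeric."""
    findings = []
    for lineno, line in enumerate(saved.splitlines(), start=1):
        line = line.strip()
        if not line.startswith(("-A", "-I")):      # table, chain and COMMIT lines carry no addresses
            continue
        tokens = shlex.split(line)                  # honours quoting, e.g. -m comment --comment "..."
        for i, tok in enumerate(tokens):
            if tok not in ADDR_OPTS and tok not in NAT_OPTS:
                continue
            j = i + 1
            if j < len(tokens) and tokens[j] == "!":  # "-s ! addr" negation form
                j += 1
            if j >= len(tokens):
                continue
            if not is_numeric_value(tok, tokens[j]):
                findings.append((lineno, tok, tokens[j]))
    return findings

# Constructed sample of /etc/sysconfig/iptables content; lines 6 and 14 are the offenders.
SAVED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s host.example.com -p tcp --dport 443 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p udp --dport 514 -j DROP
-A OUTPUT -d 203.0.113.10,203.0.113.11 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination web.example.com:80
-A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 203.0.113.10
COMMIT
"""

if __name__ == "__main__":
    for lineno, option, value in find_hostname_rules(SAVED_RULESET):
        print(f"line {lineno}: {option} {value} is not a numeric address; it will fail at boot")
```

Run it against the real file with the contents of /etc/sysconfig/iptables passed to find_hostname_rules, for instance from a pre-commit hook or a configuration audit, and fix any finding by replacing the name with the address it is meant to resolve to.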