These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Introduction To IPTables


IP Tables is the third-generation firewall technology for Linux and the successor to IP Chains. Some Linux systems ship with functionality for both IP Chains and IP Tables; however, IP Chains is increasingly being phased out (the functionality is still there in the netfilter modules, but the userspace tools may or may not be included).

IP Tables has some innovative features not found in IP Chains or in the firewall implementations of other UNIXes. One of the most important is a general connection-tracking mechanism that follows regular TCP, UDP, and ICMP connections. This is what makes IP Tables stateful, and it gives the firewall the ability to track attacks as they occur and adapt its rules to combat them.

While IP Tables can be difficult to learn, the barrier largely stems from poorly chosen terminology. Once you get past the strange terms and usage, you will find that IP Tables provides a very simple and elegant way to set up packet filtering.

Luckily for us, IP Tables is superficially very similar to IP Chains: it shares much of the same syntax, it can be used as a drop-in replacement in existing IP Chains scripts, and it still deals with the same chains and basic rules. However, there is one significant and impressive improvement over IP Chains: tables.

Tables

A table in IP Tables is a loadable module that adds a very specific kind of packet handling to the kernel. There are presently three tables that can be enabled:
  • filter
This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
  • nat
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
  • mangle
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
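As an added example (not from the original notes), here is a small firewall script for a box that routes for an internal LAN; it exercises all three tables and uses connection tracking to make the filter rules stateful. The interface names and LAN prefix are assumed values, not anything from the page.

```shell
#!/bin/sh
# Added example (not from the original notes): a minimal stateful firewall
# for a Linux box that routes for an internal LAN, touching all three
# tables. WAN_IF, LAN_IF and LAN_NET are assumed values, not from the page.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# With DRY_RUN=1 the commands are printed instead of executed, so the
# rule set can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Flush every table so the script is repeatable; -t selects the table
    # (filter is the default when -t is omitted).
    for t in filter nat mangle; do
        ipt -t "$t" -F
    done

    # filter table: default-deny for the box itself and for routed traffic.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Connection tracking makes the ruleset stateful: replies to connections
    # we opened (and related packets such as ICMP errors) need no per-service rule.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # nat table: rewrite the source address of LAN traffic leaving on WAN_IF.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # mangle table: clamp the TCP MSS of routed SYNs to the path MTU
    # (uses mangle's FORWARD chain, present since kernel 2.4.18).
    ipt -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

case "${1:-}" in
    apply) build_rules ;;
    show)  DRY_RUN=1 build_rules ;;
esac
```

Run `sh firewall.sh show` to preview the rules, and `sh firewall.sh apply` as root to load them.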


Last edited June 21, 2003 6:03 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.