The Linux kernel uses the Netfilter facility to filter packets, allowing some of them to be received by or pass through the system while stopping others. This facility is built into the Linux kernel and has three built-in tables, or rule lists, as follows:
· filter — The default table for handling network packets.
· nat — Used to alter packets that create a new connection and used for Network Address Translation (NAT).
· mangle — Used for specific types of packet alteration.
Each table has a group of built-in chains, which correspond to the points at which Netfilter acts on the packet. The built-in chains for the filter table are as follows:
· INPUT — Applies to network packets that are targeted for the host.
· OUTPUT — Applies to locally-generated network packets.
· FORWARD — Applies to network packets routed through the host.
The built-in chains for the nat table are as follows:
· PREROUTING — Alters network packets when they arrive.
· OUTPUT — Alters locally-generated network packets before they are sent out.
· POSTROUTING — Alters network packets before they are sent out.
The built-in chains for the mangle table are as follows:
· INPUT — Alters network packets targeted for the host.
· OUTPUT — Alters locally-generated network packets before they are sent out.
· FORWARD — Alters network packets routed through the host.
· PREROUTING — Alters incoming network packets before they are routed.
· POSTROUTING — Alters network packets before they are sent out.
Every network packet received by or sent from a Linux system is subject to at least one table. Within a table, a packet may be matched against several rules in a chain before it reaches the end of that chain, at which point the chain's default policy applies. The structure and purpose of these rules vary, but they usually seek to identify a packet coming from or going to a particular IP address, or set of addresses, using a particular protocol and network service.
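The table-and-chain structure described above is exactly what `iptables-save` prints: a `*table` header, one `:CHAIN POLICY` line per chain, then `-A CHAIN ...` rules, then `COMMIT`. The following added example (not part of the original documentation) parses such a dump into tables, chains, policies and rules, and then audits it from a defender's viewpoint: a built-in filter chain whose default policy is ACCEPT means any packet that matches no rule is let through, and a rule that jumps to an undeclared chain indicates an incomplete rule set. The dump embedded in `SAMPLE_DUMP` is a constructed sample; the function names `parse_iptables_save` and `audit_filter_policies` are this example's own.

```python
"""Parse an iptables-save dump into tables/chains and audit default policies.

Added example, not part of the original documentation. The sample dump is
constructed by hand; parse_iptables_save() also accepts the real output of
`iptables-save` captured from a Linux host.
"""
from collections import defaultdict

# Built-in chains per table, as listed in the documentation above.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "OUTPUT", "FORWARD"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"},
}

# Constructed sample of what `iptables-save` might print on a small gateway.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j LAN_OUT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": {chain: [rule]}}}."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):                    # chain declaration + policy
            name, policy = line[1:].split()[:2]       # user chains show policy "-"
            tables[table]["policies"][name] = policy
        elif line.startswith("-A "):                  # append rule to a chain
            parts = line.split()
            tables[table]["rules"][parts[1]].append(" ".join(parts[2:]))
        elif line == "COMMIT":                        # end of the table
            table = None
    return tables


def audit_filter_policies(tables):
    """Return a sorted list of findings about the filter table.

    - INPUT/FORWARD with policy ACCEPT: unmatched packets are admitted.
    - A rule jumping (-j) to a chain that is not declared in the table.
    """
    findings = []
    for table, data in tables.items():
        declared = set(data["policies"])
        if table == "filter":
            for chain in ("INPUT", "FORWARD"):
                if data["policies"].get(chain) == "ACCEPT":
                    findings.append(f"filter/{chain}: default policy ACCEPT")
        for chain, rules in data["rules"].items():
            for rule in rules:
                parts = rule.split()
                if "-j" in parts:
                    target = parts[parts.index("-j") + 1]
                    # Terminal targets are not chains; anything else must be declared.
                    if target not in {"ACCEPT", "DROP", "REJECT", "RETURN",
                                      "LOG", "MASQUERADE", "SNAT", "DNAT"} \
                            and target not in declared:
                        findings.append(
                            f"{table}/{chain}: jump to undeclared chain {target}")
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    for table in parsed:
        print(f"*{table}: chains {sorted(parsed[table]['policies'])}")
    for finding in audit_filter_policies(parsed):
        print("FINDING:", finding)
```

On a real host, pipe `iptables-save` into a file and pass its contents to `parse_iptables_save`; the audit reports the two conditions above, and `BUILTIN_CHAINS` lets a caller check that every built-in chain the kernel provides is actually declared in the dump.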