Tables and Chains
An iptables firewall is implemented using several tables, each representing a different kind of processing a packet can receive as it passes through Netfilter. Within a table, a packet traverses one or more chains, ordered lists of rules that decide where the packet ends up and what changes are made to it along the way. By convention, table names are given in lowercase, while the built-in chain names are given in uppercase; custom chains may be named as the administrator likes, and lowercase names help tell them apart from the built-in ones.
Built-in Tables and Chains
Whenever Netfilter is configured using iptables or ip6tables, the following tables are available automatically: filter, nat, mangle, raw, and security. The built-in chains are PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING. Not every chain exists in every table; each table has only the chains that make sense for its job, as listed below.
Although the set of tables provided by ip(6)tables is fixed, it is possible, and quite common, for the system administrator to create custom chains in one or more tables. A custom chain groups related rules: a rule in a built-in chain jumps to it with the -j target, and if no rule in the custom chain decides the packet's fate, processing returns to the rule after the jump in the calling chain.
The filter Table
The filter table is where ordinary packet filtering happens: it holds the discretionary access control (DAC) rules set by the administrator that determine which packets are permitted through the firewall and which are dropped. The filter table has the following built-in chains:
- INPUT
- Handles packets destined for local sockets on the same machine that is running the firewall.
- FORWARD
- Handles packets routed through this host (the one running the firewall) to another destination.
- OUTPUT
- Handles locally generated packets (from the host running the firewall) that are to be sent to another system.
The nat Table
The nat table is consulted only for the packet that creates a new connection. The translation chosen for that first packet is recorded by connection tracking and applied automatically to every later packet of the connection (and to the replies), so later packets never traverse the nat chains again. It has the following built-in chains:
- PREROUTING
- Alters packets as they arrive from the network interface, before the routing decision (destination NAT, for example the DNAT target).
- INPUT
- Alters packets that are destined for the firewall host itself, after the routing decision (present in current kernels).
- OUTPUT
- Alters locally-generated packets before routing them.
- POSTROUTING
- Alters packets as they are about to be sent out from the host, after the routing decision (source NAT, for example the SNAT or MASQUERADE targets).
The mangle Table
The mangle table is used for specialized packet alteration, such as changing the TTL or TOS/DSCP fields or setting a firewall mark (the MARK target) that later rules or policy routing can match. In practice most administrators rarely need it. It has all five standard built-in chains:
- PREROUTING
- Allows packets to be mangled upon arrival.
- OUTPUT
- Allows packets originating on this host to be mangled before sending.
- INPUT
- Allows for mangling packets that are destined for this host.
- FORWARD
- Allows for mangling packets as they are routed through this host.
- POSTROUTING
- Allows for mangling packets as they are about to be sent.
The raw Table
The raw table is another table that is rarely used by system administrators. Its chains are traversed before connection tracking, and its main use is to mark selected packets with the CT --notrack target (or the older NOTRACK target) so that they bypass connection tracking. Such packets are still processed by the other tables, but stateful matches such as conntrack --ctstate will not see them. Only two chains are available:
- PREROUTING
- Processes all incoming packets.
- OUTPUT
- Processes outgoing packets generated by this host.
The security Table
Some Linux systems are configured with Mandatory Access Control (MAC) mechanisms, such as SELinux. These mechanisms are especially useful for high security environments in which sensitive or classified data may be handled. The security table carries the MAC networking rules, which the kernel enforces in addition to the discretionary rules set by the system administrator. It is consulted after the filter table, so a packet dropped by a filter rule never reaches it, and its rules can further restrict, but not re-admit, the traffic that the filter table allowed. It supports the three basic chains:
- INPUT
- Packets destined for this host.
- OUTPUT
- Packets originating from this host.
- FORWARD
- Packets forwarded through this host.
One potential use of the security table is to add security markings to packets (the SECMARK target labels a packet with a security context, and CONNSECMARK copies that label between a packet and its connection-tracking entry), allowing the MAC mechanism to ensure that only certain processes on the system can handle certain kinds of network traffic. This capability allows different servers on a shared Linux host to handle data with different security classifications.
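The following shell script is an added example, not part of the original page and not code from the iptables project. It contains a constructed iptables-restore ruleset that exercises every table described above (a custom ssh_in chain jumped to from INPUT in filter, DNAT and MASQUERADE in nat, MARK in mangle, CT --notrack in raw, SECMARK and CONNSECMARK in security), together with two checks worth running on such a file before loading it: listing the chains declared per table, and rejecting a ruleset that declares a built-in chain in a table that lacks it or appends rules to a chain that was never declared. The interface names, addresses, ports and the SELinux context are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): a constructed iptables-restore
# ruleset covering all five tables, plus offline structural checks.

# Constructed ruleset in iptables-save format. Each table is a "*name" ... "COMMIT"
# block; ":CHAIN POLICY [pkts:bytes]" declares a chain, and a policy of "-"
# marks a custom (user-defined) chain such as ssh_in. Addresses and interfaces are assumed.
GOOD_RULESET='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp --dport 514 -j CT --notrack
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 443 -j MARK --set-mark 0x10
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ssh_in - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ssh_in
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A ssh_in -s 10.0.0.0/24 -j ACCEPT
-A ssh_in -j DROP
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNSECMARK --restore
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j SECMARK --selctx system_u:object_r:http_server_packet_t:s0
-A INPUT -m conntrack --ctstate NEW -j CONNSECMARK --save
COMMIT'

# Deliberately wrong ruleset: raw has no INPUT chain, and a rule is appended to a chain never declared.
BAD_RULESET='*raw
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A ssh_in -p tcp --dport 22 -j CT --notrack
COMMIT'

# Built-in chains per table, as documented in iptables(8).
builtin_chains() {
  case "$1" in
    filter|security) echo "INPUT FORWARD OUTPUT" ;;
    nat)             echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
    mangle)          echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    raw)             echo "PREROUTING OUTPUT" ;;
    *)               return 1 ;;
  esac
}

# list_chains TABLE < ruleset: print the chains declared for TABLE, in declaration order.
list_chains() {
  awk -v t="$1" '/^\*/ { cur = substr($0, 2) }
    cur == t && /^:/ { sub(/^:/, ""); names = names (names ? " " : "") $1 }
    END { print names }'
}

# check_ruleset < ruleset: status 1 if a chain declared with a real policy is not
# built into its table, or a rule is appended to an undeclared chain. Errors go to stderr.
check_ruleset() {
  table='' declared='' errors=0
  while IFS= read -r line; do
    case "$line" in
      '*'*) table=${line#\*}; declared=''
        builtin_chains "$table" >/dev/null || { echo "unknown table: $table" >&2; errors=$((errors + 1)); } ;;
      ':'*) rest=${line#:}; chain=${rest%% *}; rest=${rest#* }; policy=${rest%% *}
        declared="$declared $chain "
        known=$(builtin_chains "$table") || known=''
        if [ "$policy" != '-' ]; then            # real policy means it claims to be built in
          case " $known " in *" $chain "*) ;;
            *) echo "table $table has no built-in chain $chain" >&2; errors=$((errors + 1)) ;;
          esac
        fi ;;
      '-A '*) rest=${line#-A }; chain=${rest%% *}
        case "$declared" in *" $chain "*) ;;
          *) echo "table $table: rule appended to undeclared chain $chain" >&2; errors=$((errors + 1)) ;;
        esac ;;
      COMMIT) table='' declared='' ;;
    esac
  done
  [ "$errors" -eq 0 ]
}

printf '%s\n' "$GOOD_RULESET" | check_ruleset && echo "constructed ruleset passes structural checks"
printf '%s\n' "$BAD_RULESET" | check_ruleset || echo "bad ruleset rejected as expected"
```

The checks above only look at the structure the page describes (which chains belong to which table, and whether a chain exists before rules are appended to it). Once a file passes them, the real parser can be run without committing anything with `iptables-restore --test < rules.v4` (this needs root and the iptables userspace), and the loaded result is inspected per table with `iptables -t nat -L -n -v` and the corresponding command for the other tables.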