Basic Iptables Configuration
iptables is a tool that performs packet filtering in the Linux 2.4 kernel. It is a replacement for ipchains in the
previous versions. All data transferred through networks is in the form of packets. The headers of the packets give us the information that is required for making routing decisions and other administrative details. The actual data that is being transferred belongs to the body. To filter packets, each packet's header is examined and the appropriate action is taken.
The question then arises: why do we need to examine the header and filter the packets? The most important reason is to enhance the security of the network. For example, we might want to protect our system from malicious outsiders. Another reason is that we might want to restrict or control the usage of the resources that belong to our network. For example, we might want to allow only a limited amount of traffic to pass through.
Basic Format
Tables
The first option is table. There are three kinds of tables namely nat, mangle and filter.
Nat: This table is used for network address translation. It has three chains: PREROUTING, OUTPUT and POSTROUTING. The prerouting chain is used to alter packets as soon as they enter the firewall. The output chain is used to alter locally generated packets. The postrouting chain is used to alter packets as they are leaving the firewall.
Mangle: This table is used to mangle packets and has two default chains, PREROUTING and OUTPUT. This table should not be used either to filter packets or to do any address translation. As in the nat table, the prerouting chain mangles packets as they enter the firewall, and the output chain mangles packets that are generated locally. This table changes packets and how their headers appear, for example the TTL or TOS fields.
Filter: This table is used to actually filter the packets; if the table option is not specified, the command is applied to this table. It has three chains: INPUT, OUTPUT and FORWARD. The input chain is used on packets that are destined for the local host. Output, as in the above cases, is used on locally generated packets. Forward is used on all other packets, i.e. those routed through the host. The action that can be taken on each chain is DROP, LOG, ACCEPT or REJECT.
Command
| Command | Example | Description |
|---|---|---|
| -A, --append | iptables -A INPUT… | Appends the rule at the end of the chain. |
| -D, --delete | iptables -D INPUT -p tcp --dport 80 -j DROP ; iptables -D INPUT 1 | There are two ways to delete a rule in a chain: specify the rule to be deleted, as in the first example, or specify the number of the rule, as in the second example. |
| -R, --replace | iptables -R INPUT 1 -s 192.168.0.1 -j DROP | Replaces the old entry at a specific rule number. |
| -I, --insert | iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT | Inserts the rule at the specified position. |
| -L, --list | iptables -L INPUT | Lists the rules in the specified chain or table. |
| -F, --flush | iptables -F INPUT | Flushes all the rules in the specified chain or table. It is equivalent to deleting all the rules at once. |
| -N, --new-chain | iptables -N givenName | Adds a new chain named "givenName" in the specified table. |
| -X, --delete-chain | iptables -X givenName | Deletes the entire chain along with the rules in it. |
| -P, --policy | iptables -P INPUT DROP | Sets the default policy for the specified chain. It applies to all packets that do not match any rule in the chain. |
Match
Match options load extended packet-matching modules. Two options are used, -p (--protocol) or -m (--match), each followed by further options. The protocols that can be matched are tcp, udp and icmp. The match modules include mark, limit, owner, ttl, tos, state etc. The three most important ones are ttl, tos and state; ttl and tos are self-explanatory. The state option tells which connection state of the packet is to be matched by the rule. There are four states: INVALID, ESTABLISHED, NEW and RELATED. Following are some examples of the usage of match:
iptables -A INPUT -m state --state RELATED,ESTABLISHED
iptables -A OUTPUT -m ttl --ttl 60
iptables -A INPUT -p tcp --dport 22
Target/Jump
When all the rules in a chain have been examined and no rule matches the packet, the chain's policy target is applied. The allowed values are ACCEPT, DROP, QUEUE or RETURN. The policy target is set with -P. The jump option (-j) takes the same targets; it specifies the target of a rule, which is applied when a packet matches that rule.
Configuration File
The location of the configuration file is specified in the startup script /etc/rc.d/init.d/iptables. This configuration file is read by iptables when it starts, so to make changes permanent we have to edit this file. However, the startup script has a 'save' option which writes the current rules to this file without our having to edit it manually. So after setting all the rules, run the following command:
/etc/rc.d/init.d/iptables save
The actual location of this file is /etc/sysconfig/iptables.
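The commands, match options, policy and save step above combined into one minimal host firewall, written as an added example and not code from the original page: gen_ruleset emits the filter table in the iptables-save format that /etc/sysconfig/iptables holds, so the same text can be loaded atomically with iptables-restore and written to that path for the startup script. The SSH port, the 10.0.0.0/8 admin network and the LOGDROP chain name are constructed for the example.

```shell
#!/bin/sh
# Added example: generate a default-deny INPUT policy in iptables-save
# format, check it, and load it with iptables-restore.
# Assumptions (constructed): SSH on tcp/22 is the only exposed service
# and only the 10.0.0.0/8 management network may open new SSH sessions.
SSH_PORT=22
ADMIN_NET="10.0.0.0/8"

# Print the filter table. ':CHAIN POLICY [pkts:bytes]' sets the default
# policy (what -P does), ':LOGDROP -' declares a user chain (what -N does),
# and '-A' lines are ordinary rules in the same syntax as the iptables CLI.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Number of INPUT rules that accept traffic; a change in this number on
# review means a rule widened or narrowed what the host exposes.
count_accepts() {
    gen_ruleset | grep -c '^-A INPUT .*-j ACCEPT$'
}

# Load the whole table at once (iptables-restore replaces the listed
# table rather than appending, so re-running is idempotent) and persist
# it where the init script reads it at boot.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    gen_ruleset | iptables-restore && gen_ruleset > /etc/sysconfig/iptables
}

# 'sh firewall.sh' prints the ruleset for review; 'sh firewall.sh apply' loads it.
case "${1:-}" in
    apply) apply_ruleset ;;
    *) gen_ruleset ;;
esac
```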