This is just my quick-reference for the kernel 2.4 "iptables" tool from
the netfilter framework.

Current set of default tables:

filter (default table; packet filtering): Starts with built-in chains:
INPUT: Arriving, addressed to this host.
FORWARD: Being routed through this host.
OUTPUT: Locally generated.

nat (address translation; consulted only for the first packet of each
new connection, the verdict then applies to the rest of that connection):
Starts with built-in chains:
PREROUTING: Arriving, before routing (DNAT).
OUTPUT: Locally generated (DNAT).
POSTROUTING: Exiting, after routing (SNAT, MASQUERADE).

mangle (specialised packet alteration, e.g. TOS, TTL, marks): Starts with
built-in chains:
PREROUTING: Incoming, before routing.
OUTPUT: Locally generated.
INPUT: Arriving. (since kernel 2.4.18)
FORWARD: Being routed. (since kernel 2.4.18)
POSTROUTING: Exiting. (since kernel 2.4.18)

The admin can create, delete, rename and flush additional (user-defined)
chains in any table (-N, -X, -E, -F); a rule jumps into such a chain by
naming it as its target.


Each chain consists of a list of rules, consulted in order (thus the term
"chain") until one's conditions match. If none match, the chain's default
policy applies, set with the "-P" option. (Policies exist only for built-in
chains, and the policy target must be ACCEPT or DROP, never RETURN or a
user-defined chain.) Each rule has:
criterion: Which packets match (interface, addresses, protocol, ports,
and whatever the match extensions add).
target ("-j"): What to do with a matching packet. Either the name of a
user-defined chain to jump into, or one of the built-in verdicts:
ACCEPT, DROP, QUEUE (hand the packet to a userspace program), or
RETURN (stop traversing this chain and resume after the rule that
jumped here; in a built-in chain, RETURN applies the chain's policy).
A rule with no target only updates its counters and traversal continues.
Each rule is assigned a rulenum, counting from 1 at the top of the chain,
which can be used to refer to it in iptables commands (-I, -D, -R). The
numbers shift whenever a rule above it is inserted or deleted, so list
them with "-L --line-numbers" immediately before relying on one.


Rulesets live in kernel memory and are gone after a reboot. iptables-save
dumps every table as text on stdout; iptables-restore loads such a dump,
committing each table atomically and replacing the existing rules unless
"-n" (no flush) is given. Load from a saved file rather than replaying a
script of individual commands, so the box is never half-configured.

Many of the more interesting features, such as stateful inspection and
rate limiting, come from dynamically-loaded extension modules. Match
extensions are selected with "-m" (-m state, -m limit, ...) and add
criteria; target extensions are selected by name with "-j" (LOG,
MASQUERADE, TOS, ...) and take their own options. The corresponding
kernel module (ipt_state, ipt_limit, ipt_LOG, ...) must be available or
the rule is refused.

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

LOG is a non-terminating target: after the kernel logs the packet,
traversal continues, here to the FORWARD policy, which must be DROP for
the prefix to be truthful. The limit match keeps a flood from filling
the logs (3 lines per minute after an initial burst of 3).
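The chain, policy and rulenum model above, together with the state and limit matches, as an added example (not code from the original page). It builds a complete filter table through a wrapper that prints each command in dry-run mode so the rule order can be reviewed without root; eth0 as the Internet interface and 192.168.1.0/24 as the LAN are hypothetical assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: build a filter-table
# ruleset with the iptables CLI through a small wrapper that can run in
# dry-run mode. Hypothetical assumptions: eth0 is the Internet-facing
# interface and 192.168.1.0/24 is the LAN.
#
# DRY_RUN=1 (the default here) prints each command instead of running it.
# DRY_RUN=0 applies the rules on a real host (needs root).

DRY_RUN=${DRY_RUN:-1}
IPTABLES=${IPTABLES:-/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# ipt: run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# build_filter_ruleset: the complete filter table, in the order it is
# loaded. Within a chain the first matching rule wins, so that order is
# the security policy.
build_filter_ruleset() {
    # Start clean: flush every chain, delete user chains, zero counters.
    ipt -F
    ipt -X
    ipt -Z

    # Policies exist only for built-in chains (ACCEPT or DROP): the verdict
    # when no rule matches. Default-deny for traffic into and through us.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Stateful shortcut (-m state, module ipt_state): replies and related
    # traffic are accepted first, so later rules only see NEW connections.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT   -m state --state INVALID -j DROP

    # A user-defined chain: "-j lan_services" jumps into it; RETURN (or
    # running off its end) resumes INPUT at the rule after the jump.
    ipt -N lan_services
    ipt -A lan_services -p tcp --dport 22 -j ACCEPT
    ipt -A lan_services -p udp --dport 53 -j ACCEPT
    ipt -A lan_services -j RETURN
    ipt -A INPUT ! -i "$INET_IFACE" -s "$LAN_NET" -m state --state NEW \
        -j lan_services

    # Insert by rulenum: position 1 is the top of the chain, so loopback is
    # accepted before even the state rule is consulted.
    ipt -I INPUT 1 -i lo -j ACCEPT

    # Rate-limited logging (-m limit, module ipt_limit). LOG does not
    # terminate traversal: the packet then falls through to the DROP policy.
    ipt -A INPUT   -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level debug --log-prefix "IPT INPUT dropped: "
    ipt -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level debug --log-prefix "IPT FORWARD dropped: "
}

# rule_count: number of rule-adding (-A/-I) commands the ruleset issues.
rule_count() {
    DRY_RUN=1 build_filter_ruleset | grep -c -- ' -[AI] '
}

build_filter_ruleset
```

Run it as is to read the generated command list (the `-I INPUT 1` line shows why rulenums are relative to the chain's current contents), then `DRY_RUN=0 sh script.sh` as root to apply it; for production, save the result with iptables-save and reload it with iptables-restore instead of re-running the script.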

Spoofing (drop packets that arrive on the Internet interface claiming a
private source address):
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP

Caveat: the nat table is consulted only for the first packet of each
connection, so it is the wrong place to filter. Put the same three rules
in the filter table (INPUT and FORWARD) or, if they must run before
routing, in mangle PREROUTING; 127.0.0.0/8 deserves the same treatment
on an external interface.

## Create chain that blocks new connections, except if coming from inside
## (eth0 is assumed to be the Internet-facing interface).
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block

Current iptables wants the negation before the option ("! -i eth0"); the
older "-i ! eth0" spelling is deprecated. Because block ends in an
unconditional DROP, nothing appended to INPUT or FORWARD after the
"-j block" rule is ever reached; any further ACCEPT rules must go before
the jump or inside the chain.
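The anti-spoofing caveat and the block chain, checked the way an auditor would: an added example (not from the original page) that lints iptables-save output for filtering in the nat table, non-DROP policies on INPUT/FORWARD and missing RFC1918 drops in the filter table. Both rulesets are constructed samples in iptables-save format; eth0 as the Internet interface is a hypothetical assumption.

```shell
#!/bin/sh
# Added example, not code from the original page: a small lint over
# iptables-save output. The two rulesets below are constructed samples;
# eth0 as the Internet-facing interface is a hypothetical assumption.

# lint_ruleset: read iptables-save text on stdin, print one finding per
# line, and exit with the number of findings (0 means clean).
lint_ruleset() {
    awk '
    /^\*/     { table = substr($0, 2); next }   # "*filter", "*nat", ...
    /^COMMIT/ { table = ""; next }
    # ":CHAIN POLICY [pkts:bytes]"; user-defined chains show policy "-"
    /^:/ && table == "filter" { policy[substr($1, 2)] = $2; next }

    # DROP/REJECT in the nat table: only the first packet of a connection
    # traverses nat, so this is not where filtering belongs.
    /^-A / && table == "nat" && / -j (DROP|REJECT)/ {
        print "nat table filters traffic, move to filter: " $0
        findings++
    }

    # Anti-spoof rules in the filter table, one per RFC1918 range.
    /^-A / && table == "filter" && / -j DROP/ &&
    match($0, /-s (10\.0\.0\.0\/8|172\.16\.0\.0\/12|192\.168\.0\.0\/16)/) {
        seen[substr($0, RSTART + 3, RLENGTH - 3)] = 1
    }

    END {
        if (policy["INPUT"] != "DROP") {
            print "filter INPUT policy is \"" policy["INPUT"] "\", expected DROP"
            findings++
        }
        if (policy["FORWARD"] != "DROP") {
            print "filter FORWARD policy is \"" policy["FORWARD"] "\", expected DROP"
            findings++
        }
        n = 0
        for (range in seen) n++
        if (n < 3) {
            print "only " n " of 3 RFC1918 ranges are dropped in the filter table"
            findings++
        }
        exit findings
    }'
}

# weak_ruleset: constructed sample with the anti-spoof rules in nat and
# ACCEPT policies, i.e. the shape the caveat above warns about.
weak_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
-A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
-A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# good_ruleset: constructed sample with default-deny policies, the
# anti-spoof drops in a filter-table chain, and the block chain.
good_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:antispoof - [0:0]
:block - [0:0]
-A INPUT -i eth0 -j antispoof
-A FORWARD -i eth0 -j antispoof
-A INPUT -j block
-A FORWARD -j block
-A antispoof -s 192.168.0.0/16 -j DROP
-A antispoof -s 10.0.0.0/8 -j DROP
-A antispoof -s 172.16.0.0/12 -j DROP
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block ! -i eth0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

weak_ruleset | lint_ruleset || echo "weak ruleset: $? finding(s)"
good_ruleset | lint_ruleset && echo "good ruleset: clean"
```

On a live box, `iptables-save | lint_ruleset` gives the same report; the exit status makes it usable from a config check before iptables-restore is run.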

Type of Service (TOS) prioritisation: To maximize ssh responsiveness
while keeping bulk file transfer over HTTP connections at full throughput:

# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport ssh \
-j TOS --set-tos Minimize-Delay

# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport http \
-j TOS --set-tos Maximize-Throughput

These match on the source port, i.e. the packets a server sends back; to
tag the client-to-server direction as well, add the same two rules with
--dport. The TOS target needs the ipt_TOS module, and the bits only have
an effect if something downstream (a queueing discipline on this box, or
the next hop) honours them.


Netfilter architecture
Block diagram

   --->PREROUTING-->[ROUTE]--->FORWARD---------->POSTROUTING------>
       Conntrack      |        Mangle      ^       Mangle
       Mangle         |        Filter      |       NAT (Src)
       NAT (Dst)      |                    |       Conntrack
       (QDisc)        |                 [ROUTE]
                      v                    |
                      INPUT Filter      OUTPUT Conntrack
                      |     Conntrack      ^   Mangle
                      |     Mangle         |   NAT (Dst)
                      v                    |   Filter
                      >- local processes >--