
The filter table has three built-in chains: Each tables may have some built-in chains in which firewall policy rules can be placed. The nat table performs Network Address Translation (NAT). The filter queue is responsible for packet filtering. The mangle table is responsible for the alteration of service bits in the TCP header. There are three important tables: mangle, filter and nat. Users can build very powerfull firewall based on iptables which handles packets based on the type of packet activity and enqueues the packet in one of its builtin ‘tables’. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target). In Linux box, iptables is implemented in Linux kernel as some kernel modules.

Iptables is a generic table structure for the definition of rulesets for network filtering framework by netfilter in Linux kernel.

This software can be running as a normal user, which avoids the security risk caused by running as the root user. In Unix/ Linux box where port numbers below 1024 can only be listened by software running as root, port forwarding is also used to redirect incoming traffic from a low numbered port to software listening on a higher port. For example, running a public HTTP server (port 80) on a host within a private LAN, or permitting secure shell ssh (port 22) access to hosts within the private LAN from the Internet. Port forwarding can be used to allow remote computers (e.g., public machines on the Internet) to connect to a specific computer within a private network such as local area network (LAN), sothat xternal hosts can communicate with services provided by hosts within a LAN. Port forwarding also called “port mapping” commonly refers to the network address translator gateway changing the destination address and/or port of the packet to reach a host within a masqueraded, typically private, network.
