Netfilter - Iptables

Iptables

The kernel modules named ip_tables, ip6_tables, arp_tables (the underscore is part of the name) and ebtables are some of the significant users of the Netfilter hook system. They provide a table-based system for defining firewall rules that can filter or transform packets. The tables can be administered through the user-space tools iptables, ip6tables, arptables and ebtables, respectively.

Each table is actually registered as its own hook, and each was introduced to serve a specific purpose, which, as far as Netfilter is concerned, usually amounts to running that table in a specific order with respect to the other tables. Other than that, all tables call the same table-processing function to iterate over and execute their rules.

Chains in this regard correspond to the point in the network stack from which Netfilter was invoked: packet reception (PREROUTING), local delivery (INPUT), forwarding (FORWARD), local output (OUTPUT) and packet transmission (POSTROUTING). Netfilter modules that do not provide tables (see below) may also check this origin to select their mode of operation.

  • the iptable_raw module will, when loaded, register a hook that will be called before any other Netfilter hook. It provides a table called raw that can be used to filter packets before they reach more memory-demanding operations such as Connection Tracking.
  • the iptable_mangle module registers a hook and mangle table to run after Connection Tracking (but still before any other table), so that modifications can be made to the packet that may influence further rules such as NAT or filtering.
  • the iptable_nat module registers two hooks: DNAT-based transformations are applied before the filter hook, SNAT-based transformations are applied afterwards. The nat table that is made available to iptables is merely a “configuration database” for NAT mappings only, and not intended for filtering of any kind.
  • the iptable_filter module registers the filter table, used for general-purpose filtering (firewalling).
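The ordering described above can be made concrete with a small model of an inbound packet passing through the hooks. This is an added example, not kernel or iptables code: the priority values follow the kernel's NF_IP_PRI_* constants, while the addresses, rules and chain policies are constructed for illustration.

```python
# Toy model of how Netfilter runs tables on a hook, in priority order.
# Priorities follow the kernel's NF_IP_PRI_* values (raw -300, conntrack
# -200, mangle -150, nat DNAT -100, filter 0, nat SNAT 100); everything
# else (addresses, rules, policies) is constructed for this example.
PRIORITY = {"raw": -300, "conntrack": -200, "mangle": -150,
            "nat_dst": -100, "filter": 0, "nat_src": 100}
# Which tables attach to which hook (chain); inbound path only.
HOOKS = {"PREROUTING": ["nat_dst", "mangle", "raw", "conntrack"],
         "INPUT": ["filter", "mangle"],
         "FORWARD": ["filter", "mangle"],
         "POSTROUTING": ["nat_src", "mangle"]}
LOCAL_ADDRS = {"203.0.113.1", "192.168.1.1"}   # the firewall's own addresses

def notrack(p): p["notrack"] = True; return "ACCEPT"   # raw: skip conntrack
def mark(p):    p["mark"] = 1                            # mangle: set fwmark
def dnat(p):    p["dst"] = "192.168.1.10"                # nat: forward to DMZ host
def snat(p):    p["src"] = "192.168.1.1"                 # nat: rewrite source on egress

# (table, chain) -> list of (match, action); an action may return a verdict.
RULES = {
    ("raw", "PREROUTING"):      [(lambda p: p["src"] == "10.0.0.5", notrack)],
    ("mangle", "PREROUTING"):   [(lambda p: p["dport"] == 80, mark)],
    ("nat_dst", "PREROUTING"):  [(lambda p: p["dst"] == "203.0.113.1" and p["dport"] == 80, dnat)],
    ("filter", "FORWARD"):      [(lambda p: p["dst"] == "192.168.1.10" and p["dport"] == 80,
                                  lambda p: "ACCEPT")],
    ("nat_src", "POSTROUTING"): [(lambda p: p["dst"].startswith("192.168.1."), snat)],
}
POLICY = {("filter", "INPUT"): "DROP", ("filter", "FORWARD"): "DROP"}

def run_hook(chain, pkt, tracked):
    """Run every table registered on this hook, lowest priority first."""
    for table in sorted(HOOKS[chain], key=PRIORITY.__getitem__):
        if table == "conntrack":               # not a table: the conntrack hook itself
            if not pkt.get("notrack"):
                tracked.append((pkt["src"], pkt["dst"], pkt["dport"]))
            continue
        for match, action in RULES.get((table, chain), []):
            if match(pkt):
                verdict = action(pkt)
                if verdict == "DROP": return "DROP"
                if verdict == "ACCEPT": break  # ends this table, not the hook
        else:   # no terminating rule matched: apply the chain policy, if any
            if POLICY.get((table, chain)) == "DROP": return "DROP"
    return "ACCEPT"

def inbound(pkt, tracked):
    """PREROUTING, then the routing decision, then INPUT or FORWARD+POSTROUTING."""
    if run_hook("PREROUTING", pkt, tracked) == "DROP": return "DROP"
    if pkt["dst"] in LOCAL_ADDRS:              # routing sees the post-DNAT address
        return run_hook("INPUT", pkt, tracked)
    if run_hook("FORWARD", pkt, tracked) == "DROP": return "DROP"
    return run_hook("POSTROUTING", pkt, tracked)
```

Running a port-80 packet for 203.0.113.1 through `inbound` shows the filter table deciding on the DNAT-rewritten destination, while a packet from 10.0.0.5 hits NOTRACK in raw and never reaches conntrack.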
