Red Hat ENTERPRISE LINUX 4.5.0 Reference Manual page 352

Chapter 18. iptables
Each table has a group of built-in chains which correspond to the actions performed on the
packet by the netfilter.
The built-in chains for the
• INPUT — Applies to network packets that are targeted for the host.
• OUTPUT — Applies to locally-generated network packets.
• FORWARD — Applies to network packets routed through the host.
The built-in chains for the
• PREROUTING — Alters network packets when they arrive.
• OUTPUT — Alters locally-generated network packets before they are sent out.
• POSTROUTING — Alters network packets before they are sent out.
The built-in chains for the
• INPUT — Alters network packets targeted for the host.
• OUTPUT — Alters locally-generated network packets before they are sent out.
• FORWARD — Alters network packets routed through the host.
• PREROUTING — Alters incoming network packets before they are routed.
• POSTROUTING — Alters network packets before they are sent out.
Every network packet received by or sent from a Linux system is subject to at least one table.
However, a packet may be subjected to multiple rules within each table before emerging at the
end of the chain. The structure and purpose of these rules may vary, but they usually seek to
identify a packet coming from or going to a particular IP address, or set of addresses, when
using a particular protocol and network service.
Note
Do not use fully qualified domain names in firewall rules that are saved in the
/etc/sysconfig/iptables
following example:
example.com
related services at boot time, which results in an error. Only IP addresses are
valid in creating firewall rules.
328
table are as follows:
filter
table are as follows:
nat
table are as follows:
mangle
or
/etc/sysconfig/ip6tables
iptables -A FORWARD -s example.com -i eth0 -j DROP
is invalid because the service starts before any DNS
iptables
files. In the