Section 18.3: Options Used in iptables Commands
• Order matters when placing options in a chain rule. Previously, with ipchains, it did not matter very much how you ordered the rule options when typing the rule. The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used in a chain's rule.
• When specifying network interfaces to be used with a rule, you must only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary because OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
This is by no means a comprehensive list of the changes, given that iptables represents a fundamentally rewritten network filter in use with the kernel. For more specific information, consult the Linux 2.4 Packet Filtering HOWTO and the sources found in Section 18.5, Additional Resources.
18.3 Options Used in iptables Commands
Rules that allow packets to be filtered by the kernel are put into place by running the iptables
command with a number of options after it that identify the types of packets being filtered, the source
or destination of those packets, and what to do with the packet if it matches the rule. The options used
with a particular iptables rule must be grouped logically, based on the purpose and conditions of
the overall rule, in order for the rule to be valid.
18.3.1 Tables
A powerful aspect of iptables is that multiple tables can be used to decide the fate of a particular
packet, depending upon the type of packet being monitored and what is to be done with the packet.
Thanks to the extensible nature of iptables, specialized tables can be created and stored in the
/etc/modules/<kernel-version>/kernel/net/ipv4/netfilter directory to meet
special goals. Think of iptables as being able to run multiple sets of ipchains rules in defined
chains, with each set fulfilling a particular role.
The default table, named filter, contains the standard built-in INPUT, OUTPUT, and FORWARD
chains. This is somewhat similar to the standard chains in use with ipchains. However, by default,
iptables also includes two additional tables that perform specific packet filtering jobs. The nat
table can be used to modify the source and destination addresses recorded in packets, and the mangle
table allows you to alter packets in specialized ways.
Each table contains default chains that perform necessary tasks based on the purpose of the table, but
you can easily set up new chains in each of the tables.
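The constraints described above (ports only after the protocol option, -i only on chains that see incoming packets, -o only on chains that see outgoing ones) and the table/chain layout of this section can be checked before a rule set is ever loaded. The following static checker is an added example, not code from the Red Hat manual; it never invokes iptables and only inspects the option layout of each rule line. It goes slightly beyond the text: it assumes the nat table's PREROUTING and POSTROUTING chains follow the same incoming/outgoing interface logic as INPUT and OUTPUT, and it assumes the 2.4-era built-in chain sets for the nat (PREROUTING, OUTPUT, POSTROUTING) and mangle (PREROUTING, OUTPUT) tables. User-defined chains are not known to it and are reported as unknown. The sample rules at the bottom are constructed for the example.

```shell
#!/bin/sh
# Static checker for iptables rule lines: an added example, not code from the
# Red Hat manual. It never invokes iptables; it only inspects how the options
# of each rule are laid out against three constraints from the text:
#   1. --sport/--dport may only follow a -p <protocol> option
#   2. -i belongs to chains that see incoming packets, -o to chains that see
#      outgoing ones (INPUT/FORWARD vs. FORWARD/OUTPUT in the filter table;
#      assumption: nat's PREROUTING and POSTROUTING follow the same logic)
#   3. the chain named in -A/-I/-D must exist in the table chosen with -t
# Assumption: only the built-in chains of the 2.4-era filter, nat and mangle
# tables are known; user-defined chains are reported as unknown.

builtin_chains() {
    case "$1" in
        filter) echo "INPUT OUTPUT FORWARD" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# check_rule "<iptables arguments>"
# Prints a diagnostic and returns 1 at the first violation; returns 0 when the
# rule satisfies all three checks.
check_rule() {
    table=filter chain="" proto_pos=0 port_pos=0 iface_in="" iface_out="" pos=0
    set -- $1                       # split the rule string into its words
    while [ $# -gt 0 ]; do
        pos=$((pos + 1))            # position of this option within the rule
        case "$1" in
            -t)              table=$2; shift ;;
            -A|-I|-D)        chain=$2; shift ;;
            -p)              proto_pos=$pos; shift ;;
            --sport|--dport) if [ "$port_pos" -eq 0 ]; then port_pos=$pos; fi; shift ;;
            -i)              iface_in=$2; shift ;;
            -o)              iface_out=$2; shift ;;
        esac
        shift
    done

    chains=$(builtin_chains "$table") || { echo "unknown table '$table'"; return 1; }
    [ -n "$chain" ] || { echo "no chain given with -A, -I or -D"; return 1; }
    case " $chains " in
        *" $chain "*) ;;
        *) echo "chain $chain is not a built-in chain of the $table table"; return 1 ;;
    esac
    if [ "$port_pos" -ne 0 ] && { [ "$proto_pos" -eq 0 ] || [ "$port_pos" -lt "$proto_pos" ]; }; then
        echo "port option given before (or without) -p: ports are only valid after the protocol"
        return 1
    fi
    if [ -n "$iface_in" ]; then
        case "$chain" in
            INPUT|FORWARD|PREROUTING) ;;
            *) echo "-i is only valid in INPUT, FORWARD or PREROUTING, not $chain"; return 1 ;;
        esac
    fi
    if [ -n "$iface_out" ]; then
        case "$chain" in
            FORWARD|OUTPUT|POSTROUTING) ;;
            *) echo "-o is only valid in FORWARD, OUTPUT or POSTROUTING, not $chain"; return 1 ;;
        esac
    fi
    return 0
}

# lint_rules: reads one rule per line on stdin, prints a verdict per rule and a
# summary line; always returns 0 so it can sit in a pipeline under set -e.
lint_rules() {
    bad=0
    while IFS= read -r rule; do
        if msg=$(check_rule "$rule"); then
            echo "ok  $rule"
        else
            echo "BAD $rule  <- $msg"
            bad=$((bad + 1))
        fi
    done
    echo "$bad rule(s) rejected"
    return 0
}

# Constructed sample rule set: the first three are well-formed, each of the
# remaining four breaks one constraint.
SAMPLE_RULES='-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp --sport 53 -j ACCEPT
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
-A INPUT --dport 22 -p tcp -j ACCEPT
-A OUTPUT -i eth0 -j ACCEPT
-A INPUT -o eth0 -j DROP
-t nat -A FORWARD -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | lint_rules
```

Running the script prints one verdict per sample rule and ends with "4 rule(s) rejected". The checker is deliberately order-agnostic about where -t appears, since iptables accepts it anywhere on the line; only the protocol/port ordering is positional.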
18.3.2 Structure
Many iptables commands take the following structure: