Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 144

nat
This table defines any changes to the source and target addresses of packets. Using
these functions also allows you to implement masquerading, which is a special
case of NAT used to link a private network with the Internet.
mangle
The rules held in this table make it possible to manipulate values stored in IP
headers (such as the type of service).
These tables contain several predefined chains to match packets:
PREROUTING
This chain is applied to incoming packets.
INPUT
This chain is applied to packets destined for the system's internal processes.
FORWARD
This chain is applied to packets that are only routed through the system.
OUTPUT
This chain is applied to packets originating from the system itself.
POSTROUTING
This chain is applied to all outgoing packets.
Figure 15.1, "iptables: A Packet's Possible Paths"
which a network packet may travel on a given system. For the sake of simplicity, the
figure lists tables as parts of chains, but in reality these chains are held within the tables
themselves.
In the simplest of all possible cases, an incoming packet destined for the system itself
arrives at the eth0 interface. The packet is first referred to the PREROUTING chain
of the mangle table then to the PREROUTING chain of the nat table. The following
step, concerning the routing of the packet, determines that the actual target of the
packet is a process of the system itself. After passing the INPUT chains of the mangle
and the filter table, the packet finally reaches its target, provided that the rules of
the filter table are actually matched.
132 Security Guide
(page 133) illustrates the paths along