The Linux kernel’s network packet processing subsystem is called Netfilter, and iptables is the command used to configure it. This book covers the iptables user-space utilities Version 1.2.7a, which uses the Netfilter framework in the Linux kernel version 2.4 and also covers most of what’s in 2.6. Because Netfilter and iptables are tightly coupled, I will use "iptables" to refer to either or both of them throughout this book.
The iptables architecture groups network packet processing rules into tables by function (packet filtering, network address translation, and other packet mangling), each of which have chains (sequences) of processing rules. Rules consist of matches (used to determine which packets the rule will apply to) and targets (that determine what will be done with the matching packets).
iptables operates at OSI Layer 3 (Network). For OSI Layer 2 (Link), there are other technologies such as ebtables (Ethernet Bridge Tables). See http://ebtables.sourceforge.net/ for more information.
An Example Command
Here is a sample iptables command:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080
Table1-1 shows what this sample iptables command means.
Table1-1.Decomposed example iptables command arguments
Component | Description |
|---|---|
| Operate on the |
| ... by appending the following rule to its |
| Match packets coming in on the |
| ... that use the |
