Compatibility With IPChains
This iptables is very similar to ipchains. The main difference is that the built-in chains INPUT and OUTPUT are traversed only by packets destined for the local host and by packets originating from the local host, respectively. Hence every packet passes through only one of the three chains (except loopback traffic, which is locally generated and locally delivered, so it passes through OUTPUT and then INPUT); under ipchains a forwarded packet passed through all three.
The other main difference is that -i now refers to the input interface and -o to the output interface. Both are available for packets entering the FORWARD chain, which sees the interface the packet arrived on and the one it will leave by; rules in INPUT can only use -i, and rules in OUTPUT can only use -o.
iptables is a pure packet filter when using the default 'filter' table, with optional extension modules; address translation lives in the separate nat table. This removes much of the earlier confusion over combining IP masquerading with packet filtering in a single ruleset, and as a result several command-line options are handled differently from ipchains. Tables consist of chains, which are lists of rules that are traversed in order. The default table, filter, contains three built-in chains, INPUT, OUTPUT and FORWARD, which are consulted at different points of the packet filtering process, as illustrated in the flow chart. The nat table contains the PREROUTING, POSTROUTING and OUTPUT chains. See man 8 iptables for a description of the built-in chains in the other tables.
By default, none of the chains contain any rules. It is up to you to append rules to the chains you want to use. Built-in chains also have a default policy, which is normally ACCEPT but can be set to DROP if you want to be sure that nothing slips through your ruleset (user-defined chains have no policy; when a packet reaches their end it returns to the calling chain). The policy applies only at the end of a chain: a packet is checked against every rule in the chain in order, and the policy is used only if no rule before it issued a terminating verdict such as ACCEPT, DROP or REJECT. A DROP policy therefore turns the ruleset into a whitelist, because anything you did not explicitly accept is discarded.
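The points above, worked into a minimal filter-table ruleset in iptables-restore format. This is an added example, not a ruleset from the original page: all three built-in chains get a DROP policy, the explicit ACCEPT rules are placed before the policy is reached, -i and -o appear together only in FORWARD, and INPUT/OUTPUT rules use only the interface option that applies to them. The interface names eth1 (inside) and eth0 (outside) and TCP port 22 are assumptions chosen for illustration. The script only prints the ruleset; it does not touch the kernel. As root, `./example.sh | iptables-restore` would load it.

```shell
#!/bin/sh
# Added example (not from the original page): generate a filter-table ruleset
# that relies on DROP policies rather than on ACCEPT-by-default. Interface
# names and the SSH port below are assumed values for illustration only.
LAN_IF=eth1     # assumed inside interface
WAN_IF=eth0     # assumed outside interface
SSH_PORT=22     # assumed service to expose to the inside network

gen_ruleset() {
    # Lines starting with '#' are ignored by iptables-restore, so the
    # explanatory comments can stay in the emitted text.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT is traversed only by packets addressed to this host; -i is valid, -o is not.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# OUTPUT is traversed only by locally generated packets; -o is valid, -i is not.
# The conntrack rule lets this host open any outbound connection; only INVALID
# packets fall through to the policy.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees both interfaces, so -i and -o can be combined in one rule:
# new connections are allowed from the inside network to the outside only.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# A packet matching none of the rules above reaches the end of its chain
# and is handled by that chain's DROP policy.
COMMIT
EOF
}

# Number of built-in chains whose policy line is DROP. Anything other than 3
# means some chain still accepts unmatched packets by default.
check_policies() {
    gen_ruleset | grep -E -c '^:(INPUT|FORWARD|OUTPUT) DROP '
}

# Number of rules appended to the chain named in $1, in traversal order.
count_rules() {
    gen_ruleset | grep -c "^-A $1 "
}

gen_ruleset
```

Swapping a policy line to `:INPUT ACCEPT [0:0]` is the weak variant the text warns about: every packet that matches no INPUT rule would then be accepted instead of dropped, and `check_policies` would report 2 rather than 3.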