There are currently five independent tables (which tables are
present at any time depends on the kernel configuration options
and which modules are present).
-t, --table table
This option specifies the packet matching table which the
command should operate on. If the kernel is configured
with automatic module loading, an attempt will be made to
load the appropriate module for that table if it is not
already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed).
It contains the built-in chains INPUT (for packets
destined to local sockets), FORWARD (for packets being
routed through the box), and OUTPUT (for locally-
generated packets).
nat:
This table is consulted when a packet that creates a
new connection is encountered. It consists of four
built-ins: PREROUTING (for altering packets as soon as
they come in), INPUT (for altering packets destined
for local sockets), OUTPUT (for altering locally-
generated packets before routing), and POSTROUTING
(for altering packets as they are about to go out).
IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration.
Until kernel 2.4.17 it had two built-in chains:
PREROUTING (for altering incoming packets before
routing) and OUTPUT (for altering locally-generated
packets before routing). Since kernel 2.4.18, three
other built-in chains are also supported: INPUT (for
packets coming into the box itself), FORWARD (for
altering packets being routed through the box), and
POSTROUTING (for altering packets as they are about to
go out).
raw:
This table is used mainly for configuring exemptions
from connection tracking in combination with the
NOTRACK target. It registers at the netfilter hooks
with higher priority and is thus called before
ip_conntrack, or any other IP tables. It provides the
following built-in chains: PREROUTING (for packets
arriving via any network interface) OUTPUT (for
packets generated by local processes)
security:
This table is used for Mandatory Access Control (MAC)
networking rules, such as those enabled by the SECMARK
and CONNSECMARK targets. Mandatory Access Control is
implemented by Linux Security Modules such as SELinux.
The security table is called after the filter table,
allowing any Discretionary Access Control (DAC) rules
in the filter table to take effect before MAC rules.
This table provides the following built-in chains:
INPUT (for packets coming into the box itself), OUTPUT
(for altering locally-generated packets before
routing), and FORWARD (for altering packets being
routed through the box).
