The -t option specifies which table to use. Per default,
filter table is used. We may specify one of the
following tables with the -t option. Do note that this is
extremely brief summary of some of the contents of the Traversing of tables and chains
Table 9-1. Tables
The nat table is used mainly for
Network Address Translation.
"NAT"ed packets get their IP addresses altered,
according to our rules. Packets in a stream only traverse this table once. We
assume that the first packet of a stream is allowed. The rest of the
packets in the same stream are automatically "NAT"ed
or Masqueraded etc, and will be subject to the same actions as the first
packet. These will, in other words, not go through this table again, but
will nevertheless be treated like the first packet in the stream. This is
the main reason why you should not do any filtering in this table, which
we will discuss at greater length further on. The
PREROUTING chain is used to alter packets as soon as
they get in to the firewall. The OUTPUT chain is used
for altering locally generated packets (i.e., on the firewall) before they get
to the routing decision. Finally we have the
POSTROUTING chain which is used to alter packets just
as they are about to leave the firewall.
This table is used mainly for mangling packets. Among other
things, we can change the contents of different packets and that of their
headers. Examples of this would be to change the TTL,
TOS or MARK. Note that the
MARK is not really a change to the packet, but a mark value
for the packet is set in kernel space. Other rules or programs might use this
mark further along in the firewall to filter or do advanced routing on; tc is
one example. The table consists of five built in chains, the
OUTPUT, INPUT and
FORWARD chains. PREROUTING
is used for altering packets just as they enter the firewall and before they
hit the routing decision. POSTROUTING is used to
mangle packets just after all routing decisions have been made.
OUTPUT is used for altering locally generated
packets after they enter the routing decision. INPUT
is used to alter packets after they have been routed to the local computer
itself, but before the user space application actually sees the data.
FORWARD is used to mangle packets after they have hit
the first routing decision, but before they actually hit the last routing
decision. Note that mangle can't be used for any kind of Network
Address Translation or Masquerading, the
nat table was made for these kinds of operations.
The filter table should be used
exclusively for filtering packets. For example, we could
DROP, LOG, ACCEPT or
REJECT packets without problems, as we can in the other
tables. There are three chains built in to this table. The first one is named
FORWARD and is used on all non-locally generated
packets that are not destined for our local host (the firewall, in other
words). INPUT is used on all packets that are
destined for our local host (the firewall) and OUTPUT
is finally used for all locally generated packets.
The above details should have explained the basics about the three
different tables that are available. They should be used for totally different
purposes, and you should know what to use each chain for. If you do not
understand their usage, you may well dig a pit for yourself in your firewall,
into which you will fall as soon as someone finds it and pushes you into it.
We have already discussed the requisite tables and chains in more detail
within the Traversing of tables and chains chapter. If you do not understand
this fully, I advise you to go back and read through it again.