iptables contains 5 tables by default. Tables contain chains (rulesets) and rules.

  • FILTER Table is the table where most of the incoming requests are processed. It contains the INPUT, OUTPUT and FORWARD chains. Packages that comply with the rules in these 3 chains go through the rules in the FILTER table.
  • NAT Table contains the INPUT, PREROUTING, POSTROUTING, and OUTPUT chains. Used for Network Address Translation.
  • MANGLE Table contains all built-in chains. Used for customized package alterations.
  • RAW Table contains the PREROUTING and OUTPUT chains. It is only used to configure packets to be exempt from connection tracking.
  • SECURITY Table is used for Mandatory Access Control network rules. It contains INPUT, OUTPUT and FORWARD chains.

Rulesets (Chains)

A ruleset can be defined as rules that come together in an ordered group format. It is the equivalent of the chain structure in IPTables in the ERWALL interface. Rulesets can be used in the JUMP part of other rules. The chain structure of IPTables consists of rulesets that are run sequentially according to the conditions. The ruleset in the JUMP part of a rule that is operated and whose condition is met will be switched to and the rules in that ruleset will continue to be operated sequentially.

How do iptables rules work?

An iptables rule checks the validity of an IP package based on specified condition and performs an action according to that validation. The columns listed in the rule table are fields of an IP packet. Rules entered into a ruleset are executed sequentially. If the condition specified in the rule matches the package, the action in the JUMP section is performed. These actions are:

  • Accept: Pass other validations and accept the incoming request.
  • Reject: Deny connection and send a reject response to the client.
  • Drop: Deny connection and do not send a response to the client.
  • Log: Continue with other validations, just log that the condition holds.
  • Jump: Jump into another chain and execute the rules on that chain.

If a packet does not match any rule, then the policy of the built-in chain is operated. It can be either ACCEPT or REJECT. By jumping between chains and trying the rules, requests get accepted or rejected eventually and related actions are taken for the packet.


IPSet is the structure that can be used to group IP addresses with similar attributes. IP Addresses may differ in terms of source company, whitelist, ISP. IPSets can be used when defining rules. For example, when you want to block the IPs in your blacklist, instead of entering these IPs one by one, you can create an IPSet and define your rule over it. Likewise, a user who wants to block all IPs belonging to Amazon can define rules by adding these IPs to an IPSet. Since the IPSet structure performs a search over a hashmap, it provides benefits in terms of both computational complexity and ease of use.