INPUT, OUTPUT and FORWARD are only the default chains for the
filter table. Tables are the highest-level structures in iptables, like chains were in
ipchains (D'oh!).
The big picture: Tables have Chains; Chains have Rules.
The three built-in tables are:
- filter, which has INPUT, OUTPUT and FORWARD as default chains.
- nat, which has PREROUTING, POSTROUTING and OUTPUT as default chains.
- mangle, which I admit I know nothing about. (Node what you know, as a wise person once said.)
Filtering and NAT work independently of one another. Chains in the nat table never drop or reject a packet; they are used only to rewrite source or destination IP addresses (masquerading or redirection). Whether a packet is allowed through is still decided in the filter table.
iptables is extensible. By installing new kernel modules, along with the matching command-line modules for the userspace utility, one can add new kinds of match, for example:
- Block or unblock traffic based on time of day (block IRC or RealAudio or ICQ during work hours, for instance)
- Match every Nth packet in a round-robin cycle (answer only one ping out of every 10, or combine with NAT to get some crude load balancing)
- Match based on probability
and many more. See the Netfilter Extensions HOWTO at
http://www.netfilter.org/documentation/index.html#HOWTO
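The table/chain/rule hierarchy and the filter-versus-nat split described above, written out as an iptables-restore ruleset, with the time-of-day and one-in-N matches from the extension list thrown in. This is an added example, not from the original write-up; the interface name, LAN range and internal server address are assumed values, and the time and statistic matches are the current module names for the time-based and round-robin matches the HOWTO describes.

```shell
#!/bin/sh
# Assumed values for the example (not from the original text).
WAN_IF=eth0
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.10

# Emit a ruleset in iptables-restore format: one "*table" section per
# table, ":CHAIN policy" lines for its chains, "-A" lines for its rules.
gen_rules() {
    cat <<EOF
# Table 1: filter. Only chains here decide whether a packet lives or dies.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Extension match (statistic, nth mode): answer one ping in ten.
-A INPUT -p icmp --icmp-type echo-request -m statistic --mode nth --every 10 --packet 0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Extension match (time): no LAN web browsing during working hours.
-A FORWARD -s $LAN_NET -p tcp --dport 80 -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j DROP
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
# The DNAT below only rewrites the address; filter must still allow it.
-A FORWARD -d $WEB_SRV -p tcp --dport 80 -j ACCEPT
COMMIT
# Table 2: nat. These chains rewrite addresses and nothing else.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Count the "-A" rules inside one table's section (0 for a table we never
# define, such as mangle). Shows the Tables > Chains > Rules nesting.
count_rules() {
    gen_rules | awk -v t="*$1" \
        '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on && /^-A/ { n++ } END { print n + 0 }'
}
```

Feed the output to `iptables-restore` to load it, or to `iptables-restore --test` to parse it without committing anything to the kernel.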