• Userspace program for configuring Linux kernel firewall for IP packets
• Network packets go through a series of firewall chains hosted in specific firewall tables
  • Available tables differ between kernel configurations
  • Commonly used ones are filter, nat and mangle
• Typically coupled with iproute2 for routing
  • One probably already used them; commands include ip and ss

Other hierarchy:

• Firewall chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING, configured with parameters under iptables(8).
• Protocol matching, e.g. -p tcp (for which also implies the extended matching module -m tcp), configured with options under iptables-extensions(8) MATCH EXTENSIONS.
• Targets: ACCEPT, DROP, etc. (as well as DNAT, MARK, MASQUERADE, REDIRECT, REJECT, SNAT, etc. in extended targets under iptables-extensions(8)). Options in their respective manpage.

This is baked directly into the kernel, and there is no option to enable/disable the table other than to modify the rules.

• View all rules across all tables: iptables-save

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -i wlan0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Used to modify packet headers. Most common use case in marking packets for specialized routing, using the MARK target. Example¹⁾ below shows mail packets being redirected by ip-route to a different routing table mail:

# Set '1' mark on TCP packets headed to port 25
user:~$ iptables -t mangle ... -p tcp --dport 25 -j MARK --set-mark 1
 
# Create 'mail' table (with table ID 201) and add routing rule
user:~$ echo 201 mail >> /etc/iproute2/rt_tables
user:~$ ip route add default via 195.96.98.253 ... table mail
 
# Force packets with '1' mark to use the 'mail' routing table
user:~$ ip rule add fwmark 1 table mail

Other possible use cases

• Rusty's Remarkably Unreliable Guides, written by the dude that wrote iptables
• On mangling:
  • Linux Advanced Routing & Traffic Control HOWTO
• HowToGeek
• https://billauer.co.il/ipmasq-html.html
• man iptables and more specifically man iptables-extensions for match extensions '-m' and target extensions '-j'