NetFilter Chains

Sample chain

A chain is traversed rule by rule; when a rule matches, the packet is handed to that rule's target and, for a terminating target, traversal of the chain stops. The terminating targets are ACCEPT, DROP (discard silently) and REJECT (discard and send an error back to the sender); a non-terminating target such as LOG records the packet and lets traversal continue with the next rule. The built-in chains INPUT, FORWARD and OUTPUT have a default policy, the target applied when no rule in the chain matches (only ACCEPT or DROP can be a policy). User-defined chains have no policy: a packet that reaches the end of a user chain without a match, or hits a RETURN target, goes back to the calling chain and continues at the rule after the one that jumped.

NetFilter Rules

Rules match packets on source and destination address, incoming and outgoing interface, protocol, TCP flags and connection state. Stateful filtering (connection tracking) allows different rules for new connections and for packets that belong to, or are related to, an existing connection, so return traffic can be accepted by one rule instead of one permissive rule per service. For multi-connection protocols such as FTP, the connection-tracking helpers do the job that the ipchains masquerading modules did and reduce the need for explicit port forwarding.
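The following script is an added example, not part of the original slides: it prints an iptables-restore ruleset that exercises the chain and rule semantics described above (default policies on built-in chains, a user chain that returns to its caller, a non-terminating LOG target before a terminating REJECT, and conntrack state matches placed first), and then checks that every jump target is a known target or a chain declared in the ruleset. The ruleset is printed rather than applied, so no root is needed; the interface name, the 192.0.2.0/24 and 198.51.100.0/24 networks, and the chain name SSH_IN are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit a ruleset in iptables-restore format. Review it, or load it with
# `iptables-restore --test` / `iptables-restore` as root. Addresses and names are assumptions.
ruleset() {
cat <<'EOF'
*filter
# Built-in chains carry a default policy: a packet that reaches the end of INPUT or FORWARD
# without matching a terminating rule is dropped; locally generated traffic is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain: it has no policy, a packet falling off its end returns to the caller.
:SSH_IN - [0:0]
# Stateful rules first: replies and related packets (e.g. FTP data) are accepted without a
# per-service rule, and packets conntrack cannot classify are dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# New SSH connections are handed to the user chain.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN
# LOG does not terminate traversal, so a packet that returns from SSH_IN is logged and then
# hits the REJECT rule below.
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-rejected: "
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# Inside SSH_IN: the (assumed) management network is accepted; a second network returns
# explicitly; anything else falls off the end and returns to INPUT implicitly.
-A SSH_IN -s 192.0.2.0/24 -j ACCEPT
-A SSH_IN -s 198.51.100.0/24 -j RETURN
COMMIT
EOF
}

# Sanity check that needs no root: every -j target must be a known target or a chain
# declared with a ":NAME" line earlier in the ruleset. Exit status 0 when all are valid.
check_targets() {
    ruleset | awk '
        BEGIN {
            bad = 0
            split("ACCEPT DROP REJECT RETURN LOG", b, " ")
            for (k in b) known[b[k]] = 1
        }
        /^:/ { sub(/^:/, ""); declared[$1] = 1 }
        /^-A / {
            target = ""
            for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "") { print "rule without target: " $0; bad = 1 }
            else if (!(target in known) && !(target in declared)) {
                print "undeclared target: " target; bad = 1
            }
        }
        END { exit bad }
    '
}

# When run directly: validate, then print the ruleset for review or for iptables-restore.
check_targets && ruleset
```

Packet order matters here: a new SSH connection from 203.0.113.5 matches no rule in SSH_IN, returns to INPUT at the LOG rule, is logged, and is then rejected with a TCP reset; its later packets would match INVALID or ESTABLISHED,RELATED only if conntrack had seen an accepted connection, which it has not.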

Advanced Firewalls and Routing using Linux