(1) Basic concepts of iptables

  It is often said that iptables is not really the firewall. iptables is only a user-space tool; the component that actually implements the firewall functionality is netfilter, which lives in kernel space. In the strict sense, iptables is the tool used to configure the netfilter component (netfilter hooks the packet at fixed points in the kernel network stack, and the rules loaded through iptables decide what happens at each hook).

Four tables, five chains:

Four tables:

  filter table: the default table; it cannot modify packet contents, it only filters (accepts or drops) packets; kernel module: iptable_filter; present in: INPUT, OUTPUT, FORWARD

  nat table: network address translation (SNAT, DNAT, MASQUERADE, REDIRECT); kernel module: iptable_nat; present in: PREROUTING, OUTPUT, POSTROUTING (CentOS 7 also has a nat INPUT chain, CentOS 6 does not: the nat INPUT hook was added in kernel 2.6.36, and CentOS 6 runs 2.6.32)

  raw table: evaluated before connection tracking, so it is used to exempt packets from conntrack (for example with the CT --notrack / NOTRACK target); kernel module: iptable_raw; present in only two chains: PREROUTING, OUTPUT

  mangle table: modifies packets in transit (rewrites header fields such as TTL and TOS, sets firewall marks); kernel module: iptable_mangle; present in all five chains.

Five chains:

  INPUT: packets destined for the local host;

  OUTPUT: packets generated by the local host;

  FORWARD: packets routed through this host to another destination;

  POSTROUTING: after the routing decision, just before the packet leaves;

  PREROUTING: before the routing decision, just after the packet arrives.

Table priority order (highest to lowest) when several tables are hooked at the same chain:

  raw---> mangle---> nat---> filter

  Caveat: this order describes destination NAT (nat PREROUTING and OUTPUT), whose hook runs before filter. The source-NAT hooks of the nat table (POSTROUTING and INPUT) run after filter, so a packet is filtered with its original source address and only then gets SNAT/MASQUERADE applied. Write filter rules against the pre-SNAT source and the post-DNAT destination.
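The following script is an added example, not code from the original post. It writes out an iptables-restore ruleset that touches all four tables in the order the kernel consults them, declaring only the built-in chains that each table actually has, and then runs a small validator over the ruleset that rejects a built-in chain declared under a table that does not provide it (for example INPUT under raw). The interface names (eth0, eth1), the LAN subnet, the syslog and SSH ports, and the helper names gen_ruleset, validate_ruleset and dry_run are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# ruleset covering raw, mangle, nat and filter, then check that every
# built-in chain declared under a table really exists in that table.
# Interface names, subnet and ports are illustrative assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Print a complete ruleset; tables appear in kernel consultation order.
gen_ruleset() {
  cat <<EOF
# raw: runs before conntrack; exempt high-volume syslog from tracking.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p udp --dport 514 -j CT --notrack
COMMIT
# mangle: header/mark changes; present in all five chains.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -j MARK --set-mark 0x1
COMMIT
# nat: the INPUT chain exists only on kernels >= 2.6.36 (CentOS 7 yes,
# CentOS 6 no); drop the :INPUT line there or iptables-restore fails.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
# filter: default deny. Untracked syslog can never match ESTABLISHED,
# so it needs its own explicit ACCEPT.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 514 -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin. Exit 1 (and name the offender) if a built-in
# chain is declared under a table that does not have it, else exit 0.
# User-defined chains are accepted in any table.
validate_ruleset() {
  awk '
    BEGIN {
      legal["raw"]    = " PREROUTING OUTPUT "
      legal["mangle"] = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
      legal["nat"]    = " PREROUTING INPUT OUTPUT POSTROUTING "
      legal["filter"] = " INPUT FORWARD OUTPUT "
      n = split("PREROUTING INPUT FORWARD OUTPUT POSTROUTING", b, " ")
      for (i = 1; i <= n; i++) builtin[b[i]] = 1
      bad = 0
    }
    /^\*/ {
      table = substr($1, 2)
      if (!(table in legal)) { print "unknown table " table; bad = 1 }
      next
    }
    /^:/ {
      chain = substr($1, 2)
      if ((chain in builtin) && index(legal[table], " " chain " ") == 0) {
        print "chain " chain " does not exist in table " table
        bad = 1
      }
    }
    END { exit bad }
  '
}

# Optional kernel-side parse check: iptables-restore --test parses and
# builds the ruleset without committing it, but needs root and netfilter.
dry_run() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_ruleset | iptables-restore --test
  else
    echo "not root or iptables-restore missing; skipped" >&2
  fi
}

# Usage: sh ruleset.sh > rules.v4  (then: iptables-restore < rules.v4)
if gen_ruleset | validate_ruleset >&2; then
  gen_ruleset
fi
```

The validator is deliberately strict about built-in chain names only: iptables-restore itself would reject `:INPUT` under `*raw` with an error at load time, but catching it before touching the kernel avoids a half-applied ruleset on a remote host. The syslog rules show the practical cost of the raw table: once a flow is exempted from conntrack it never becomes ESTABLISHED, so the default-deny filter needs a matching explicit accept.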


Source: www.cnblogs.com/yjt1993/p/10954401.html