iptables,netfilter

Linux: network firewall
netfilter: the framework (in the kernel)
iptables: the user-space tool that generates packet filtering, NAT, mangle and other rules
network: IP packet header, TCP packet header
firewall: a set of components located at the edge of a computer network or at the internet exit; it inspects incoming and outgoing packets against rules
may be hardware or software; a rule = matching criteria + processing method
framework default policy: an open (default-allow) setup uses rules to block specific traffic; a closed (default-deny) setup uses rules to permit specific traffic through to the server
rules: the matching criteria
fields of the data packet that can be matched:
IP: source IP, destination IP
TCP: sport, dport, SYN = 1
UDP: sport, dport
ICMP: icmp-type
data packet filtering, history:
Linux 2.0
ipfw / firewall
Linux 2.2
ipchains / firewall
Linux 2.4
iptables / netfilter
TCP/IP module, TCP/IP stack
/proc/sys/net/ipv4/ip_forward (kernel switch that enables forwarding between interfaces)
data packet flow
routing table
routing decision
after a packet is received, the first routing decision is made (local delivery or forwarding)

netfilter
hook: hook function
hook function positions 1, 2, 3: at the local-delivery input, the local-process output, and the forwarding path
the other two positions: just before entering the routing decision, and in the outbound NIC buffer before the packet leaves
the five hooks:
prerouting
input
output
forward
postrouting
rule chains (one built-in chain per hook):
PREROUTING
INPUT
OUTPUT
FORWARD
POSTROUTING
filter (filtering) table:
INPUT
OUTPUT
FORWARD
nat (address translation) table:
PREROUTING
POSTROUTING
mangle (unpack, modify, repack) table:
PREROUTING
INPUT
OUTPUT
FORWARD
POSTROUTING can all hold mangle rules
raw table:
PREROUTING
OUTPUT

NAT
source address translation (SNAT)
destination address translation (DNAT)
rule order: rules in a chain are checked top to bottom; the first match decides
custom chains only take effect when they are called (jumped to) from another chain; if no rule in the custom chain matches, there must be a return mechanism (RETURN) so that evaluation continues in the calling chain
a user can delete a custom chain only when it is empty
the default (built-in) chains cannot be deleted
each rule has two internal counters:
the number of packets matched
the total size (bytes) of the packets matched
using custom chains can improve matching efficiency (only the traffic that is jumped into the chain is checked against its rules)
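As an added example (not from the original notes), the following shell script generates an iptables-restore ruleset that ties the points above together: default-deny policies on the built-in chains, a custom chain that is only entered via a jump from INPUT, an explicit RETURN at its end, and the per-rule [packets:bytes] counters. The chain name MGMT_SSH and the 10.0.0.0/24 management network are constructed values.

```shell
#!/bin/sh
# Added example, not the original notes' code: build and (optionally) load an
# iptables-restore ruleset. Chain MGMT_SSH and 10.0.0.0/24 are constructed.
build_ruleset() {
    cat <<'EOF'
*filter
# Built-in chains cannot be deleted; their policy is the default rule.
# Closed (default-deny) setup: INPUT and FORWARD drop unless a rule permits.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Custom chain: declared with "-" (no policy); [packets:bytes] counters start at 0.
:MGMT_SSH - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only new SSH connections ever enter the custom chain (the jump is the call).
-A INPUT -p tcp --dport 22 --syn -j MGMT_SSH
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A MGMT_SSH -s 10.0.0.0/24 -j ACCEPT
# Return mechanism: unmatched packets go back to INPUT and fall through to DROP.
-A MGMT_SSH -j RETURN
COMMIT
EOF
}

# Count generated lines starting with a prefix (":" = chain definitions, "-A" = rules).
count_lines() {
    build_ruleset | grep -c "^$1"
}

apply_ruleset() {
    # iptables-restore replaces the whole filter table atomically (needs root).
    build_ruleset | iptables-restore
}

show_counters() {
    # -v shows the two per-rule counters (pkts, bytes); -x prints exact numbers;
    # "iptables -Z" would reset them.
    iptables -t filter -vnxL INPUT --line-numbers
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset && show_counters
fi
```

Run with `--apply` as root to load the table; without arguments the script only defines the functions, so `build_ruleset` can be inspected safely first.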


Source: blog.51cto.com/14087650/2413151