Here's the way the official chains are set up (it's a little complicated). They come in three tables:

This is the general arena for chains - and if you've used ipchains before, you're used to it without even knowing it. In here are the INPUT, OUTPUT, and FORWARD chains. The INPUT chain is for packets coming into the computer from the network, destined for a local application. The OUTPUT chain is for packets coming from a local application and destined for the network. The FORWARD chain is for packets that are being routed through your computer (unless you're setting your box up as a router or a masquerading firewall, you can pretty much ignore this chain). One notable change from ipchains is that packets that go through the FORWARD chain do NOT go through the INPUT and OUTPUT chains.

This table is used to handle what used to be handled with MASQ - in other words, masquerading (only in a general sense - it's really much more flexible and powerful). The built-in chains in this table are PREROUTING, OUTPUT, and POSTROUTING.

PREROUTING

This chain is typically used for DNAT, or Destination Network Address Translation. In other words, changing the destination of the packet to a location of your choice. This could be used, for example, to port forward - all connections to port 22 could be redirected to the ``admin'' machine's IP address (on another port, even), while port 80 connections are distributed evenly among a set of 5 web servers as a form of load-balancing. (These machines would typically be on the ``other side'' of the firewall, but not necessarily.) You could also set up a transparent proxy using this chain to reroute connections to the loop-back interface. (You could use either the DNAT module or the REDIRECT module)

POSTROUTING

This chain is typically used for SNAT, or Source Network Address Translation. This is directly related to masquerading (although masquerading is a little different and uses it's own target instead of the SNAT target). You could use this to ``spoof'' your IP address - but there are much easier ways to do that. Well, since I know you're wondering, here's how you would set your machine to masquerade your PPP connection (or Ethernet/ISDN/DSL connection) to the rest of the computers on your home network.

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

OUTPUT

This chain isn't used much - it's more for completing certain network illusions. For example, if you use the PREROUTING chain to forward connections to port 22 off to an admin machine somewhere, if you attempt to connect to port 22 from your machine (the one with the rules) it won't get forwarded, because your local packets don't get into the PREROUTING chain - so you use the OUTPUT chain to forward them, and complete the illusion. When you connect to yourself (or ping your own IP address), your packets go through the OUTPUT mangle chain, the OUTPUT nat chain, the OUTPUT filter chain, the POSTROUTING nat chain, the PREROUTING mangle chain, and then the INPUT filter chain, in that order.

It should be noted that implicit NAT source-port translation can sometimes happen - and will be handled quietly and (nearly) invisibly by the kernel. For example, say you have a masquerading box and a client box. The client box attempts to make a connection from port 1024 to on port 80. The masquerading box, trying to mimic the original connection as closely as possible, will make its masqueraded connection from port 1024 to yahoo.com's port 80. If, during that connection, a person using the masquerading box tries to also make a connection from port 1024 to yahoo.com's port 80, the kernel will invisibly use port 1025 instead. This is called ``port-translation.'' When that happens, the range of ports is divided up into three groups - and invisible port-translation will never escape the original group. The groups are: 1-512, 513-1023, 1024-65535. If a free port cannot be found within a particular group (also called a `class') for a new connection, the connection will be dropped. The NAT code is also fairly intelligent about conflicting rules (mapping two connections onto the same source address and source port, for example, won't be a problem).

Some protocols don't like to be meddled with (I don't know the specifics of it, but the problem is generally because a protocol's logical ``connection'' consists of two real TCP connections) - so there are special modules to make them happy - for example, ip_conntrack_ftp.o, ip_nat_ftp.o, ip_conntrack_irc.o, and ip_nat_irc.o.

Also, when you give the DNAT module a range of IP addresses to forward things to (or multiple ranges), it chooses an IP within that range to use based upon which has the least among of throughput or connections to it that DNAT knows about - a primitive, and convenient, form of load-balancing. One more thing you should know (but only network-wizards will care about): when you are forwarding a connection through a masquerade box, packet fragments are reassembled - so specific fragmentation, and splitting a connection among several masquerading boxes, is unreliable (on the other hand, why would you want to use multiple gateways at a time anyway?).

By definition, the mangle table is for general packet mangling. But generally, there isn't much use for non-NAT packet mangling except by network wizards with too much time on their hands.However, you can also use the mangle table's PREROUTING chain as a clearing house for rules that should apply to both incoming local connections and forwarded connections (i.e., rules that should be shared by FORWARD and INPUT chains from the filter table - but please, use it that way sparingly, if at all). Anyway, the mangle table only has two built-in tables: PREROUTING and OUTPUT, which are used for (according to the iptables man-page) ``altering incoming packets before routing'' and ``altering locally-generated packets before routing.'' What does that mean? Well, for one thing, you can optimize your TOS headers. For example, you could make sure that your ftp-data connections were set to provide the greatest throughput, while your ssh connections are set to minimize delay (this sort of thing would go in the PREROUTING chain on a masquerading box, and the OUTPUT chain on a normal box). For example:

iptables -t mangle -A OUTPUT -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp --sport ssh      -j TOS --set-tos Minimize-Delay

You're probably asking yourself, like I was, what's the difference between mangle and nat? The answer is part of the stateful firewalling business. The nat table's PREROUTING and OUTPUT chains are only used when new connections are being made from a machine other than this one, and are ignored for any other kind of packeti - in other words, only when you would want to use rules for NAT. (Generally, the modules used by the nat rules you may set up create implicit, pervasive rules - for example, the masquerading rule sets up everything necessary for two-way communication without you having to add any more rules, so obviously, you'd only want packets from that connection to be evaluated by that rule when the connection is first being made.) All of the chains in the mangle table, however, are always consulted for every packet. This is a good solution, and keeps CPU overhead to a minimum by not even looking at NAT rules when you wouldn't want to. See? I told you this stuff rocks.

Confused? Maybe this will help: