So I want to make my own iptables script -- and actually understand what's going on. So far I've seen a bunch of other examples, and tried cutting and pasting, with some success and some failure.

From what I gather from the man page, tables are made of several chains, and the chains contain rules. The rules are matched from start to end. There are 3 bulit in tables: filter, nat, and mangle. If any of this info is worng please let me know.

Anyway I have a few simple questions:

Q1: The man page says the general format for appending a rule is:

iptables -t table -A chain rule-specification

But I see a lot of stuff in people's iptables scripts that don't seem to meet this format. What is going on with commands like this?:

iptables --flush // No table is mentioned which tables/chains are flushed here?
iptables --policy INPUT DROP // Chain, and rule but no table, is it automatically filter table?

Q2: Does this rule make sense? I don't see why you need the first "state" before "--state"

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Q3: What are common uses for the tables nat, and mangle?

Q4: Any other tips for really understanding how to use iptalbes?

A1. It will default to the filter table and flush will flush all chains. You can use "-t nat" etc to switch table.

A2. "-m state" tells iptables to match using the state of the connection and "--state" tells iptables which states to match.

A3. The nat table is used for Network Address Translation where as mangle can be used to alter the packets:
http://www.netfilter.org/documentati...T-HOWTO-3.html
http://www.netfilter.org/documentati...T-HOWTO-6.html

A4. The iptables man page should have most information but the netfilter documentation should be in more detail: http://www.netfilter.org/documentation/

A1. All iptables operations without an explicit table operate on the filter table, as its most common use is as a filter. Therefore iptables --flush flushes all chains in the filter table. iptables --policy INPUT DROP sets the policy of the INPUT chain on the filter table to DROP.

A2. -m state means "match against state". --state specifies which states to match against. Yes, one would think that --state would be sufficient to imply both, but I guess the -m flag is to make sure the proper module is loaded. You'd have to ask the iptables designers about that.

A3. NAT is used when one is firewalling a network using iptables and you want to set up Network Address Translation, port forwarding, etc. Mangle is a packet mangler (it actually changes the packets rather than just rerouting them. I can't say that I've ever seen mangle in real use.

A4. When you read scripts, try to understand what each line does. If you're not clear, post here and ask and we'd be happy to explain things to you.

Also, as general advice, to really understand what's going on, a good understanding of the IP, TCP, UDP, and (probably less importantly) ICMP network protocols is necessary. For instance, TCP packets can have several states set (SYN, ACK, FIN, URG, etc.) that you may want to filter on. You can Google around the Web for guides, and Stevens' Unix Network Programming and TCP/IP Illustrated, Vol. 1 are good resources.