Both FLOOD and FLAGS are user-defined chains. If you take a look at the entire firewall they list (starting on pg 290), you'll see that for each of those, they start out by creating the user-defined chain:
$IPT -N FLAGS
Then they give FLAGS some rules to describe it:
$IPT -A FLAGS -p tcp --tcp-flags ACK,FIN FIN
$IPT -A FLAGS -p tcp --tcp-flags ACK,PSH PSH
They do something similar with FLOOD. So if you want to use the FLOOD and FLAGS chains, you'll have to create them yourself. INVALID is different. It is an actual built-in feature that loads with the "state" module, not a chain like INPUT or OUTPUT. To use it, you'll have to invoke the state module with:
-m state --state INVALID
For contradictory rules, whichever comes first wins. So as iptables moves through the chain, it tries to match a packet to each of the individual rules in the chain. Once it hits a rule that tells it to DROP/REJECT/ACCEPT the packet, iptables won't try to match any more rules. That's an important concept to keep in mind when building your firewall rules.
Some of the other Targets don't follow that behavior, for example the LOG target will log a packet, but iptables will keep on going down the chain. Some of the other targets like QUEUE and MARK do other funky things, but they're rarely used.
Hope that helps.
Last edited by Capt_Caveman; 11-18-2003 at 07:10 PM.
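Added example, not part of the post above or of the book it discusses: a small Python model of how iptables walks a chain, showing first match wins, LOG continuing down the chain, the jump into a user-defined FLAGS chain that returns to INPUT when nothing matches, and an INVALID-state rule. The rule set and packets are constructed for illustration (the FLAGS rules are given a DROP target, which the post's fragments omit).

```python
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def tcp_flags(mask, comp):
    # Model of "--tcp-flags MASK COMP": of the flags in MASK, exactly COMP are set
    return lambda p: p["proto"] == "tcp" and (p["flags"] & mask) == comp

def walk(chains, name, pkt, log):
    # chains maps a chain name to (policy, rules); each rule is (match, target).
    # A user-defined chain has policy None: with no terminating match, control
    # returns to the rule after the jump in the calling chain, as in iptables.
    policy, rules = chains[name]
    for match, target in rules:
        if not match(pkt):
            continue                            # no match: try the next rule
        if target in TERMINATING:
            return target                       # first terminating match wins
        if target == "LOG":
            log.append(f"{name}: {pkt}")        # log, then keep walking the chain
        elif target == "RETURN":
            return None
        elif target in chains:                  # "-j FLAGS" style jump
            verdict = walk(chains, target, pkt, log)
            if verdict is not None:
                return verdict                  # the user chain decided
    return policy                               # chain policy (None: return to caller)

def build_chains():
    # Constructed rule set modelled on the post's FLAGS chain (not the book's firewall)
    return {
        "FLAGS": (None, [                       # user-defined, as with $IPT -N FLAGS
            (tcp_flags({"ACK", "FIN"}, {"FIN"}), "LOG"),
            (tcp_flags({"ACK", "FIN"}, {"FIN"}), "DROP"),
            (tcp_flags({"ACK", "PSH"}, {"PSH"}), "DROP"),
        ]),
        "INPUT": ("DROP", [                     # built-in chain, policy DROP
            (lambda p: p["proto"] == "tcp", "FLAGS"),
            (lambda p: p["state"] == "INVALID", "DROP"),   # -m state --state INVALID
            (lambda p: p["dport"] == 22, "ACCEPT"),
            (lambda p: p["dport"] == 22, "DROP"),          # contradictory: never reached
        ]),
    }

def verdict(pkt, chains=None):
    # Returns (verdict, log lines) for one packet entering INPUT
    log = []
    return walk(chains or build_chains(), "INPUT", pkt, log), log

if __name__ == "__main__":
    fin_only = {"proto": "tcp", "flags": frozenset({"FIN"}), "state": "NEW", "dport": 22}
    print(verdict(fin_only))
```

Swapping the two port-22 rules in INPUT flips the verdict for an established SSH packet from ACCEPT to DROP, which is the ordering point the post makes.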