That is a great distinction.

So I will define netfilter as:
the packet filtering framework inside the Linux 2.4.x and 2.6.x kernel series

and iptables as:
the command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset

What do you think?

By the way, if netfilter is part of the kernel itself, does it mean that is the only way to filter packets?

Is it possible to uninstall netfilter and install another thing?

Kind regards.

I am a bit late coming to this thread, but I thought I would mention for anyone who comes across it that the link win32sux posted above, to Oskar Andreasson's tutorial is hands down, the most comprehensive tutorial I have ever seen on iptables. Where have you been hiding this gem, win32sux?

And now the 3.0.x series too, right?

Sounds good to me. If you're doing this as part of a paper for school, make sure you follow the citation/reference rules your school uses. Otherwise, it'll look like you're plagiarizing.

I'm sure it's not only possible, but also quite feasible (given the freely-available source code). That said, I don't really know if anyone's put together such a patch. I do remember having run into at least one thread here in LQSEC where the poster was looking to do precisely that (albeit such a thread would have been moved to Programming), but I don't recall how things played out.

LOL! Right next to the rock you've apparently just crawled out from under.

Wait... I thought the current kernel series was 2.6.x...

1. Is the 3.0.x series already released?

2. What happened with 2.8.x?

Kind regards.

Linux 3.0 is at RC5 as of yesterday, so it should be released RSN.

To get an idea of why the jump from 2.6.39 to 3.0 was made, check this out.

Great, thanks for the link.

What is RSN?

Sure, no problem.

Real soon now.

Great .

So, recapitulating:

Netfilter:
The packet filtering framework inside the Linux 2.4.x, 2.6.x and 3.0.x kernel series

Iptables:
The command line program used to configure the Linux 2.4.x, 2.6.x and 3.0.x IPv4 packet filtering ruleset

Good enough?

Sounds okay to me.

Hello guys.

I just need to confirm some conclusions I made for my test:

1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD
3. every forwarded packet was DNATed and will be SNATed

Kind regards and thanks for the patience.

Anyone here?

FWIW, #3 seems incorrect to me, as both DNAT and SNAT are optional.

I got the conclusion 3 when I asked myself what happens with a packet when is forwarded.

I thought: is DNATed in PREROUTING and SNATed in POSTROUTING.

Just because a packet traverses those chains doesn't mean it will get sent to those targets.

No, you are right, not every packet is DNATed when it goes through PREROUTING.

But like I said in the first 2 points:
1. every incoming DNATed packet goes necessarily to FORWARD
2. every outgoing SNATed packet not necessarily comes from FORWARD

In 1, DNAT happens in PREROUTING
In 2, SNAT happens in POSTROUTING (necessarily if it comes from FORWARD and optionally if it comes from OUTPUT).

That's why I concluded point 3:
3. every forwarded packet was DNATed and will be SNATed