| Term | Definition |
| --- | --- |
| Firewall | A security system that prevents unauthorized data flow to and from other networks. |
| packet filter | Software that examines the header of each packet as it passes through and decides the fate of the packet based on that header alone, without accounting for its relationship to any other packet. |
| connection tracking | The ability to maintain state information about a connection in kernel memory tables: source and destination IP address and port number pairs (socket pairs), protocol type, connection state and timeouts. |
| stateful firewall | A firewall that performs connection tracking. |
| NAT | Network Address Translation. The alteration of the source and/or destination address of IP headers. |
| Netfilter | The packet-filtering framework introduced in the Linux 2.4 kernel, used to provide firewalling capabilities. |
| iptables | The user-space portion of Netfilter: the command-line program executed to alter the behavior of the Netfilter modules running in the kernel. |
| tables | There are currently three tables in Netfilter (filter, nat and mangle). Each is present only if its corresponding module is loaded. Tables contain built-in chains. |
| filter table | The table that contains the built-in chains INPUT, FORWARD and OUTPUT. It is used to determine whether to accept, drop or reject network traffic. |
| nat table | The table used to facilitate network address translation. It contains the built-in chains PREROUTING, OUTPUT and POSTROUTING. |
| mangle table | The table used to alter parts of the packet other than the source and destination addresses (for example the TOS or TTL fields). It contains the built-in chains PREROUTING and OUTPUT. |
| command | The part of the iptables command line which tells Netfilter what type of change is to be made (e.g. append, delete, list). |
| parameter | Options used to specify which network traffic a rule matches (e.g. input interface, destination address). |
| target | The action taken when a packet matches all of a rule's parameters (e.g. ACCEPT, DROP, or a jump to another chain). |
| rule | Specifies matching criteria for a packet and a target; consists of parameters and a target. |
| chain | An ordered list of rules, checked one after another until a rule matches. |
| built-in chain | One of the chains which exists as part of a table and is traversed when a packet reaches the corresponding Netfilter hook. |
| user-defined chain | A chain created by the user; it can be used as a target in a built-in chain or in another user-defined chain. |
| DNAT | Destination Network Address Translation (nat table, PREROUTING and OUTPUT chains only). The alteration of the destination address of network traffic so that it appears to be destined for a different host than the one originally addressed, for example to forward a public port to an internal server. |
| SNAT | Source Network Address Translation (nat table, POSTROUTING chain only). The alteration of the source address of network traffic so that it appears to originate from the translating host instead of the actual originating host. |
| MASQUERADE | A special case of source network address translation (nat table, POSTROUTING chain only) for interfaces with dynamically assigned addresses: the source is rewritten to whatever address the outgoing interface currently has. |
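The terms above fit together as follows. The script below is an added example and is not part of the original glossary: it generates (but does not load) an iptables-restore ruleset for a small stateful NAT gateway, using the filter table with connection tracking, a user-defined chain as a target, DNAT in nat/PREROUTING and MASQUERADE in nat/POSTROUTING. The interface names, LAN subnet and DMZ host address are assumed values.

```shell
#!/bin/sh
# Added example (not from the original glossary): build an iptables-restore
# ruleset for a stateful NAT gateway. Interface names and addresses passed
# in by the caller are assumptions for illustration only.

# gen_ruleset WAN_IF LAN_IF LAN_NET DMZ_HOST
# Prints the ruleset to stdout; nothing is applied to the kernel here.
gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"; dmz="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP-IN - [0:0]
# Loopback and packets belonging to a tracked connection are accepted;
# the state match is what makes this a stateful firewall.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# New TCP connections to the gateway itself jump to a user-defined chain.
-A INPUT -p tcp -m state --state NEW -j TCP-IN
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Only SSH from the LAN side reaches the gateway; anything else RETURNs
# to INPUT and falls through to the DROP policy.
-A TCP-IN -i $lan -p tcp --dport 22 -j ACCEPT
-A TCP-IN -j RETURN
# LAN hosts may start connections outward; replies come back as
# ESTABLISHED,RELATED. Inbound web traffic is only accepted after the nat
# PREROUTING chain has already rewritten its destination to the DMZ host.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -s $lan_net -o $wan -m state --state NEW -j ACCEPT
-A FORWARD -i $wan -o $lan -d $dmz -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT belongs in PREROUTING: the destination is rewritten before the
# routing decision, so the kernel forwards the packet to the DMZ host.
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $dmz:80
# MASQUERADE (SNAT for a dynamic address) belongs in POSTROUTING: the
# source is rewritten after routing has chosen the outgoing interface.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
EOF
}

# check_nat_chains RULESET
# Returns 0 if no DNAT rule sits in POSTROUTING and no SNAT/MASQUERADE rule
# sits in PREROUTING. iptables-restore would reject such rules anyway, but
# catching the mistake before touching the kernel is cheaper.
check_nat_chains() {
    ! printf '%s\n' "$1" | grep -Eq '^-A POSTROUTING .*-j DNAT|^-A PREROUTING .*-j (SNAT|MASQUERADE)'
}

# Usage (as root, after enabling forwarding):
#   sysctl -w net.ipv4.ip_forward=1
#   gen_ruleset eth0 eth1 192.168.1.0/24 192.168.1.10 | iptables-restore
```

Reading the generated text top to bottom shows the chain-to-table mapping from the glossary: the filter table only ever decides ACCEPT/DROP, while the address rewriting is confined to the nat table, with DNAT ahead of routing and MASQUERADE after it.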