The job of the TCP/IP stack in the Linux kernel is to receive data from an application, pack it up, and send it out a network port; and to receive data from the network, unpack it, and deliver it to an application. In theory, the kernel shouldn't alter or adjust the data in any but very specific ways that are permitted by the TCP/IP protocols. One particularly useful routing and security tool, though, violates this theoretical ideal. The
iptables utility configures the Linux kernel to filter and even alter data packets based on various criteria, such as the packets' source and destination addresses. This makes
iptables the standard utility for implementing certain network tools, most importantly packet-filter firewalls ...