The iptables firewall works by interacting with the packet filtering hooks in the Linux kernel’s networking stack. These kernel hooks are known as the netfilter framework.
Every packet that enters the networking system (incoming or outgoing) triggers these hooks as it progresses through the stack, allowing programs that register with the hooks to interact with the traffic at key points. The kernel modules associated with iptables register at these hooks in order to ensure that the traffic conforms to the conditions laid out by the firewall rules.
Netfilter's predecessors were ipchains (Linux 2.2.x) and ipfwadm (Linux 2.0.x); its successor is nftables. iptables is organised into tables, chains, rules and policies.
Network packet processing can be offloaded to hardware.
The iptables firewall tool is built on the kernel's netfilter packet filtering framework.
A firewall policy is expressed as iptables rules.
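As an added example (not part of the original notes), the table / chain / policy / rule hierarchy described above can be made concrete by parsing an `iptables-save` dump; the sample ruleset and the helper names `parse_iptables_save` and `default_deny_chains` are constructed for this illustration.

```python
import re

# Constructed sample in iptables-save format (not captured from a real host).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")  # :NAME POLICY [pkts:bytes]
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")               # -A CHAIN <match> -j TARGET


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str, "rules": [...]}}}; a built-in
    chain's policy decides the fate of traffic that matched no rule."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # iptables-save comments
            continue
        if line.startswith("*"):                 # start of a table block
            current = tables.setdefault(line[1:], {})
        elif line == "COMMIT":                   # end of the table block
            current = None
        elif current is None:
            raise ValueError(f"line outside a table block: {line!r}")
        elif (m := CHAIN_RE.match(line)):
            current[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif (m := RULE_RE.match(line)):
            if m.group(1) not in current:
                raise ValueError(f"rule for undeclared chain: {line!r}")
            current[m.group(1)]["rules"].append(m.group(2))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return tables


def default_deny_chains(tables):
    """(table, chain) pairs whose policy drops anything no rule accepted."""
    return [(t, c) for t, chains in tables.items()
            for c, spec in chains.items() if spec["policy"] == "DROP"]
```

Running it on a real host's `iptables-save` output shows which built-in chains fall back to a default-deny policy, which is the point at which rule order and the final policy together define the effective firewall policy.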