Firewall with iptables


Everyone thinks they know what a firewall is until you get down to the details.   In its simplest incarnation, a firewall is a filtering router that screens out unwanted traffic.


Linux provides the traffic-filtering tools needed to create a simple firewall.   Combining the routing capabilities of the Linux kernel with the packet-filtering features of iptables creates a filtering router.



The Linux kernel tests a packet against one of three(3) built-in chains, depending on where the packet is headed.   Chain names are case-sensitive, so write them in upper case:

 

INPUT 

   incoming traffic addressed to this host is tested against the INPUT chain before it is accepted

OUTPUT 

   traffic generated by this host is tested against the OUTPUT chain before it is sent

FORWARD 

   traffic that is being routed through the Linux system (neither addressed to it nor generated by it) is tested against the FORWARD chain.   This is the chain a filtering router does its work in

  

The Linux kernel maintains a list of rules for each of these categories.   These lists of rules, called chains, are maintained with the iptables command.   Rules in a chain are checked in order, and the first matching rule with a terminating target (ACCEPT, DROP and so on) decides the packet's fate, so the order of rules matters.   Use the following options with the iptables command to create or delete user-defined chains, add rules to a chain, delete rules from a chain, and change the order of the rules in the chain:


-A 

   appends rules to the end of the chain

-D 

   deletes selected rules from a chain

-E 

   renames a chain

-F 

   removes all of the rules from the chain

-I 

   inserts a rule into a chain.   A rule number specifies where in the chain the new rule is inserted; if none is given, the rule goes in at position 1, the head of the chain

-L 

   lists all rules in a chain.   If no chain is specified, all rules in all chains are listed.   Add -n to print addresses and ports as numbers instead of resolving them, -v to show packet counters and interfaces, and --line-numbers to show the rule numbers that -I, -D and -R use

-N 

   creates a user-defined chain with the specified name

-P 

   sets the default policy for a chain

-R 

   replaces the rule at the given rule number in a chain

-X 

   deletes the specified user-defined chain.   The chain must be empty and no rule may still jump to it; with no chain name, every empty user-defined chain is deleted

-Z 

   resets the packet and byte counters in all chains to zero(0)

The target named with -j decides what happens to a packet that matches a rule.   The built-in targets are written in upper case:

ACCEPT 

   lets the packet pass through the firewall

DROP 

   discards the packet silently, without telling the sender

QUEUE 

   passes the packet up to a user-space program for processing

RETURN 

   in a user-defined chain, RETURN means to go back to the chain that called this chain and continue with the rule after the one that jumped.   

   In one of the three(3) built-in chains, it means to stop traversing the chain and apply the chain's default policy 

  

Use the parameters that come with the iptables command to construct filters that match the protocol used, the source or destination address, the port, or the network interface used for the packet.   The iptables parameters are as follows:

 

-p protocol 

   defines the protocol to which the rule applies.   protocol can be one of the keywords tcp, udp, icmp or all, or any name or number from the /etc/protocols file

-s address [/mask] 

   defines the packet source to which the rule applies.   address can be a hostname, a network name, or an IP address with an optional address mask (for example 192.168.1.0/24).   A hostname is resolved only once, when the rule is loaded, so an address is the safer choice

--sport [port [ :port ] ] 

   defines the source port number of the packets to which this rule applies.   port can be a name or number from the /etc/services file, and port:port gives a range.   --sport and --dport are only valid together with -p tcp or -p udp

-d address [/mask] 

   defines the packet destination to which the rule applies.   The address is defined using the same rules as those used to define the address for the packet source

--dport [port [ :port ] ] 

   defines the destination port number to which the rule applies.   This filters all traffic bound for a specific port or range of ports

--icmp-type type

   defines the ICMP type to which the rule applies.   type can be any valid ICMP message type number or name (for example echo-request) and is only valid together with -p icmp

-j target 

   identifies the target: a built-in target that decides what happens to the packet, or a user-defined chain to which control should be passed

-i name 

   defines the name of the input network interface to which the rule applies.   Only packets received on this interface are affected by this rule.   Valid in the INPUT and FORWARD chains, not in OUTPUT

-o name 

   defines the name of the output network interface to which the rule applies.   Only packets sent on this interface are affected by this rule.   Valid in the OUTPUT and FORWARD chains, not in INPUT

-f

   indicates that the rule refers only to second and subsequent fragments of fragmented packets.   When connection tracking is loaded, the kernel reassembles fragments before the filter rules see them, so this match rarely fires on a modern system
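The script below is an added example, not code from the original page: it builds a small filtering-router rule set for a two-interface Linux box using the options, targets and parameters listed above.   The interface names (eth0 outside, eth1 inside), the 192.168.1.0/24 network and the admin host 192.168.1.10 are assumptions; change them to fit the host.   It also uses the conntrack match (-m conntrack --ctstate ESTABLISHED,RELATED) to admit return traffic, which is standard iptables but not one of the parameters listed above.

```shell
#!/bin/sh
# Added example (not from the original page): minimal filtering-router rules.
# Interface names, networks and the admin host are assumptions.
#   ./firewall.sh show    print the iptables commands (no root needed)
#   ./firewall.sh apply   run them (as root, on the gateway itself)

WAN_IF=${WAN_IF:-eth0}                   # assumed outside (Internet) interface
LAN_IF=${LAN_IF:-eth1}                   # assumed inside (LAN) interface
LAN_NET=${LAN_NET:-192.168.1.0/24}       # assumed inside network
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}   # assumed management workstation

# Print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start from a clean slate: flush rules, delete user chains, zero counters.
    ipt -F
    ipt -X
    ipt -Z

    # Default policies: deny by default, then list what is allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Traffic addressed to the firewall itself (INPUT chain).
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections that were already allowed through.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Ping from the LAN only.
    ipt -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # SSH from the LAN is handed to a user-defined chain that checks the source.
    ipt -N ADMIN
    ipt -A ADMIN -s "$ADMIN_HOST" -j ACCEPT
    ipt -A ADMIN -j RETURN       # back to INPUT; no later rule matches there,
                                 # so the DROP policy applies to everyone else
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ADMIN
    # Anti-spoofing belongs ahead of everything else in INPUT, so insert it at
    # rule number 1 instead of appending: a packet arriving on the outside
    # interface can never legitimately carry an inside source address.
    ipt -I INPUT 1 -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Traffic routed through the firewall (FORWARD chain); the spoof check is
    # appended first so it is tested before the accept rules.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Routing must be switched on or the FORWARD chain never sees a packet.
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  DRY_RUN=1; firewall_rules ;;
    apply) firewall_rules ;;
esac
```

Run it with show first to read the commands, then apply and check the result with iptables -L -n -v --line-numbers; the numbers it prints are the ones -I, -D and -R take.   The rules live only in kernel memory and are gone after a reboot, so save them with iptables-save to a file that iptables-restore can reload at boot.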