Linux Netfilter Architecture
I would like to briefly explain the structure of the Linux Netfilter architecture, how it works, and how a packet flows through a Linux machine.
What is a Firewall?
A firewall is a device, software or hardware, that filters the packets passing through a network on the basis of rules and policies.
A firewall has two components: packet filtering and the application-level gateway. Both are used to filter packets depending on packet header and payload information. The packet filter works up to layer 4 (the transport layer) of the TCP/IP model; if we want to filter packets on the basis of payload or data, an application-level gateway is used. I don't want to go into the details of both; this article is only meant to explain the packet filter architecture and how it works. Please look at the IPv4 header, TCP header, UDP header and ARP header on Wikipedia: https://en.wikipedia.org/wiki/IPv4
How Does a Packet Filter Work?
The packet filter is the component of a firewall that filters packets according to specified rules. It takes the packet and matches it against the rules defined in iptables (the program that configures the Linux kernel firewall): the header information of the packet is compared with the features specified in each rule, and if the header properties match a rule's features, the action configured for that rule is triggered. Remember that each rule has two sub-components: the features, which hold all the information that is compared against the packet header, and the target, which specifies the action, e.g. drop the packet, send the packet to another rule chain, or accept the packet. Rules are evaluated in linear order, so keep in mind that order is crucial. The default policy works as follows: if no rule above accepts the packet, the default accepts it, or the other way around; what to accept or deny must be specified manually.

What is a Packet?
A packet is a chunk of information that flows through the internet. A packet also contains all the information that intermediate stations need in order to get it to its destination, e.g. the packet header.
For example, a TCP/IP packet may carry the sender's IP address, the receiver's IP address, the sender's port number, the receiver's port number, and the protocol to which the packet is handed over on the receiving side.

Netfilter Architecture and How It Works
The Netfilter architecture is an indispensable component of the firewall. I will briefly explain here what chains are and how they work.
There are five chains, but we only need to know about three of them; these are crucial for getting into this topic. Whenever a packet arrives at a machine or PC, there is a NIC (network interface card) through which network traffic goes in or out.

As depicted in figure 1.3 above, when a TCP/IP packet arrives at the network interface card it is sent to the PREROUTING chain, after which the routing decision is made: depending on the packet header information, the packet is either destined for a local process or for another router or another interface.
- INPUT CHAIN: if the packet is destined for a local process (a process is code executing at run time), it goes through the INPUT chain. Remember that the local process could be any application interacting with the network; as an example, consider an application running on port 80.
- OUTPUT CHAIN: if the packet is generated by a local process and is intended for another machine, network, router, etc., it flows through the OUTPUT chain, then the POSTROUTING chain, and is then handed over to the network interface card.
- FORWARD CHAIN: if the packet comes in through a network interface and the routing decision determines that it is not intended for the local machine but for another network interface, in other words for another machine or router, the packet goes through the FORWARD chain, then POSTROUTING, and lastly to the NIC.
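The first-match rule evaluation described under "How Does a Packet Filter Work?" and the chain flow above, modelled as an added Python example (it is not kernel or iptables code): built-in chains carry a default policy, rules are checked in linear order, a target can accept, drop, return or jump to a user-defined chain, and the routing decision selects INPUT, OUTPUT or FORWARD. The addresses, the WEB chain and the rules in build_host_filter are constructed sample data.

```python
# Toy model of Netfilter chain traversal and first-match rule evaluation.
# Added for illustration; not kernel or iptables code. All packets,
# addresses and rules here are constructed sample data.
class PacketFilter:
    """Chains map to (rules, policy); a rule is (match_dict, target).
    Built-in chains carry a default policy, user-defined chains do not."""
    def __init__(self):
        self.chains = {c: ([], "ACCEPT") for c in ("INPUT", "OUTPUT", "FORWARD")}

    def add_chain(self, name):
        self.chains[name] = ([], None)

    def set_policy(self, chain, policy):
        self.chains[chain] = (self.chains[chain][0], policy)

    def append(self, chain, match, target):
        self.chains[chain][0].append((match, target))

    def run_chain(self, name, pkt):
        rules, policy = self.chains[name]
        for match, target in rules:  # linear order: the first matching rule decides
            if all(pkt.get(k) == v for k, v in match.items()):
                if target in ("ACCEPT", "DROP"):
                    return target
                if target == "RETURN":
                    break
                verdict = self.run_chain(target, pkt)  # jump into a user chain
                if verdict is not None:
                    return verdict
        return policy  # None from a user chain means "continue in the caller"

    def route(self, pkt, local_addrs):
        """Choose the chain path from the routing decision; return (path, verdict)."""
        if pkt["src"] in local_addrs:      # generated by a local process
            return ["OUTPUT", "POSTROUTING"], self.run_chain("OUTPUT", pkt)
        if pkt["dst"] in local_addrs:      # destined for a local process
            return ["PREROUTING", "INPUT"], self.run_chain("INPUT", pkt)
        return ["PREROUTING", "FORWARD", "POSTROUTING"], self.run_chain("FORWARD", pkt)

def build_host_filter():
    """Constructed ruleset: inbound dropped by default, web allowed via a user chain."""
    f = PacketFilter()
    f.set_policy("INPUT", "DROP")
    f.add_chain("WEB")
    f.append("INPUT", {"proto": "tcp", "dport": 80}, "WEB")
    f.append("WEB", {"src": "10.0.0.66"}, "DROP")  # blocklisted client, checked first
    f.append("WEB", {}, "ACCEPT")                  # empty match: everything else
    f.append("FORWARD", {}, "DROP")                # this host is not a router
    return f
```

Swapping the two WEB rules lets the blocklisted client through, which is the ordering point the article makes.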
I hope this is useful for getting to know the Netfilter architecture and how it works. For practical purposes, run “sudo iptables -v -L” on Linux: you will see all three of these chains, and you can play around by creating client and server machines.
