
This is paraphrased, in part, from the Packet Filtering HOWTO, which can probably be found somewhere on the Wiki, but should be read at netfilter.org.

Packet filtering

Packet filtering is provided as part of the Linux kernel. You need to ensure your kernel is compiled with CONFIG_NETFILTER enabled (and that you're running 2.3.15 or later, which is where netfilter first appeared). Then you'll need to make sure that CONFIG_IP_NF_IPTABLES is built either as a module or into the kernel. Stateful rules like the ones further down also need connection tracking (CONFIG_IP_NF_CONNTRACK) and the state match (CONFIG_IP_NF_MATCH_STATE).

The tool that manipulates the kernel's filtering rules is called iptables(8). (You may have seen other documentation referring to ipchains or ipfwadm: 2.2 series kernels used ipchains(8), and 2.0 series kernels used ipfwadm(8). Documents that talk of either are too old to help with specifics, but the concepts still apply. If you really have to use ipchains/ipfwadm rules, 2.4 kernels can be built with backwards-compatibility modules for them, but those cannot be loaded alongside the iptables module: it's one or the other.)

The same netfilter framework also provides transparent proxying, masquerading (NetworkAddressTranslation), and anything else related to rewriting packets.

netfilter is a set of hooks inside the Linux 2.4.x kernel's network stack which allow kernel modules to register callback functions that are called every time a network packet traverses one of those hooks.

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (matches) and one connected action (target).

netfilter, iptables, the connection tracking subsystem and the NAT subsystem together make up the whole framework.

Main Features

  • stateful packet filtering (connection tracking)
  • all kinds of network address translation
  • flexible and extensible infrastructure
  • large number of additional features as patches

What can I do with netfilter/iptables ?

  • build internet firewalls based on stateless and stateful packet filtering
  • use NAT and masquerading for sharing internet access where you don't have enough addresses
  • use NAT for implementing transparent proxies
  • build sophisticated QualityOfService routers
  • do further packet manipulation (mangling) like altering the TOS (Type of Service) field of the IP header

Permanence of rules

The kernel boots up with no firewalling rules. If you manually add a rule with iptables(8), it will not be there next time you boot. You will need a firewall script that runs on boot, or you can dump the running ruleset with iptables-save(8) and reload it at boot with iptables-restore(8), which loads a whole table in one atomic operation instead of rule by rule (so there is no window during boot where only half the rules are in place).

What are chains?

A chain is an ordered list of rules. A packet traversing a chain is tested against the rules in order, and the first rule that matches decides its fate through its target (ACCEPT, DROP, or a jump to another chain). If no rule matches, a built-in chain applies its policy, and a user-defined chain returns to the chain that jumped to it. The filter table has three built-in chains: INPUT (packets addressed to this host), OUTPUT (packets generated by this host) and FORWARD (packets routed through this host). You create your own chains with iptables -N, as the example below does.

The world's simplest firewall

  1. Create a chain which blocks new connections, except if coming from inside.

    iptables -N block
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
    iptables -A block -j DROP

  2. Jump to that chain from the INPUT and FORWARD chains.

    iptables -A INPUT -j block
    iptables -A FORWARD -j block

The HOWTO this is taken from writes the negation as -i ! ppp0; current iptables releases expect ! -i ppp0 and treat the old form as deprecated. Anything that reaches the end of block is dropped, which includes NEW connections arriving on ppp0 and packets that connection tracking marks INVALID. OUTPUT is left at its default ACCEPT policy, so the host's own outbound traffic is unrestricted, and the rules assume ppp0 is the only untrusted interface: a NEW connection on any other interface, including lo, is accepted.
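The two points above, a ruleset that has to be reinstalled at every boot and the block chain itself, come together in the following boot-time script. It is an added example, not code from this page or from the netfilter project: it writes the same ruleset in iptables-restore(8) format, with the external interface name as a parameter and the current -m conntrack --ctstate spelling of the state match, and loads it only when run as root. The default interface ppp0, the output path passed by the caller and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build the "world's simplest
# firewall" as an iptables-restore ruleset and load it at boot.
# Assumptions: the untrusted interface defaults to ppp0, and the caller
# chooses where the ruleset file is written.

# gen_rules IFACE: print the filter table in iptables-restore(8) format.
# Policies stay ACCEPT, as on the page; the block chain does the dropping.
gen_rules() {
    iface="${1:-ppp0}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A block -m conntrack --ctstate NEW ! -i ${iface} -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

# rule_count RULESET: number of -A lines in a ruleset, a cheap sanity check
# before handing the file to iptables-restore.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# install_rules IFACE FILE: write the ruleset to FILE; when running as root,
# parse it with --test first and only then load it atomically.
install_rules() {
    gen_rules "$1" > "$2"
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$2" && iptables-restore < "$2"
    fi
}

# usage from an init script:  install_rules ppp0 /etc/iptables.rules
```

Because iptables-restore replaces the whole filter table in one step, rerunning the script never leaves duplicate rules behind, which a series of `iptables -A` calls in a boot script does unless you flush first.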