iptables is an IP filter that ships with the Linux kernel. Strictly speaking, an IP filter works at the network layer of the TCP/IP stack, but iptables can also match on data-link fields (interface, MAC address) and transport-layer fields (TCP/UDP ports). Broadly, iptables consists of tables, which consist of chains, which are made up of rules.
Default tables are:
- Raw
- Mangle
- NAT
- Filter
Default chains are (yes, they are written in upper case):
- PREROUTING: used by raw, mangle and nat tables
- INPUT: used by mangle and filter tables
- FORWARD: used by mangle and filter tables
- OUTPUT: used by raw, mangle, nat and filter tables
- POSTROUTING: used by mangle and nat tables
I'll discuss the filter table here. It is the one most generally used; if you are interested in the others as well, you can find a detailed tutorial at frozentux. The filter table uses three chains: INPUT, FORWARD and OUTPUT.
- INPUT chain is for packets destined for your own machine. The reply to an HTTP request made by your browser goes through the INPUT chain.
- OUTPUT chain is for packets generated by your machine. The HTTP request made by your browser goes through this chain.
- FORWARD chain is for packets your machine receives that are not addressed to it; the machine is only supposed to forward them to another device. This happens when the machine is configured as a gateway or router (and only if IP forwarding is enabled).
Every iptables rule has a "target", which is executed when a packet matches the rule's "criteria". The most common targets are:
- ACCEPT: Packet is accepted; in the INPUT chain it is delivered to the local application.
- DROP: Packet is silently discarded. Nothing is sent back to the sender.
- REJECT: Packet is discarded and an error is sent back to the sender (an ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset).
- LOG: Packet details are written to the kernel log (read with dmesg or through syslog). LOG does not stop rule evaluation, so it is normally followed by a DROP or REJECT rule.
- DNAT: Rewrites the destination IP (and optionally port) of the packet.
- SNAT: Rewrites the source IP (and optionally port) of the packet.
The first four are used in the filter table; DNAT and SNAT belong in the nat table. Now let us discuss some of the common criteria:
- -p <protocol>: matches the protocol, e.g. tcp, udp, icmp or all
- -s <ip_addr>: matches the source IP address (a network in CIDR notation such as 192.168.1.0/24 also works)
- -d <ip_addr>: matches the destination IP address
- --sport <port>: matches the source port; requires -p tcp or -p udp
- --dport <port>: matches the destination port; requires -p tcp or -p udp
- -i <interface>: matches the interface the packet entered on (valid only in the INPUT, FORWARD and PREROUTING chains)
- -o <interface>: matches the interface the packet leaves on (valid only in the FORWARD, OUTPUT and POSTROUTING chains)
First, set the default policy of the INPUT and OUTPUT chains to DROP, so that anything not explicitly accepted by a rule is discarded:
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
Now we'll allow HTTP and SSH connections to this machine on eth0. Because the OUTPUT policy is also DROP, each service needs a rule for the incoming requests and a matching rule for the outgoing replies (stateless rules match each direction separately):
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT
Note that the -A flag appends each rule to the end of the chain (-I would insert it at the top instead); iptables always needs one of these commands, there is no default. Every rule also needs a -j target: a rule without one still matches packets and updates its counters, but takes no action on them.
Also assume that my machine acts as an FTP server, so I should allow connections on port 21 (the control channel) and port 20 (the active-mode data channel, which the server opens towards the client). Passive-mode FTP uses ephemeral ports and is not covered by these rules:
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 20 -j ACCEPT
Also, I trust my internal network, so I accept all traffic to and from it:
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0
So this is how my final iptables script looks:
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 20 -j ACCEPT
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0
Note that the rules in a chain are evaluated in order. The first rule whose criteria match and whose target is terminating (ACCEPT, DROP, REJECT) decides the packet's fate and evaluation stops there; LOG is not terminating, so evaluation continues with the next rule. The chain's policy (set with -P) applies only when no rule matched.
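The script above is stateless: every allowed service needs an INPUT rule for requests plus an OUTPUT rule for replies, loopback traffic is never accepted, and anything not listed (such as passive-mode FTP data ports) silently breaks. The following is an added example, not code from the original post. It is a POSIX shell script that renders a complete, stateful filter-table ruleset in iptables-restore format, using the conntrack match so that replies in both directions are accepted by one rule each, together with a small lint function that catches two mistakes that are easy to make when typing rules by hand: forgetting the -j target (the rule then only counts matches and accepts nothing) and using -i in the OUTPUT chain or -o in INPUT (iptables refuses to load such a rule). The interface eth0, the trusted 192.168.1.0/24 network and the service ports are taken from the post; the LOGDROP chain, the outbound DNS/HTTP/HTTPS rules and the lint checks are my own additions.

```shell
#!/bin/sh
# Added example (not from the original post): render a stateful filter-table
# ruleset in iptables-restore format and lint rule lines for two mistakes
# that are easy to make by hand. Nothing here touches the live firewall;
# review the output, then load it with:  iptables-restore < host.rules

IFACE="eth0"                  # from the post
TRUSTED_NET="192.168.1.0/24"  # from the post
INBOUND_TCP="22 80 21"        # ssh, http, ftp control: the services in the post

# Print the ruleset on stdout. Order matters: loopback and already-tracked
# connections are accepted first, then new connections to listed services,
# then the trusted LAN; everything left falls through to LOGDROP.
render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
# FORWARD is dropped too: this host is not a gateway
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# loopback: local services break without this
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections already accepted, in both directions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for port in $INBOUND_TCP; do
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# active-mode FTP data: the server opens the connection from port 20, so it
# is NEW in OUTPUT (it is RELATED only when the nf_conntrack_ftp helper is in use)
-A OUTPUT -o $IFACE -p tcp --sport 20 -m conntrack --ctstate NEW -j ACCEPT
# trusted internal network, both directions (from the post)
-A INPUT -i $IFACE -s $TRUSTED_NET -j ACCEPT
-A OUTPUT -o $IFACE -d $TRUSTED_NET -j ACCEPT
# outbound DNS and HTTP/HTTPS from this host (my addition, e.g. for updates)
-A OUTPUT -o $IFACE -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# LOG does not stop evaluation, so a DROP follows it; the limit protects syslog
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Read rule lines on stdin ("-A CHAIN ..." or "iptables -A CHAIN ...") and
# report rules with no -j target and interface options that are invalid in
# the chain (-i in OUTPUT, -o in INPUT; iptables rejects both at load time).
# Returns 0 when every rule is clean, 1 otherwise.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '-A '*|'iptables -A '*|'iptables -t '*' -A '*) ;;
            *) continue ;;   # policies, comments, COMMIT, blank lines
        esac
        chain=$(printf '%s\n' "$line" | sed 's/.*-A \([^ ]*\).*/\1/')
        case " $line " in
            *' -j '*) ;;
            *) printf '%s\n' "no target (-j): $line"; bad=1 ;;
        esac
        case "$chain:$line" in
            OUTPUT:*' -i '*) printf '%s\n' "-i is invalid in OUTPUT: $line"; bad=1 ;;
            INPUT:*' -o '*)  printf '%s\n' "-o is invalid in INPUT: $line"; bad=1 ;;
        esac
    done
    return "$bad"
}

# usage: render_ruleset > host.rules && lint_rules < host.rules
```

Run `render_ruleset > host.rules`, read the file, lint it with `lint_rules < host.rules`, then load it with `iptables-restore < host.rules`; unlike a sequence of iptables -A commands, which leaves the firewall half-built if one command fails, iptables-restore replaces the table atomically. The rule order applies the same idea the post makes about sequential reading: ESTABLISHED,RELATED is matched first so most packets are decided by one rule, and the LOG rule sits last because it is non-terminating and must be followed by the DROP. The older `-m state --state` syntax seen in the comments below the post is equivalent to `-m conntrack --ctstate` for these states.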
Thank you very much sir for sharing the important article
Thanks for sharing this article, but do you have any tutorial explaining the mangle table?
Too many compliments, too little space, thanks! Networking Basics
Can you please explain the commands below?
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
The first rule allows new or already established connections to your web server.
The second rule allows your web server to communicate back to the end user; if you disable this rule, the end user will not be able to receive information back from your server.