Features in Netfilter

Stateful Inspection
  - Keeps track of connection state, and uses that information to help decide what traffic to block.

Network Address Translation
  - Allows many hosts to communicate with another network using only one "real" IP address.
  - Replaces Masquerading in previous kernels.
  - Is distinctly evil.

IP Packet Mangling
  - Allows rewriting of IP headers on the fly.

Extensible
  - Can be extended using kernel modules and iptables plugins.
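
An added example (not part of the original slide): a small gateway ruleset in iptables-restore format that uses each feature listed above, with the match and target extensions (-m conntrack, -j MASQUERADE, -j TOS) standing in for the extensibility point. The interface names eth0/eth1, the 192.168.1.0/24 LAN prefix and the function name gateway_ruleset are assumptions made for the example.

```shell
#!/bin/sh
# Assumed names (not from the slide): WAN/LAN interfaces and the LAN prefix.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit a gateway ruleset in iptables-restore format.
gateway_ruleset() {
cat <<EOF
# Stateful inspection: default-drop, then accept by connection state.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the LAN side may open NEW connections through the gateway.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# NAT: the whole LAN leaves with the WAN interface's single address.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
# Mangling: rewrite the IP TOS byte of forwarded SSH packets on the fly.
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ${LAN_IF} -p tcp --dport 22 -j TOS --set-tos 0x10
COMMIT
EOF
}

# check: parse only, nothing is committed. apply: load the ruleset (root).
case "${1:-}" in
    check) gateway_ruleset | iptables-restore --test ;;
    apply) gateway_ruleset | iptables-restore ;;
    *)     gateway_ruleset ;;
esac
```

Because INPUT and FORWARD default to DROP, unsolicited traffic from the WAN side is discarded unless the connection tracker already knows the flow.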