Iptables is the userspace binary to control Netfilter, a packet alteration and filtering framework for Linux 2.4. In other words, it controls the firewall and it's rules. Rusty Russell, the person who maintains the code says in his Linux packet filtering howto:
So What's A Packet Filter?
A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated.
Linux packet filtering howto can be found from http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/index.html
Iptables is quite a powerful package compared to old ipchains. One big advancement is that iptables allows stateful inspection of packets that travel through the chains of rules. Stateful inspection means in short that one can decide what to do with packet depending on its state; it can be NEW, ESTABLISHED or RELATED for example.
With my limited experience in last couple of days with changing my firewall from ipchains to iptables I learned that iptables can do NAT, Masquerading, Forwarding, Filtering based on UID, Transparent proxying as well as limiting the rate of packet flow.
One of the interesting features along the stateful inspection is possibility to tag different logging -instructions with specific text (only 29 characters allowed). This means that this string will be added in the beginning of the log entry, making it easy to identify faster what is happening, rather than having to try to figure out the otherwise quite complex looking mixture of source and destination, protocol, mac-address strings for example.
So, how it works?
There are 3 default chains, INPUT, OUTPUT and FORWARD, for which one can apply rules to. They are called chains because the rules are applied to build a chain. Then the packets travel this chain and the rules are applied to packets in the order the rules are defined. There is also possibility to create your own chains, and use these rules as targets for packets traveling through default chains.
this is by no means complete reference to iptables. node what you know