display | more...
INPUT, OUTPUT and FORWARD are only the default chains for the filter table. Tables are the highest-level structures in iptables, like chains were in ipchains (D'oh!)

The big picture: Tables have Chains; Chains have Rules.

The three built-in tables are:

filter, which has INPUT, OUTPUT and FORWARD as default chains.
nat, which has PREROUTING, POSTROUTING and OUTPUT as default chains.
mangle, which I admit I know nothing about. (Node what you know, as a wise person once said)

Filtering and NAT work independently of one another. Chains in the nat table never drop or reject a packet; they are good only for altering input or output IP addresses (masquerading or redirection).

iptables is extensible. By installing new kernel modules, along with appropriate command-line modules for the userspace utility, one can implement some original matching rules, like:

- Block or unblock traffic based on time of day (block IRC or RealAudio or ICQ during work hours, for instance)
- Match based on a round robin cycle (can respond to one ping out of each 10. Or use with NAT to get some crude load balancing)
- Match based on probability

and many many more. See the Netfilter Extensions HOWTO at

http://www.netfilter.org/documentation/index.html#HOWTO