diff --git a/LDP/howto/docbook/IPTables.sgml b/LDP/howto/docbook/IPTables.sgml
index 84e4246a..c5658e00 100644
--- a/LDP/howto/docbook/IPTables.sgml
+++ b/LDP/howto/docbook/IPTables.sgml
@@ -114,9 +114,286 @@ some conenction types. (FTP and IRC at the moment)
cover compiling and/or installing IPTables. Usually this is pre-installed
with a 2.4.x distro and if not then please consult the Netfilter website
for more information.
+ Basic knowledge about networking; ports, packets, etc.
+
-
+
+
+Essential IPTables commands
+There are tens upon tens of commands and switches for IPTables, this
+section is a must read it shows you the vital commands for use in this HOWTO.
+They are listed below:
+
+
+ -t <table>: This specifies the table to work on. If
+ -t is ommited then the "filter" table is specified.
+ -L <chain>: List all rules in the specified chain.
+ If the chain is not specified it lists all chains and rules in the
+ current table.
+ -F <chain>: Flushes the specified chain of all
+ rules. Again, if no chain is specified it flushes all rules in all chains
+ in the current table.
+ -X <chain>: This removes the specified user-defined
+ chain. If no chain is specified it deletes all user-defined chains in the
+ current table. (Note: You cannot delete a chain referenced to by another
+ rule.)
+ -N <chain>: This creates a new user-defined chain
+ for you to add rules to.
+ -A <chain> <rule>: This appends a rule to the
+ end of the specified chain. Rules are explained later.
+ -D <chain> <number>: Deletes the rule at
+ position "number" in the specified chain.
+ -P <chain> <policy>: Changes the policy for
+ "chain" to "policy".
+
+
+ That is the main commands outlined, the rest of the commands are
+ well documented in the man page IPTABLES(8). It also contains the flags
+ for useage in rules. I won't list them here because there are too many.
+
+
+
+
+
+Tables, Chains and the like
+There are two main definitons that need to be set out here. The first
+is a table. Tables contain a set of chains, either built-in or user-defined.
+The main two tables you will encounter are the "filter" table and the "nat"
+table.
+
+Chains are lists of rules that a packet traverses. When a packet enters
+a chain the packet is checked against each criteria, if it is met then the
+packet's fate is determined by the "target" flag. (Explained later in detail).
+
+
+
+The Filter Table
+I am going to explain each table and chain before I show a diagram of the
+overall system. The is so you can understand what each part does without having
+to refer back to this section while looking at the diagram.
+
+The first table we meet is the filter table. This is the table you
+encounter if you type iptables -L (-L means list). If you
+actually enter this command you will encounter a display similar to this:
+
+
+
+[root@enterprise matt]# iptables -L
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+
+
+The INPUT chain
+
+We'll start with the INPUT chain first. When packets enter the system
+they are checked for routing, if the packet is inbound to the local machine
+(in this case to enterprise) then the packet is sent
+down the INPUT chain.
+
+In it's current state the chain is wide open. This is due to the policy.
+When the Tables are initalised each policy is set to ACCEPT, the policy defines
+what happens when a packet meets none of the rules in the chain. To use an
+analogy it is what happens if it drops off the end of the chain.
+
+The case in question has the policy ACCEPT. This is in fact a target that
+can be used in a rule, so as not to repeat myself targets are explain in a
+later section.
+
+The INPUT chain is the chain that you will most want to secure on your
+machine. This is the rule to use to block (or open) ports on the local machine.
+Anything accepted in the chain will make it to your network server daemons,
+anything dropped will not.
+
+
+
+
+The FORWARD chain
+The FORWARD chain is also an important chain, especially if you plan on
+masquerading or NAT'ing your conenctions. As with the INPUT chain the packets
+appear here after routing but when the routing specifies that the packet is
+bound for a machien on the network other than itself.
+
+For instance, if you are using Masquerading and a incoming packet from
+the internet enters the network interface the packet would be processed by the
+routing information and enter the FORWARD chain as it is bound for another
+machine. If the packet is accepted (or is accpeted by policy) then it proceeds
+to the destination (and possibly into its INPUT chain if its running Linux), if
+however it is dropped then it proceeds no further and it is dumped into the
+nearest blackhole.
+
+
+
+
+The OUTPUT chain
+The OUTPUT chain is the final built-in chain in the filter table. It
+governs the outgoing packets once they have been transmitted into the network
+layer by the computer daemons. As with the other chains anythign accepted will
+be allowed passage out to the big-wide-world and dropped packets appear
+alongside their rejected brothers (or sisters).
+
+
+
+
+
+The NAT table
+The NAT (Network Address Translation) table is not accessible by default.
+Firstly, if you have the netfilter code compiled as modules then you may have
+to do a modprobe iptable_nat. Secondly to access any of the
+chains in the NAT table iptables must be invoked with the -t
+nat option. Eg:
+
+iptables -t nat -L
+
+This table is the other super-handy table that we will use. All packets
+traverse the chains in here before entering the filter table and before the
+packets from the filter table leave the computer. I think a little more
+explanation here is in order. The typical default NAT tables output is listed
+below:
+
+
+[root@enterprise matt]# iptables -t nat -L
+
+Chain PREROUTING (policy ACCEPT)
+target prot opt source destination
+
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+
+
+I shall concentrate on the PREROUTING and POSTROUTING chains in this
+table (as I'm not yet sure on what the OUTPUT is for, please mail me if you
+can help).
+
+
+The PREROUTING chain
+The PREROUTING chain....you remember where I said before that all the
+packets are routed then enter the FORWARD/INPUT/OUTPUT chains?? Well the
+PREROUTING chain is where the packets traverse BEFORE
+ they get routed. If for instance you wanted to make all packets
+destined for port 80 on the local machine (10.0.0.1) actually appear on port
+81 of 10.0.0.2 then you would insert the DNAT rule here.
+
+This is also the best place to check for simple spoofing, things like
+local, private IP addresses (10.0.0.x, 192.0.0.x, etc) appearing on the
+internet side of your machine is obviously wrong and can be dropped quicker
+than you can say "distributed denial-of-service attack".
+
+Finally, this is the ONLY place that incoming NAT (Destination NAT, DNAT)
+can be performed. This is so the packets can be mangled to force then down the
+FORWARD chain instead of the INPUT where they would be lost.
+
+
+
+
+The POSTROUTING chain
+This chain is also very important, (else why would I mention it!!), it
+governs the handling of packets after they have been routed and are about to be
+spat out of an network adapter.
+
+The major use for this chain is to allow IP masquerading or Source NAT.
+There is a slight difference. IP Masquerading is made specially for all us
+people with Dynamic IP address. When the interface is taken down the IP Masq
+tries to make sure all connections are closed, this is logical is it is
+unlikely you will have the same IP when the adapter comes live again.
+
+Source NAT is different, it leave ports open. This is made for Static IP
+based conenctions, if for some reason your interface dies then when it goes
+live again it will have to same IP. So, if there have been no timeouts and all
+applications still _assume_ they are connected they carry on as usual.
+
+
+
+
+
+
+The Diagram!!
+
+ ________ _____ _________
+Incoming / \ / \ / \ Outgoing
+ -->|PREROUTING|--->|FORWARD|-------|POSTROUTING|----->
+ \________/ \_____/ \_________/
+ | |
+ v ____
+ ___ / \
+ / \ |OUTPUT|
+ |INPUT| \____/
+ \___/ ^
+ | |
+ -------> Local Process -------->
+
+
+
+
+
+
+
+
+Packet Filtering
+This is where you find out how to firewall off you local machine. It will
+involved some of the theory from above to I adive reading it before proceeding.
+
+
+
+Target (-j) ACCEPT,DROP,REJECT,etc
+When I was talking above about accepting, dropping and the like I wasn't
+just using a phrase. The -j flag in rules specifies what target the rule has,
+in layman speak (I know I needed it) it's what happens when the packet matches
+the rule concerned. If you had the following command:
+
+iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+This would instruct any packet that has made it to that rule and that is
+on port 80 to be accepted.
+
+
+Target: ACCEPT
+This is what is says, it allows a matching packet to continue unhindered.
+Also, once a packet has been accpeted it no longer traverses the chain. So if
+the above chain allows a packet it is universally allowed. A moral is in this
+tale!! If you have any mission critical filters to be tested on all packets
+before any are allowed then put them at the top of the chain
+
+
+
+Target: DROP
+This is the exact opposite of ACCEPT, if the packet matches a filter that
+targets to a DROP then the packet is dumped into oblivion and is never seen
+again. Please beware, DROP is a stealth DROP. If a packet is DROPed then NO
+response is returned to say it failed, you program will just sit around till it
+times out.
+
+
+
+Target: REJECT
+This is similar to DROP, firstly in the netfilter code it is created as
+a seperate module (ipt_REJECT.o) and as such needs to be at the very least
+compiled if not modprobe'd. Compared to DROP the only difference it a REJECTed
+packet has a response sent to the originator saying that it failed. I tend to
+use DROP as its stealthy but REJECT has its uses.
+
+
+
+
+Default Policies
+Policies, Policies!! This could be a major security hole on you machine.
+The default policies come set to ACCEPT andif you've read the above stuff then
+you will find that this means ANY packet can get in, out or through your
+network.
+
+
+
+
\ No newline at end of file