Each table applies to a certain context and consists of rule sets, called chains.
If the packet matches a rule, it can either be evaluated by a new chain or have one of three actions applied to it: ACCEPT, DROP, or RETURN (skip to the next rule in the previous chain).
5 default tables may be active, depending on the kernel:
filter: filtering
nat: NAT
mangle: to alter TCP/IP headers
raw: configure exceptions for packets involved in connection tracking
security: mark packets with SELinux security context
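
The rule evaluation described above (a matching rule either hands the packet to another chain or applies ACCEPT, DROP or RETURN) can be traced with a small model. This is an added example, not iptables code: the TCP_IN chain, the rules and the packets are constructed, and the fallback to a chain policy when a built-in chain ends without a verdict is standard iptables behaviour that these notes do not state.

```python
"""Toy model of netfilter chain traversal (added illustration, not iptables code)."""

TERMINAL = {"ACCEPT", "DROP"}

# Constructed rule set: (match fields, target). TCP_IN is a hypothetical
# user-defined chain; addresses come from documentation ranges.
CHAINS = {
    "INPUT": [
        ({"proto": "tcp"}, "TCP_IN"),       # target is another chain: jump
        ({"proto": "icmp"}, "ACCEPT"),
    ],
    "TCP_IN": [
        ({"src": "192.0.2.10"}, "RETURN"),  # back to the rule after the jump
        ({"dport": 22}, "ACCEPT"),
        ({"dport": 23}, "DROP"),
    ],
}


def walk(chains, name, packet, trace):
    """Return ACCEPT/DROP, or None if the chain ends or a RETURN rule matches."""
    for index, (match, target) in enumerate(chains[name], start=1):
        if any(packet.get(k) != v for k, v in match.items()):
            continue                        # rule does not match, try the next
        trace.append(f"{name}#{index}->{target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, packet, trace)
        if verdict is not None:
            return verdict                  # decided inside the called chain
    return None


def evaluate(packet, chains=CHAINS, start="INPUT", policy="DROP"):
    """Run a packet through a built-in chain; fall back to the chain policy."""
    trace = []
    verdict = walk(chains, start, packet, trace)
    return (verdict or policy), trace


if __name__ == "__main__":
    for pkt in (
        {"proto": "tcp", "src": "198.51.100.5", "dport": 22},
        {"proto": "tcp", "src": "192.0.2.10", "dport": 22},
        {"proto": "tcp", "src": "198.51.100.5", "dport": 80},
    ):
        print(pkt, *evaluate(pkt))
```

The second packet shows why RETURN is not a verdict: it leaves TCP_IN, no later INPUT rule matches, and the packet's fate is decided by the policy rather than by the ACCEPT rule for port 22.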