The Linux firewall (iptables) divides all traffic into 3 groups: the INPUT, OUTPUT and FORWARD chains of the filter table.
The first two are obvious (packets addressed to the box itself and packets the box sends). The third one is traffic the box routes between interfaces. NAT is not done there but in the separate nat table (PREROUTING and POSTROUTING chains); still, NATed packets for other hosts pass through FORWARD, so that is where you filter them.
Traffic is controlled by adding ACCEPT, DROP or REJECT rules to the appropriate chain. Compared to OpenBSD's pf, iptables seems to be missing tables in pf's sense, i.e. named address sets (what iptables calls "tables" are filter, nat, mangle and so on, weird choice for the name, he he); the closest thing is the separate ipset tool. All rules behave like pf's quick rules, first match wins and order matters, and you need to explicitly take care of connection state: pf keeps state on pass rules by default, iptables only tracks it when you ask, usually with an early -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT rule in each chain.
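An added example, not from the original note: a small iptables ruleset in iptables-restore format that shows the three points above side by side, i.e. state handled explicitly up front, first-match ordering (the admin SSH accept must sit before the catch-all port-22 drop), and an ipset standing in for a pf table. The admin network (192.0.2.0/24, RFC 5737 documentation range), the set name "admins" and the interface names lan0/wan0 are assumptions for illustration. Run it without arguments to print the ruleset; run it as "apply" (as root, with iptables and ipset installed) to load it.

```shell
#!/bin/sh
# Added example: three filter chains plus a nat table, explicit conntrack
# state, first-match ordering, and an ipset as the pf "table" equivalent.
ADMIN_NET="192.0.2.0/24"   # assumed: RFC 5737 documentation range
LAN_IF="lan0"              # assumed interface names
WAN_IF="wan0"

# Emit the ruleset in iptables-restore format (one table per *name/COMMIT block).
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and established/related first: iptables is first-match, nothing is "non-quick"
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the "admins" ipset (pf would use a table here), then drop port 22 for everyone else
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m set --match-set admins src -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
# forwarded traffic: return packets by state, new connections only LAN -> WAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT lives in its own table; the filtering decision for these packets happens in FORWARD above
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Number of rules that match connection state explicitly.
state_rule_count() {
  gen_ruleset | grep -c -- '--ctstate'
}

# Sanity check for first-match semantics: in INPUT the ESTABLISHED,RELATED
# accept must appear before the first DROP, otherwise return traffic dies.
established_before_drop() {
  gen_ruleset | awk '
    /^-A INPUT .*ESTABLISHED,RELATED/ && !e { e = NR }
    /^-A INPUT .*-j DROP/ && !d { d = NR }
    END { exit !(e && d && e < d) }'
}

if [ "${1:-}" = "apply" ]; then
  # the set must exist before iptables-restore references it
  ipset create admins hash:net -exist
  ipset add admins "$ADMIN_NET" -exist
  established_before_drop || { echo "rule order is wrong, not applying" >&2; exit 1; }
  gen_ruleset | iptables-restore
else
  gen_ruleset
fi
```

Swapping the two port-22 rules would silently lock the admins out, which is exactly the "every rule is quick" point; the established_before_drop check guards the other common mistake, a DROP sneaking in above the state rule.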