iptables

1) DHCP - iptables rules are not reuqired to make DHCP work.
Linux kernel will not send traffic via ethernet interface untill it has an IP address assigned. DHCP client uses raw sockets to 
communicate with the DHCP server, which happens before Iptables have change to process the traffic. 

2) iptables rule = classifier (iptable match) + action (iptables target)

Chains in which rules are applied:
- mangle - used to control TOS attributes, MARKs, TTL. Single table.
- filter - policy decision take place here. Tables: forward (target behind firewall, input (traffic to firewall), output (return, or originating traffic).
- nat - changes to src/dst IPs. Tables: 
-- preroute: DNAT, REDIRECT
-- postroute: SNAT, MASQUERADE
-- output: DNAT, REDIRECT

log:
--log-level
--log-prefix (add space after?, 29 char limit)
--log-uid

Note: output traffic will not go through the pre-route chain.
Note: fireall can filter traffic (implement policy), or deliver to an app (per policy) which can than forward/proxy traffic, implenting complementing or contradicting policy.

Modules
conntrack - allowing traffic requires the following states:
- new (SYN)
- established (active connection traffic that match the state attributes (window/sequence...)
- related (ICMP, also needed when using protocols with separate control and data conns eg. FTP)

Note: 
cat /proc/net/tcp 
sysctls related to iptables
ip route show table local
use policy for default deny
--append adds rule to the end of the chain
--insert adds rule to the head of the chain, or at specified line number
--check will verify that specified rule already exists
invoke: iptables -nvL --line-numbers

ref:
http://www.netfilter.org/