> ip src/dest is used for routing decisions by the kernel. The IP state
> machine (check the RFC or any decent TCP/IP textbook) is really quite
> simple. But iptables sticks its nose into the center of that state
> machine and can mangle addresses to change how packets flow through the
> machine, or just simply yank packets right out of the machine with a
> simple NO (drop).
>
> So in my mind's eye of the IP state machine (my MSU CPS 410 prof was
> death on state machines; turn in a perfectly executing assignment
> without one and there went half your grade. See HIP for its state
> machine) is dictated by iptables as to what it is allowed to route.

That just means iptables can influence routing by manipulating packet headers. Routing is still controlled by the kernel.
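The distinction drawn in the reply above, as an added example that is not part of the original thread: a simplified Python model (an assumption, not kernel code) of the forwarding path, where hook rules may rewrite or drop a packet and a separate longest-prefix lookup then picks the output interface from whatever destination the header holds at that point. All addresses, interface names and function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, output interface). Hypothetical values.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    (ipaddress.ip_network("10.0.0.0/8"), "eth1"),
    (ipaddress.ip_network("10.1.2.0/24"), "eth2"),
]
LOCAL_ADDRS = {ipaddress.ip_address("192.0.2.1")}  # addresses owned by this host

def route_lookup(dst):
    """Routing decision: longest-prefix match on the destination address only."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def dnat(match_dst, new_dst):
    # Models a PREROUTING DNAT rule: rewrite the destination header field.
    return lambda p: {**p, "dst": new_dst} if p["dst"] == match_dst else p

def drop_src(src):
    # Models a filter rule with a DROP target: returning None removes the packet.
    return lambda p: None if p["src"] == src else p

def traverse(packet, prerouting=(), forward=()):
    """Simplified path: PREROUTING hooks -> routing decision -> FORWARD hooks."""
    pkt = dict(packet)
    for rule in prerouting:            # hooks can mangle headers or drop
        pkt = rule(pkt)
        if pkt is None:
            return "DROP"
    if ipaddress.ip_address(pkt["dst"]) in LOCAL_ADDRS:
        return "INPUT"                 # delivered locally, not forwarded
    dev = route_lookup(pkt["dst"])     # same lookup, whatever the hooks did
    for rule in forward:
        if rule(pkt) is None:
            return "DROP"
    return dev
```

The lookup function never changes between runs; only the header it is given does, which is how a DNAT rule moves a packet from local delivery to `eth2` without touching the routing table.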