Iptables

Here is a packet flow diagram for iptables, omitting the Prerouting and Postrouting chains for simplicity. It also assumes all traffic through the OUTPUT chain leaves the host, but packets addressed to loopback may circulate back to the "packet in" point.

iptables packet flow diagram

Packet rules are appended to a chain with the form (the long option is --append, short form -A; --jump is -j)
    iptables --append chain_name  packet-description  --jump [ACCEPT | DROP]
Here are a few examples for the packet-description part. You can select by source/destination address, protocol (TCP/UDP/etc), src/dest port, input or output interface, Ethernet address (no examples here), or any other header bits. You can mix and match.
    --destination lamp.cslabs.luc.edu
    --source 10.2.3.0/24
    --protocol tcp --source-port 80    # must have --protocol tcp before you can have any tcp-specific match
    --protocol tcp --destination-port 25 --out-interface eth2
    --protocol icmp --icmp-type echo-request --in-interface eth0
    --protocol udp
    --match state --state ESTABLISHED,RELATED       # --match has several modules; here we use state
    --match state --state NEW
    --protocol tcp --syn   # for TCP, same as --state NEW: first TCP SYN packet
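The matches above combined into a small stateful INPUT policy, as an added example (not from the original notes). The IPT variable defaults to printing the commands so the rule order can be reviewed without root; set IPT=iptables to apply them. The 10.2.3.0/24 management prefix and the port choices are constructed for the example.

```sh
#!/bin/sh
# Command prefix: "echo iptables" prints the rules; IPT=iptables applies them (as root).
IPT="${IPT:-echo iptables}"

# rule CHAIN "packet-description" TARGET -> appends one rule to CHAIN.
rule() {
    chain=$1; desc=$2; target=$3
    # desc is intentionally left unquoted so it is split into separate options.
    $IPT --append "$chain" $desc --jump "$target"
}

# Order matters: iptables walks the chain top to bottom and the first match wins,
# so the cheap, broad accepts go first and the catch-all DROP goes last.
input_policy() {
    # 1. Replies and related traffic for connections already accepted.
    rule INPUT "--match state --state ESTABLISHED,RELATED" ACCEPT
    # 2. Loopback traffic (the packets that circulate back to "packet in").
    rule INPUT "--in-interface lo" ACCEPT
    # 3. New SSH connections, only from the (constructed) management network.
    rule INPUT "--protocol tcp --destination-port 22 --source 10.2.3.0/24 --syn" ACCEPT
    # 4. Web server: the first packet of any new TCP connection to port 80.
    rule INPUT "--protocol tcp --destination-port 80 --match state --state NEW" ACCEPT
    # 5. Answer ping but nothing else on ICMP.
    rule INPUT "--protocol icmp --icmp-type echo-request" ACCEPT
    # 6. Anything not matched above is dropped; this last rule makes the chain a whitelist.
    rule INPUT "" DROP
}

input_policy
```

Because ESTABLISHED,RELATED is accepted before the DROP, only the first SYN of a connection has to pass a specific rule; every later packet of that connection is matched by the state rule.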

When iptables is used to mark packets for iproute2 or tc, the rules usually go in the PREROUTING chain of the mangle table. Iptables also has a CLASSIFY target for tagging packets with the tc HTB class they should be queued in.