IPTABLES, which supersedes the old IPCHAINS code, is the generic name for what is actually a group of kernel modules and applications used to define and control Linux kernel firewalling. It includes modules and applications to provide IPv4, IPv6, ARP, and Ethernet frame packet filtering as well as some stateful inspection of packets. There are many options for filtering, depending not only on the packet characteristics (such as protocol, source and destination addresses), but also on how the packet is being handled: whether it is just entering the system, being forwarded, exiting to the network, in need of address translation (such as Network Address Translation, or NAT), or related to an established connection. There are several good books available on IPTABLES, or you can start with the documentation on the www.netfilter.org website, which is the home of the IPTABLES code as well as many related projects.
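The handling stages listed above map onto the built-in chains of the filter and nat tables. The following is an added example, not taken from the original text: a shell function that prints an iptables-restore ruleset for a small two-interface gateway, with one rule group per stage. The interface names (`eth0`, `eth1`) and the LAN subnet are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; nothing is applied here.
# WAN_IF, LAN_IF and LAN_NET are assumed values for a two-interface gateway.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"

build_ruleset() {
cat <<EOF
*filter
# Default policy: drop anything entering or crossing the box unless allowed below
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Entering the system: loopback, then stateful inspection of known connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Packet characteristics: protocol, source address and destination port (SSH from LAN only)
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Being forwarded: replies come back in, new connections only from LAN to WAN
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Address translation: LAN traffic leaving via the WAN interface is masqueraded
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset for review. To check the syntax without committing it,
# pipe the output to "iptables-restore --test" as root.
build_ruleset
```

Traffic leaving the system itself is governed by the OUTPUT chain, which this sketch leaves at ACCEPT; forwarding also requires `net.ipv4.ip_forward` to be enabled in the kernel.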
There is a project, NFTABLES, which is slated to replace IPTABLES in the kernel. It is still under development and at the time of writing, there is no official Debian support (either in Debian 7 or the testing release for Debian 8). However, there are compatibility packages in the works, and once the code becomes part of the official Linux kernel, official Debian packages are expected to follow.
Since most firewall packages provide their own ways to define your firewalls and output the appropriate iptables configuration commands, it is not necessary to understand all of the gritty details of IPTABLES, but a good administrator will want to understand the basics for a couple of reasons. First, it will help in understanding the capabilities of the firewall configuration software, since the features will be based on what can be done with IPTABLES, and second, it will be needed if you use something such as fireflier or mason, which propose rules and expect you to modify or delete them as required for your specific environment.
Of course, beyond understanding what is possible, it is necessary to figure out what is required for your firewall.