Abstract: Netfilter is the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packet mangling. This paper begins with introduction to the framework of netfilter, and some key technology, such as the connection tracking, packet filtering, network address translation, and packet mangling are analyzes in detail. In addition, the strategy of response to intrusion is researched in this paper, and an active response model based on netfilter is given. Through the test proofed, the model could efficiently strengthen the system security.