diff --git a/sec/ex-3_iptables.adoc b/sec/ex-3_iptables.adoc index 190e884..278f692 100644 --- a/sec/ex-3_iptables.adoc +++ b/sec/ex-3_iptables.adoc @@ -44,7 +44,7 @@ and - Graphical front-ends. -''iptables'' is used for https://en.wikipedia.org/wiki/IPv4[IPv4] and ''ip6tables'' is used for ihttps://en.wikipedia.org/wiki/IPv6[IPv6]. Both ''iptables'' and ''ip6tables'' have the same syntax, but some options are specific to either IPv4 or IPv6. +**iptables** is used for https://en.wikipedia.org/wiki/IPv4[IPv4] and ''ip6tables'' is used for ihttps://en.wikipedia.org/wiki/IPv6[IPv6]. Both ''iptables'' and ''ip6tables'' have the same syntax, but some options are specific to either IPv4 or IPv6. === Installation @@ -113,14 +113,14 @@ iptables is the user utility which allows you to work with these chains/rules. ==== The key to understanding how iptables works is http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart]. -The lowercase word on top is the table and the upper case word below is the chain. +The lowercase word on top is the **table** and the upper case word below is the **chain**. - Every IP packet that comes in **on any network interface** passes through this flow chart from top to bottom. **All interfaces are handled the same way; it's up to you to define rules that treat them differently.** -Of course some packets +Some packets - are intended for local processes, hence come in from the top of the chart and stop at **Local Proces**, 
@@ -285,13 +285,14 @@ Target extensions can be either **terminating** (as built-in targets) or **non-t A network packet received on any interface traverses the traffic control chains of tables in the order shown in the http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart] - The first routing decision involves deciding if the final destination of the packet is the local machine (in which case the packet traverses through the **INPUT chains** -- or elsewhere (in which case the packet traverses through the **FORWARD}} chains**. + +- or elsewhere (in which case the packet traverses through the **FORWARD chains**. - Subsequent routing decisions involve deciding what interface to assign to an outgoing packet. At each chain in the path, every rule in that chain is evaluated in order and whenever a rule matches, the corresponding target/jump action is executed. -The 3 most commonly used targets are **ACCEPT**, **DROP**, and jump to a user-defined chain. +The 3 most commonly used targets are **ACCEPT**, **DROP**, and **jump** to a user-defined chain. [NOTE] ==== @@ -299,7 +300,8 @@ While built-in chains can have default policies, user-defined chains can not. ==== - If every rule in a chain that you jumped fails to provide a complete match, the packet is dropped back into the calling chain as illustrated -[http://www.frozentux.net/iptables-tutorial/images/table_subtraverse.jpg here]. +http://docs.swarmlab.io/lab/sec/images/table_subtraverse.jpg[here]. + - If at any time a complete match is achieved for a rule with a **DROP** target, the packet is dropped and no further processing is done. - If a packet is **ACCEPT**ed within a chain, it will be **ACCEPT**ed in all superset chains also and it will not traverse any of the superset chains any further. diff --git a/sec/table_subtraverse.jpg b/sec/table_subtraverse.jpg new file mode 100644 index 0000000..5b96370 Binary files /dev/null and b/sec/table_subtraverse.jpg differ
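Review bot: In the `@@ -44,7 +44,7 @@` hunk the `+` line only half-applies the formatting change and leaves a broken link: `**iptables**` is bolded but `''ip6tables''` keeps the old quote markup on the same line, and the stray `i` in `ihttps://en.wikipedia.org/wiki/IPv6[IPv6]` survives from the `-` line, so AsciiDoc will not render that as a link. Suggest `**ip6tables** is used for https://en.wikipedia.org/wiki/IPv6[IPv6]` on the same line.

Review bot: The `@@ -113,14 +113,14 @@` hunk bolds **table** and **chain** but the unchanged context line still reads `stop at **Local Proces**`; since this hunk already touches the surrounding text, consider fixing the spelling to `Local Process` here rather than in a follow-up.

Review bot: In the `@@ -285,13 +285,14 @@` hunk the removal of `}}` from `**FORWARD}} chains**` is right, but both list items still have an unclosed parenthesis: `(in which case the packet traverses through the **INPUT chains**` and `(in which case the packet traverses through the **FORWARD chains**`. Suggest closing each with `)` after `chains**`. The context line `in the order shown in the http://docs.swarmlab.io/lab/sec/tables_traverse.jpg[this chart]` also reads "the this chart"; dropping `the` would fix it.

Review bot: In the `@@ -299,7 +300,8 @@` hunk the new link `http://docs.swarmlab.io/lab/sec/images/table_subtraverse.jpg[here]` points at an `images/` subdirectory, but the binary added in this same patch lands at `sec/table_subtraverse.jpg`, and the existing chart link uses `http://docs.swarmlab.io/lab/sec/tables_traverse.jpg` with no `images/` segment; one of the two paths is wrong and the image will 404 until they agree. While here, `a chain that you jumped` should read `a chain that you jumped to`.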