At first glance, ipchains and
iptables appear to be quite similar. Both methods of
packet filtering use chains of rules operating within the Linux kernel
to decide what to do with packets that match the specified rule or set of
rules. However, iptables offers a more extensible way
of filtering packets, giving the administrator a greater amount of
control without building a great deal of complexity into the system.
Specifically, users comfortable with ipchains should
be aware of the following significant differences between
ipchains and iptables before
attempting to use iptables:
Under iptables, each filtered
packet is processed using rules from only one chain rather than
multiple chains. For instance, a FORWARD packet coming
into a system using ipchains would have to go
through the INPUT, FORWARD, and OUTPUT chains to move along to its
destination. However, iptables only sends packets
to the INPUT chain if they are destined for the local system and
only sends them to the OUTPUT chain if the local system generated
the packets. For this reason, it is important to place the rule
designed to catch a particular packet within the chain that
actually handles the packet.
The DENY target has been changed to DROP.
In ipchains, packets that matched a rule in a
chain could be directed to the DENY target. This target must be
changed to DROP under iptables.
Order matters when placing options in a
rule. With ipchains, the order of the
rule options does not matter. The iptables
command uses stricter syntax. In iptables
commands, the protocol (ICMP, TCP, or UDP) must be specified before
the source or destination ports.
When specifying network interfaces to be used with a
rule, you must only use incoming interfaces (-i
option) with INPUT or FORWARD chains and outgoing interfaces
(-o option) with FORWARD or OUTPUT
chains. This is necessary because OUTPUT chains are no
longer used by incoming interfaces, and INPUT chains are not seen
by packets moving through outgoing interfaces.
This is not a comprehensive list of the changes, given that
iptables is a fundamentally rewritten network
filter. For more specific information, refer to the Linux
Packet Filtering HOWTO referenced in Section 18.7 Additional Resources.
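As an added example (not part of the original text and not code from the iptables project), the following POSIX shell function lints a candidate iptables rule against the differences listed above: it rejects a DENY target, a -i option on the OUTPUT chain, a -o option on the INPUT chain, and a --sport/--dport option that appears before -p. The function name and the sample rules are constructed for this illustration.

```shell
#!/bin/sh
# check_iptables_rule RULE
# Lint one iptables rule (given as a single string, the arguments you would
# pass to the iptables command) against the ipchains-to-iptables differences
# above. Returns 0 if the rule passes, 1 otherwise, with the first problem
# found printed to stderr.
check_iptables_rule() {
    chain='' target='' prev='' pos=0 proto_pos=0 port_pos=0 has_in=0 has_out=0
    # Walk the rule word by word, noting the chain, the target, whether -i / -o
    # appear, and the positions of -p and of the first port option.
    for w in $1; do
        pos=$((pos + 1))
        case $prev in
            -A|-I|-D) chain=$w ;;
            -j)       target=$w ;;
        esac
        case $w in
            -i) has_in=1 ;;
            -o) has_out=1 ;;
            -p) proto_pos=$pos ;;
            --sport|--dport) [ "$port_pos" -eq 0 ] && port_pos=$pos ;;
        esac
        prev=$w
    done
    if [ "$target" = DENY ]; then
        echo "DENY is not an iptables target; use DROP" >&2; return 1
    fi
    if [ "$has_in" -eq 1 ] && [ "$chain" = OUTPUT ]; then
        echo "-i (incoming interface) is not valid on the OUTPUT chain" >&2; return 1
    fi
    if [ "$has_out" -eq 1 ] && [ "$chain" = INPUT ]; then
        echo "-o (outgoing interface) is not valid on the INPUT chain" >&2; return 1
    fi
    if [ "$port_pos" -gt 0 ] && { [ "$proto_pos" -eq 0 ] || [ "$proto_pos" -gt "$port_pos" ]; }; then
        echo "-p (protocol) must come before --sport/--dport" >&2; return 1
    fi
    return 0
}

# Constructed sample rules: the first two follow the iptables conventions,
# each of the others breaks one of them.
for r in '-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT' \
         '-A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT' \
         '-A INPUT -p tcp --dport 23 -j DENY' \
         '-A INPUT --dport 22 -p tcp -j DROP' \
         '-A OUTPUT -i eth0 -j DROP'; do
    if check_iptables_rule "$r"; then echo "ok:  $r"; else echo "bad: $r"; fi
done
```

The check only covers the differences named on this page; a rule that passes it can still be rejected by iptables for other reasons.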