Differences between iptables and ipchains


At first glance, ipchains and iptables appear to be quite similar. Both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out but also what to do with packets that match certain rules. However, iptables offers a much more extensive way of filtering packets, giving the administrator a greater amount of control without building too much complexity into the entire system.

Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:

  • Under iptables, each filtered packet is processed using rules from only one chain rather than from multiple chains. For instance, a packet being forwarded through a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. However, iptables sends packets to the INPUT chain only if they are destined for the local system and sends them to the OUTPUT chain only if the local system generated the packets; a packet that merely passes through the system sees only the FORWARD chain. For this reason, you must be sure to place the rule designed to catch a particular packet in the chain that will actually see the packet. The advantage is that you now have more control over the disposition of each packet. If you are attempting to block access to a particular website, an OUTPUT rule that denies access only affects connections originating on your own host; it no longer prevents access for clients on hosts that use your host as a gateway. To block those clients, the rule must be placed in the FORWARD chain, which is the only chain their packets traverse.

  • The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target, which silently dropped the packet. This target must be changed to DROP in iptables to have the same effect.

  • Sequence matters when placing options in a rule. Previously, with ipchains, how you ordered the rule options did not matter very much. The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used in a rule.

  • When specifying network interfaces to be used with a rule, you must use incoming interfaces (-i option) only with the INPUT or FORWARD chains and outgoing interfaces (-o option) only with the FORWARD or OUTPUT chains. This is necessary because a packet arriving on an interface never traverses the OUTPUT chain, and a packet leaving through an interface never traverses the INPUT chain; only FORWARD sees both an incoming and an outgoing interface. iptables rejects a rule that violates this, so scripts converted from ipchains must be checked for it.
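The following gateway ruleset is an added example, not taken from the Red Hat guide; it puts the four differences above into one script. The chain a rule lands in, the -p tcp before --dport ordering, the DROP target and the -i/-o restriction are all exercised, and a small wrapper refuses an interface option that its chain can never match so the mistake is caught before iptables is even called. The interface names (eth0, eth1), the LAN prefix and the blocked web server address are assumptions for illustration. By default the commands are echoed rather than executed; to apply them on a real gateway, run the script as root with IPTABLES=/sbin/iptables.

```shell
#!/bin/sh
# Added example (not the Red Hat guide's own code): an iptables ruleset for a
# small gateway, built around the ipchains-to-iptables differences above.
# Dry run by default: every iptables command is echoed, not executed.
# Set IPTABLES=/sbin/iptables (as root) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"                    # assumed: interface toward LAN clients
WAN_IF="${WAN_IF:-eth0}"                    # assumed: interface toward the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed LAN prefix
BLOCKED_WEB="${BLOCKED_WEB:-203.0.113.10}"  # assumed web server (RFC 5737 test address)

# Refuse a rule up front if it uses an interface option its chain can never
# match: INPUT never sees an outgoing interface, OUTPUT never an incoming one.
# Usage: add_rule CHAIN iptables-match-and-target-args...
add_rule() {
    chain=$1; shift
    for arg in "$@"; do
        case "$chain,$arg" in
            INPUT,-o|OUTPUT,-i)
                echo "add_rule: $arg is not valid in the $chain chain" >&2
                return 1 ;;
        esac
    done
    $IPTABLES -A "$chain" "$@"
}

# Packets addressed to this host traverse INPUT only, so -i is legal here.
# Option order matters: -p tcp must precede --dport.
input_rules() {
    $IPTABLES -P INPUT DROP
    add_rule INPUT -i lo -j ACCEPT
    add_rule INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    add_rule INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Packets this host generates traverse OUTPUT only. This rule stops the
# gateway itself from reaching the web server but does nothing for LAN
# clients, whose packets never enter OUTPUT.
output_rules() {
    add_rule OUTPUT -o "$WAN_IF" -p tcp -d "$BLOCKED_WEB" --dport 80 -j DROP
}

# Packets routed through this host traverse FORWARD only (not INPUT and
# OUTPUT as well, as they did under ipchains), so the block for LAN clients
# must live here. Both -i and -o are legal in FORWARD. DROP silently
# discards the packet, as DENY did in ipchains.
forward_rules() {
    add_rule FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$BLOCKED_WEB" --dport 80 -j DROP
    add_rule FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    add_rule FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -P FORWARD DROP
}

# Emit (or apply) the whole ruleset; fails on the first invalid rule.
build_ruleset() {
    input_rules && output_rules && forward_rules
}

build_ruleset
```

Run it as-is to review the generated commands; once they look right, rerun with IPTABLES=/sbin/iptables on the gateway. The -m state matches rely on connection tracking being available in the 2.4 kernel, which it is on Red Hat Linux of this era.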

This is by no means a comprehensive list of the changes, given that iptables represents a fundamentally rewritten network filter. For more specific information, consult the Linux 2.4 Packet Filtering HOWTO and the “Additional Resources” section at the end of this chapter.




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
Year: 2002
Pages: 278
Authors: Red Hat Inc
