Differences Between iptables and ipchains

At frst glance, ipchains and iptables appear to be quite similar. After all, both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules, however, iptables offer a much more extensible way of filtering packets, giving an administrator a finer grained level of control without building too much complexity into the entire system.

Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:

  • Under iptables, each filtered packet is only processed using rules from one chain rather than multiple chains. In other words, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, you must be sure to place the rule designed to catch a particular packet in the correct chain that will actually see the packet.

    •  

     

    The advantage is that you now have finer-grained control over the disposition of each packet. If you are attempting to block access to a particular website, it is now possible to block access attempts from clients running on hosts which use your host as a gateway. An OUTPUT rule which denies access will no longer prevent access for hosts which use your host as a gateway.
     

  • The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target, which silently dropped the packet. This target must be changed to DROP in iptables to have the same effect.

    •  
  • Order matters when placing options in a chain rule. Previously, with ipchains, it did not matter very much how you ordered the rule options when typing the rule. 

    •  

     

    The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used in a chain's rule.
     

  • When specifying network interfaces to be used with a rule, you must only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary due to the fact that OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.

Linux Tips

See Also
Auditing Change Settings Iptables

Have a Linux Problem
Linux Forum - Do you have a Linux Question?

Linux Books
Linux Certification, System Administration, Programming, Networking Books

Home Index
Linux System Administration Hints and Tips

(c) www.gotothings.com All material on this site is Copyright.
Every effort is made to ensure the content integrity.  Information used on this site is at your own risk.
All product names are trademarks of their respective companies.
The site www.gotothings.com is in no way affiliated with or endorsed by any company listed at this site.
Any unauthorised copying or mirroring is prohibited.