Red Hat Linux 7.2: The Official Red Hat Linux Reference Guide

Chapter 18. Firewalling with iptables
At first glance, ipchains and iptables appear to be quite similar. After all, both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules. However, iptables offers a much more extensible way of filtering packets, giving an administrator a finer-grained level of control without building too much complexity into the entire system. Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:
Under iptables, each filtered packet is
only processed using rules from one chain rather than multiple
chains. In other words, a FORWARD packet coming into a
system using ipchains would have to go through
the INPUT, FORWARD, and OUTPUT chains in order to move along to its
destination. However, iptables only sends packets
to the INPUT chain if they are destined for the local system and
only sends them to the OUTPUT chain if the local system generated
the packets. For this reason, you must be sure to place the rule
designed to catch a particular packet in the correct chain that will
actually see the packet.
The advantage is that you now have finer-grained control over the disposition of each packet. If you are attempting to block access to a particular website, it is now possible to block access attempts from clients running on hosts which use your host as a gateway separately from access attempts made by your host itself. An OUTPUT rule which denies access will no longer prevent access for hosts which use your host as a gateway; their packets traverse only the FORWARD chain, so the rule that is meant to catch them must be placed there.
The DENY target has been changed to DROP. In
ipchains, packets that matched a rule in a chain
could be directed to the DENY target, which silently dropped the
packet. This target must be changed to DROP in
iptables to have the same effect.
Order matters when placing options in a chain
rule. Previously, with ipchains, it
did not matter very much how you ordered the rule options when
typing the rule. The iptables command is a bit
pickier about where some options may go. For example, you must now
specify the source or destination port after the protocol (ICMP,
TCP, or UDP) to be used in a chain's rule.
When specifying network interfaces to be used with a rule, you must only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary because the OUTPUT chain is no longer traversed by packets arriving on an incoming interface, and the INPUT chain is not seen by packets leaving through an outgoing interface.
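As an added example (not code from the Red Hat guide), the following Python checker turns the four differences above into something you can run over an existing ipchains rule set before re-entering it for iptables: check_rule() reports a DENY target, a port match written before -p, an -i option in the OUTPUT chain, and reminds you that an OUTPUT rule no longer covers forwarded traffic; convert_rule() rewrites the rule accordingly. The -i to -o swap assumes the ipchains OUTPUT rule named the interface the packet leaves on, and the sample rule, address 192.0.2.10 and interface names eth0/eth1 are constructed for illustration.

```python
import shlex
PORT_OPTS = {"--sport", "--dport", "--source-port", "--destination-port"}
CHAIN_OPTS = {"-A", "-I", "-D", "-R"}
# Constructed sample: an ipchains-style rule with three of the habits the guide warns about.
SAMPLE_IPCHAINS_RULE = "ipchains -A OUTPUT -i eth0 --dport 80 -p tcp -d 192.0.2.10 -j DENY"


def parse(rule):
    """Split a rule into (option, value) pairs; a bare flag gets the value None."""
    argv = shlex.split(rule)
    if argv and argv[0] in ("iptables", "ipchains"):
        argv = argv[1:]                        # drop the command name
    pairs, i = [], 0
    while i < len(argv):
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        pairs.append((argv[i], argv[i + 1] if has_value else None))
        i += 2 if has_value else 1
    return pairs


def check_rule(rule):
    """List the ipchains habits in `rule` that iptables rejects or treats differently."""
    pairs = parse(rule)
    opts = [o for o, _ in pairs]
    chain = next((v for o, v in pairs if o in CHAIN_OPTS), None)
    findings = []
    if ("-j", "DENY") in pairs:
        findings.append("target DENY does not exist in iptables; use DROP")
    for port in sorted(PORT_OPTS & set(opts)):
        if "-p" not in opts or opts.index(port) < opts.index("-p"):
            findings.append(f"{port} must come after -p <protocol>")
    if chain == "OUTPUT" and "-i" in opts:
        findings.append("-i is not valid in OUTPUT; the outgoing interface is -o")
    if chain == "OUTPUT":   # forwarded packets skip OUTPUT entirely under iptables
        findings.append("OUTPUT does not see forwarded packets; add a FORWARD rule for gateway clients")
    return findings


def convert_rule(rule):
    """Rewrite `rule` in iptables form: DENY->DROP, port matches after -p, -i->-o in OUTPUT."""
    pairs = parse(rule)
    chain = next((v for o, v in pairs if o in CHAIN_OPTS), None)
    fixed = []
    for opt, val in pairs:
        opt = "-o" if (chain == "OUTPUT" and opt == "-i") else opt
        val = "DROP" if (opt, val) == ("-j", "DENY") else val
        fixed.append((opt, val))
    ports = [p for p in fixed if p[0] in PORT_OPTS]
    ordered = [p for p in fixed if p[0] not in PORT_OPTS]
    at = next((i + 1 for i, p in enumerate(ordered) if p[0] == "-p"), len(ordered))
    ordered[at:at] = ports                      # port matches directly after the protocol
    return "iptables " + " ".join(o if v is None else f"{o} {v}" for o, v in ordered)
```

Running check_rule(SAMPLE_IPCHAINS_RULE) lists all four findings, and the converted rule only keeps the reminder that gateway clients need a matching FORWARD rule.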
This is by no means a comprehensive list of the changes, given that
iptables represents a fundamentally rewritten network
filter in use with the kernel. For more specific information, consult
the Linux 2.4 Packet Filtering HOWTO and the
sources found in the section called Additional Resources.
Disclaimer: For authoritative source or latest update to this documentation, please refer to http://www.redhat.com/docs/manuals/linux/