Red Hat Linux 8.0: The Official Red Hat Linux Reference Guide

Chapter 13. Firewalls and iptables
Differences between iptables and ipchains

At first glance, ipchains and iptables appear to be quite similar. Both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules. However, iptables offers a much more extensible way of filtering packets, giving the administrator a greater amount of control without building too much complexity into the entire system.

Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:
Under iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. For instance, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, you must be sure to place the rule designed to catch a particular packet in the chain that will actually see the packet.
The advantage is that you now have more control over the disposition of each packet. If you are attempting to block access to a particular website, it is now possible to block access attempts from clients running on hosts which use your host as a gateway. An OUTPUT rule which denies access will no longer prevent access for hosts which use your host as a gateway.
The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target, which silently dropped the packet. This target must be changed to DROP in iptables to have the same effect.
Order matters when placing options in a rule. Previously, with ipchains, it did not matter very much how you ordered the rule options. The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used in a rule.
When specifying network interfaces to be used with a rule, you must only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary because OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
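The following POSIX shell script is an added example, not code from the Red Hat guide. It applies all four differences listed above to the "block a particular website" case: the rules for gateway clients go in FORWARD (the only chain that sees forwarded traffic under iptables), the rules for the gateway's own connections go in OUTPUT, the target is DROP rather than DENY, the protocol is given before --dport, and -i appears only in FORWARD while OUTPUT gets only -o. The blocked address 192.0.2.10, the interface names eth0 (LAN) and eth1 (WAN), and every helper name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Assumptions: 192.0.2.10 is a
# constructed (TEST-NET-1) address standing in for the website, eth0 is the
# LAN-facing interface and eth1 the outside interface.
BLOCKED_HOST="${BLOCKED_HOST:-192.0.2.10}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Wrapper: with DRY_RUN=1 the command is printed instead of executed, so the
# ruleset can be reviewed (or tested) without root or a 2.4 kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Mirrors the traversal rule from the text: INPUT only for packets addressed
# to this host, OUTPUT only for packets this host generated, FORWARD otherwise.
# $1 = destined for the local host (yes/no), $2 = generated locally (yes/no).
iptables_chain() {
    if [ "$1" = yes ]; then
        echo INPUT
    elif [ "$2" = yes ]; then
        echo OUTPUT
    else
        echo FORWARD
    fi
}

# The ipchains DENY target is DROP under iptables; refuse a stale target
# before it reaches the iptables command.
check_target() {
    case "$1" in
        DENY) echo "DENY is not an iptables target; use DROP" >&2; return 1 ;;
        DROP|ACCEPT|REJECT) return 0 ;;
        *) echo "unknown target: $1" >&2; return 1 ;;
    esac
}

# Traffic forwarded on behalf of LAN clients is seen only by FORWARD (under
# ipchains it also crossed INPUT and OUTPUT). Note the option order: the
# protocol (-p tcp) must come before --dport. -i is legal here because this
# is the FORWARD chain; it would be rejected in OUTPUT.
forward_rules() {
    check_target DROP || return 1
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$BLOCKED_HOST" --dport 80 -j DROP
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$BLOCKED_HOST" --dport 443 -j DROP
}

# Connections the gateway itself opens are seen only by OUTPUT; only -o is
# valid here (no -i), because OUTPUT never sees an incoming interface.
output_rules() {
    check_target DROP || return 1
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -d "$BLOCKED_HOST" --dport 80 -j DROP
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -d "$BLOCKED_HOST" --dport 443 -j DROP
}

# Both sets are needed: an OUTPUT rule alone no longer covers the LAN clients.
apply_rules() {
    forward_rules && output_rules
}

# Preview with:  DRY_RUN=1 sh block-site.sh apply
# Install with:  sh block-site.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it once with DRY_RUN=1 to read the generated rules before installing them. Because -d takes a single address (a hostname given to -d is resolved only once, when the rule is inserted), a website served from several addresses needs one rule per address.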
This is by no means a comprehensive list of the changes, given that iptables represents a fundamentally rewritten network filter. For more specific information, consult the Linux 2.4 Packet Filtering HOWTO and the sources found in the section called Additional Resources.
Disclaimer: For authoritative source or latest update to this documentation, please refer to http://www.redhat.com/docs/manuals/linux/