At first glance, ipchains and iptables that match certain rules. However, iptables
Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:
Under iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. For instance, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. Under iptables, however, the rule designed to catch a particular packet must be placed in the one chain that will actually see that packet.
The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target. This target must be changed to DROP under iptables.
Order matters when placing options in a rule. Previously, with ipchains, the order of the rule options did not matter. The iptables command uses stricter syntax. For example, in iptables commands the protocol (ICMP, TCP, or UDP) must be specified before the source or destination ports.
When specifying network interfaces to be used with a rule, you must only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary because OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
This is not a comprehensive list of the changes, given that iptables represents a fundamentally rewritten network filter. For more specific information, refer to the Linux 2.4 Packet Filtering HOWTO found in Section 16.5 Additional Resources.
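The following is an added example, not part of the HOWTO or of this guide: a small POSIX sh lint (the function name check_rule is my own) that inspects the text of a rule and flags the three ipchains habits listed above before the rule is ever passed to the real iptables binary, so it runs unprivileged and never touches the kernel.

```sh
#!/bin/sh
# Added example: lint iptables rules written by people used to ipchains.
# check_rule inspects only the rule text, prints the first problem it finds
# and returns 1; it returns 0 when the rule follows the conventions above.
check_rule() {
    rule="$*"
    padded=" $rule "
    # chain name that follows -A or -I (INPUT, FORWARD, OUTPUT, ...)
    chain=$(printf '%s\n' "$rule" | sed -n 's/.*-[AI] \([A-Za-z_]*\).*/\1/p')

    # The DENY target was renamed DROP.
    case "$padded" in *" -j DENY "*)
        echo "DENY is not a valid iptables target; use -j DROP"; return 1;;
    esac

    # -i is only valid in INPUT/FORWARD, -o only in FORWARD/OUTPUT.
    case "$padded" in *" -i "*)
        case "$chain" in INPUT|FORWARD) ;;
        *) echo "-i is only valid in INPUT or FORWARD, not $chain"; return 1;;
        esac;;
    esac
    case "$padded" in *" -o "*)
        case "$chain" in FORWARD|OUTPUT) ;;
        *) echo "-o is only valid in FORWARD or OUTPUT, not $chain"; return 1;;
        esac;;
    esac

    # Option order is strict: the protocol (-p) must precede any port option.
    case "$padded" in *" --dport "*|*" --sport "*)
        before_proto="${padded%%-p *}"   # text before the first "-p "; whole rule if absent
        case "$before_proto" in *"--dport "*|*"--sport "*)
            echo "-p must be given before --sport/--dport"; return 1;;
        esac;;
    esac
    return 0
}

# Constructed sample ruleset: the first two rules are correct iptables syntax,
# the remaining three are ipchains habits that iptables rejects.
for r in "-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT" \
         "-A FORWARD -i eth0 -o eth1 -j DROP" \
         "-A INPUT -j DENY" \
         "-A OUTPUT -i eth0 -j ACCEPT" \
         "-A INPUT --dport 80 -p tcp -j ACCEPT"; do
    printf '%-45s ' "$r"
    if check_rule $r; then echo ok; fi
done
```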