Red Hat Linux 7.3: The Official Red Hat Linux Reference Guide
Chapter 14. Firewalling with iptables
At first glance, ipchains and iptables appear to be quite similar. After all, both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules. However, iptables offers a much more extensible way of filtering packets, giving the administrator a greater amount of control without building too much complexity into the entire system.
Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:
- Under iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. In other words, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, you must be sure to place the rule designed to catch a particular packet in the chain that will actually see the packet.

  The advantage is that you now have more control over the disposition of each packet. If you are attempting to block access to a particular website, it is now possible to block access attempts only from clients running on hosts which use your host as a gateway, since their packets pass through the FORWARD chain. An OUTPUT rule which denies access will no longer prevent access for hosts which use your host as a gateway.

- The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target, which silently dropped the packet. This target must be changed to DROP in iptables to have the same effect.

- Order matters when placing options in a rule. Previously, with ipchains, it did not matter very much how you ordered the rule options. The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used in a rule.

- When specifying network interfaces to be used with a rule, you must only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary because OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
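As an added illustration (not code from the Reference Guide), the following Python function turns an ipchains `-A` rule into the iptables rule or rules that will see the same packets, applying the four differences listed above: one chain per packet, DENY becoming DROP, port options placed after the protocol, and `-i`/`-o` restricted by chain. The function name `translate`, the subset of options it understands (`-A`, `-p`, `-i`, `-j`, `-s`, `-d`) and the constructed sample rules are my own assumptions; it returns the commands as strings rather than running them.

```python
import shlex

# ipchains DENY silently dropped the packet; iptables spells that target DROP.
TARGET_MAP = {"DENY": "DROP"}

# Which iptables chain(s) see the packets an ipchains chain used to see, and
# which interface option is legal there (-i only on INPUT/FORWARD, -o only on
# FORWARD/OUTPUT). Assumption: ipchains' forward chain named the outgoing interface.
CHAIN_MAP = {
    "input":   [("INPUT", "-i"), ("FORWARD", "-i")],
    "output":  [("OUTPUT", "-o"), ("FORWARD", "-o")],
    "forward": [("FORWARD", "-o")],
}

def translate(rule):
    """Return the iptables rule(s) equivalent to one ipchains -A rule (hypothetical helper)."""
    args = shlex.split(rule)
    chain = proto = iface = target = None
    addrs, ports = [], []
    i = 0
    while i < len(args):
        opt = args[i]
        if opt == "-A":
            chain = args[i + 1].lower(); i += 2
        elif opt == "-p":
            proto = args[i + 1].lower(); i += 2
        elif opt == "-i":
            iface = args[i + 1]; i += 2
        elif opt == "-j":
            target = TARGET_MAP.get(args[i + 1], args[i + 1]); i += 2
        elif opt in ("-s", "-d"):
            addrs.append(f"{opt} {args[i + 1]}"); i += 2
            # ipchains took an optional port right after the address.
            if i < len(args) and not args[i].startswith("-"):
                ports.append(f"--{'s' if opt == '-s' else 'd'}port {args[i]}"); i += 1
        else:
            raise ValueError(f"unsupported option: {opt}")
    if chain not in CHAIN_MAP or target is None:
        raise ValueError("rule needs -A <input|output|forward> and -j <target>")
    if ports and proto not in ("tcp", "udp"):
        raise ValueError("iptables accepts ports only after -p tcp or -p udp")
    # Emit -p first so that --sport/--dport always follow the protocol.
    match = ([f"-p {proto}"] if proto else []) + addrs + ports
    rules = []
    for ipt_chain, if_opt in CHAIN_MAP[chain]:
        parts = ["iptables", "-A", ipt_chain]
        if iface:
            parts += [if_opt, iface]
        rules.append(" ".join(parts + match + ["-j", target]))
    return rules
```

Note how a single ipchains `output` rule becomes two iptables rules: one in OUTPUT for locally generated traffic and one in FORWARD for clients using the host as a gateway.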
This is by no means a comprehensive list of the changes, given that iptables represents a fundamentally rewritten network filter in use with the kernel. For more specific information, consult the Linux 2.4 Packet Filtering HOWTO and the sources found in the Section called Additional Resources.