Differences Between iptables And ipchains - Red Hat ENTERPRISE LINUX 3 Reference Manual

254 Chapter 17. iptables

FORWARD — Applies to network packets routed through the host.

The built-in chains for the nat table are as follows:

PREROUTING — Alters network packets when they arrive.
OUTPUT — Alters locally-generated network packets before they are sent out.
POSTROUTING — Alters network packets before they are sent out.

The built-in chains for the mangle table are as follows:

INPUT — Alters network packets targeted for the host.
OUTPUT — Alters locally-generated network packets before they are sent out.
FORWARD — Alters network packets routed through the host.
PREROUTING — Alters incoming network packets before they are routed.
POSTROUTING — Alters network packets before they are sent out.

Every network packet received by or sent out of a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address or set of addresses when using a particular protocol and network service.

Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a QUEUE target, the packet is passed to user-space. If a rule specifies the optional REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.

Every chain has a default policy to ACCEPT, DROP, REJECT, or QUEUE. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy.

The iptables command configures these tables, as well as sets up new tables if necessary.

17.2. Differences between iptables and ipchains

At first glance, ipchains and iptables appear to be quite similar. Both methods of packet filtering use chains of rules operating within the Linux kernel to decide what to do with packets that match the specified rule or set of rules. However, iptables offers a more extensible way of filtering packets, giving the administrator a greater amount of control without building a great deal of complexity into the system.

Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:

Under iptables, each filtered packet is processed using rules from only one chain rather than multiple chains. For instance, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, it is important to place the rule designed to catch a particular packet within the chain that actually handles the packet.

The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target. This target must be changed to DROP under ipchains' successor, iptables.
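The traversal difference described above, as an added example that is not part of the Red Hat manual: a small Python model of first-match chain evaluation with default policies, showing why a DROP rule placed in INPUT catches a routed packet under ipchains but never sees it under iptables. The `Rule` format, the packet dictionaries and the telnet ruleset are constructed for the example.

```python
# Added example (not from the Red Hat manual): a model of the chain
# traversal described in the text, to show that a rule meant to catch a
# packet must live in the chain that actually handles it under iptables.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Rule:
    proto: str          # e.g. "tcp"; "any" matches every protocol (assumed format)
    dport: int | None   # destination port; None matches any port
    target: str         # ACCEPT, DROP, REJECT or QUEUE

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


# Chains a packet traverses in the filter table, per the manual:
# ipchains sends a forwarded packet through INPUT, FORWARD and OUTPUT;
# iptables uses INPUT only for local delivery and OUTPUT only for local origin.
TRAVERSAL = {
    "ipchains": {"local_in": ["INPUT"], "local_out": ["OUTPUT"],
                 "forward": ["INPUT", "FORWARD", "OUTPUT"]},
    "iptables": {"local_in": ["INPUT"], "local_out": ["OUTPUT"],
                 "forward": ["FORWARD"]},
}


def filter_packet(tool: str, chains: dict, policies: dict, pkt: dict):
    """Return (verdict, chain): the first matching rule in a chain wins; a
    chain with no matching rule falls through to its default policy. An
    ACCEPT only moves the packet on to the next chain it must traverse."""
    for name in TRAVERSAL[tool][pkt["kind"]]:
        verdict = policies[name]
        for rule in chains.get(name, []):
            if rule.matches(pkt):
                verdict = rule.target
                break
        if verdict != "ACCEPT":
            return verdict, name        # DROP/REJECT/QUEUE ends processing here
    return "ACCEPT", None


# Constructed ruleset: telnet (tcp/23) is blocked by a rule in INPUT only.
CHAINS = {"INPUT": [Rule("tcp", 23, "DROP")]}
POLICIES = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
TELNET_FWD = {"kind": "forward", "proto": "tcp", "dport": 23}

if __name__ == "__main__":
    for tool in ("ipchains", "iptables"):
        print(tool, filter_packet(tool, CHAINS, POLICIES, TELNET_FWD))
```

Under ipchains the routed telnet packet is dropped in INPUT; under iptables it is accepted because INPUT is never consulted, so the rule has to be placed in FORWARD.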