from or going to a particular IP address or set of addresses when using a particular protocol and network service.
Regardless of their destination, when packets match a particular rule on one of the rule lists, they are
designated for a particular target, or action to be applied to them. If the rule specifies an ACCEPT
target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to
its destination. If a rule specifies a DROP target, the packet is "dropped," meaning that the packet is
refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies
a REJECT target, the packet is dropped, but an error packet is sent to the packet's originator.
Every chain has a default policy to ACCEPT, DROP, or REJECT the packet, or possibly, QUEUE the
packet to be passed to userspace. If none of the rules in the chain apply to the packet, then the packet
is dealt with in accordance with the chain's default policy.
The iptables command allows you to configure these rule lists, as well as set up new chains and
tables to be used for your particular situation.
18.2 Differences between iptables and ipchains
At first glance, ipchains and iptables appear to be quite similar. After all, both methods of
packet filtering use chains of rules operating within the Linux kernel to decide not only which packets
to let in or out, but also what to do with packets that match certain rules. However, iptables offers a
much more extensible way of filtering packets, giving an administrator a finer-grained level of control
without building too much complexity into the entire system.
Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:
• Under iptables, each filtered packet is only processed using rules from one chain rather than
multiple chains. In other words, a FORWARD packet coming into a system using ipchains
would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to
its destination. However, iptables only sends packets to the INPUT chain if they are destined
for the local system and only sends them to the OUTPUT chain if the local system generated the
packets. For this reason, you must be sure to place the rule designed to catch a particular packet
in the correct chain that will actually see the packet.
The advantage is that you now have finer-grained control over the disposition of each packet. If you
are attempting to block access to a particular website, it is now possible to block access attempts
from clients running on hosts which use your host as a gateway. An OUTPUT rule which denies
access will no longer prevent access for hosts which use your host as a gateway.
• The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a
chain could be directed to the DENY target, which silently dropped the packet. This target must
be changed to DROP in iptables to have the same effect.
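To make the two passages concrete, the targets and default policy described earlier in this section and the chain-traversal difference in the list above, here is a small Python model of the behaviour. It is an added example, not code from this manual or from the iptables project, and it simulates the rule-matching semantics rather than touching the real kernel: the Packet, Rule and Chain classes, the filter_packet walk, and all addresses (192.168.1.x, 203.0.113.5, 198.51.100.10) are constructed for illustration.

```python
# Added example (constructed, not code from the Red Hat manual or the iptables project):
# a small model of how a chain's rules and default policy yield a verdict, what each target
# means for the sender, and which chains a packet traverses under iptables versus ipchains.
# All addresses below are constructed sample values.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, or the ipchains spelling DENY
    src: Optional[str] = None    # None matches any value
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.src, pkt.src), (self.dst, pkt.dst),
                  (self.proto, pkt.proto), (self.dport, pkt.dport))
        return all(want is None or want == have for want, have in checks)


@dataclass
class Chain:
    policy: str = "ACCEPT"                     # default policy when no rule matches
    rules: list = field(default_factory=list)


def normalize_target(target: str) -> str:
    """The ipchains DENY target is spelled DROP in iptables; the effect is the same."""
    return "DROP" if target == "DENY" else target


def run_chain(chain: Chain, pkt: Packet) -> str:
    """First matching rule decides and later rules are skipped; otherwise the policy applies."""
    for rule in chain.rules:
        if rule.matches(pkt):
            return normalize_target(rule.target)
    return normalize_target(chain.policy)


def sender_observes(verdict: str) -> str:
    """What the originating host sees for each target."""
    return {"ACCEPT": "packet delivered",
            "DROP": "nothing (silently discarded)",
            "REJECT": "error packet returned"}[verdict]


def iptables_path(pkt: Packet, local_addrs: set, locally_generated: bool) -> list:
    """iptables: exactly one of INPUT, OUTPUT or FORWARD sees the packet."""
    if pkt.dst in local_addrs:
        return ["INPUT"]
    if locally_generated:
        return ["OUTPUT"]
    return ["FORWARD"]


def ipchains_path(pkt: Packet, local_addrs: set, locally_generated: bool) -> list:
    """ipchains: a packet routed through the host crosses INPUT, FORWARD and OUTPUT."""
    if pkt.dst in local_addrs:
        return ["INPUT"]
    if locally_generated:
        return ["OUTPUT"]
    return ["INPUT", "FORWARD", "OUTPUT"]


def filter_packet(chains: dict, path: list, pkt: Packet) -> tuple:
    """Walk every chain on the path; the first non-ACCEPT verdict ends processing."""
    for name in path:
        verdict = run_chain(chains[name], pkt)
        if verdict != "ACCEPT":
            return name, verdict
    return path[-1], "ACCEPT"


def target_demo() -> dict:
    """A chain with policy DROP that accepts port 22 and rejects port 23 (constructed)."""
    chain = Chain(policy="DROP", rules=[Rule("ACCEPT", proto="tcp", dport=22),
                                        Rule("REJECT", proto="tcp", dport=23)])
    results = {}
    for dport in (22, 23, 80):
        verdict = run_chain(chain, Packet("10.0.0.2", "192.168.1.1", dport=dport))
        results[dport] = (verdict, sender_observes(verdict))
    return results


def gateway_demo() -> dict:
    """An OUTPUT rule meant to block a website: under ipchains it also hit LAN clients routed
    through this gateway; under iptables those packets only traverse FORWARD."""
    local_addrs = {"192.168.1.1", "203.0.113.5"}       # the gateway's own addresses
    website = "198.51.100.10"
    chains = {"INPUT": Chain(), "FORWARD": Chain(),
              "OUTPUT": Chain(rules=[Rule("DENY", dst=website)])}   # ipchains-era rule
    client_pkt = Packet(src="192.168.1.20", dst=website)             # sent by a LAN client
    before = {
        "iptables": filter_packet(chains, iptables_path(client_pkt, local_addrs, False), client_pkt),
        "ipchains": filter_packet(chains, ipchains_path(client_pkt, local_addrs, False), client_pkt),
    }
    # The iptables fix: put the rule in the chain that actually sees the forwarded packet.
    chains["FORWARD"].rules.append(Rule("DROP", dst=website))
    after = filter_packet(chains, iptables_path(client_pkt, local_addrs, False), client_pkt)
    return {"before": before, "after_forward_rule": after}


if __name__ == "__main__":
    print(target_demo())
    print(gateway_demo())
```

Running it shows the same OUTPUT rule producing ("OUTPUT", "DROP") under the ipchains traversal and ("FORWARD", "ACCEPT") under iptables, which is exactly why a rule must be placed in the chain that sees the packet; adding the rule to FORWARD yields ("FORWARD", "DROP").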
Chapter 18: Firewalling with iptables