
Thread: Iptables, ipchains, the true difference.

  1. #1
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901

    Post Iptables, ipchains, the true difference.

    Hello everyone. I have been browsing the forums for threads concerning the difference between iptables and ipchains, but alas I have not found a thread that actually answered this question. Also the posts concerning this issue are very old, so I decided to point out the differences between the two.

    Differences between IPTABLES and IPCHAINS.

    1 - The names of the built-in chains in ipchains have to be written in lowercase, and in iptables in uppercase letters, because under iptables the INPUT and the OUTPUT chains only handle packets which have local destinations and are processed locally. Under ipchains, all incoming and outgoing packets go through the input, output, and forward chains.

    2 - The -i option is the input interface and works only with the INPUT and the FORWARD chains. For rules using the FORWARD or the OUTPUT chain, you must use -o.

    3 - TCP and UDP ports using iptables must include the --source-port or --sport (or --destination-port/--dport) options, since this is the only way to load the TCP/UDP extensions.

    4 - The TCP flag -y became --syn in iptables and must go after the -p tcp in the rules that you set up.

    5 - The DENY target under ipchains, is called DROP for iptables.

    6 - The counters of single chains, when listing, can be set to 0 in iptables.

    7 - The included counters within iptables, if set to 0 can also empty the policy counters.

    8 - When listing the chains in iptables, the counters are displayed in real time.

    9 - REJECT and LOG under iptables are extra implementations, which means that they are present as separate kernel modules.

    10 - The name of a chain when using iptables can be up to 31 characters long.

    11 - The target MASQ is called MASQUERADE in iptables, and also there is a slight change in syntax compared to ipchains. REDIRECT also has a slightly different syntax, although the name stays the same.


    If I have missed anything here, please add it to the list.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    The biggest and most important difference is what IPTables can do with connections (UDP and TCP): track connections. This avoids having to open any upper layer ports for access. It literally keeps everything closed and opens only what is needed.

    Other differences:

    Iptables looks at the packet information, not just src and dst like ipchains.

    Iptables can alter packets if need be via MANGLE.


    One note: DENY and REJECT should only be used for testing purposes. Otherwise they could possibly tell an attacker that you have a firewall. You should use DROP for handling unwanted packets.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
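    A side-by-side illustration of the syntax changes listed in #1 (uppercase chains, -p tcp before --syn/--dport, DENY to DROP, LOG as its own target, MASQ to MASQUERADE) together with the connection-tracking point raised in #2. This is an added example, not code from any post in this thread; the interface names eth0/eth1 and the 192.168.1.0/24 network are assumptions, and the commands are only printed unless DRY_RUN=0 is set by root.

```shell
#!/bin/sh
# Minimal ipchains policy rewritten in iptables syntax (constructed example).
# Commands are printed, not executed, unless DRY_RUN=0 is set and you are root.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # assumed external interface
LAN_IF="${LAN_IF:-eth1}"              # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal network

if [ "${DRY_RUN:-1}" = "1" ]; then
    run() { printf '%s\n' "$*"; }    # dry run: show the command line only
else
    run() { "$@"; }                  # really apply it (needs root)
fi

# The ipchains original, for comparison (lowercase chains, positional ports,
# -y for SYN, DENY, MASQ). Shown as comments only; never executed here.
#   ipchains -P input DENY
#   ipchains -A input -i eth0 -p tcp -y -d 0/0 22 -j ACCEPT
#   ipchains -A input -i eth0 -p tcp -y -l -j DENY
#   ipchains -P forward DENY
#   ipchains -A forward -s 192.168.1.0/24 -j MASQ

iptables_rules() {
    # Chains are uppercase; INPUT now sees only locally delivered traffic.
    run iptables -P INPUT DROP          # DENY became DROP (silent, no reply)
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    # Connection tracking: replies to our own connections get back in without
    # opening any upper ports (the stateful difference from post #2).
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -p tcp must come first so the TCP extension (--syn, --dport) is loaded.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --syn --dport 22 -j ACCEPT
    # LOG is a separate target module; it logs, then the packet hits the policy.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --syn -j LOG --log-prefix "syn-drop: "
    # On FORWARD, -i is the inbound interface and -o the outbound one.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # MASQ became MASQUERADE and lives in the nat table's POSTROUTING chain.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

iptables_rules
```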

  3. #3
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Indeed you are very right, I understand what you have meant. And concerning your note, well very wisely spoken there. Thank you for the add-on.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  4. #4
    Senior Member
    Join Date
    Nov 2002
    Posts
    393
    instronics, nice post.
    Most of your posts are quite informative, hence bookmarkable ;p
    "I have a 386 Pentium."

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    339
    Very informative, I had a fleeting thought the other day about the difference when I was reading up on stuff. And I agree with invader, your posts are always a good read.
    Don't be a bitch! Use Slackware.

  6. #6
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    You missed stateful inspection, which iptables doesn't do the best job of, but it's better than IPchains... that does nothing at all.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
