Questo contenuto non è disponibile nella lingua selezionata.

48.9.2. Differences Between IPTables and IPChains


Both ipchains and iptables use chains of rules that operate within the Linux kernel to filter packets based on matches with specified rules or rule sets. However, iptables offers a more extensible way of filtering packets, giving the administrator greater control without building undue complexity into the system.
You should be aware of the following significant differences between ipchains and iptables:
Using iptables, each filtered packet is processed using rules from only one chain rather than multiple chains.
For example, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains to continue to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system, and only sends them to the OUTPUT chain if the local system generated the packets. It is therefore important to place the rule designed to catch a particular packet within the chain that actually handles the packet.
The DENY target has been changed to DROP.
In ipchains, packets that matched a rule in a chain could be directed to the DENY target. This target must be changed to DROP in iptables.
Order matters when placing options in a rule.
In ipchains, the order of the rule options does not matter.
The iptables command has a stricter syntax. The iptables command requires that the protocol (ICMP, TCP, or UDP) be specified before the source or destination ports.
Network interfaces must be associated with the correct chains in firewall rules.
For example, incoming interfaces (-i option) can only be used in INPUT or FORWARD chains. Similarly, outgoing interfaces (-o option) can only be used in FORWARD or OUTPUT chains.
In other words, INPUT chains and incoming interfaces work together; OUTPUT chains and outgoing interfaces work together. FORWARD chains work with both incoming and outgoing interfaces.
OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
This is not a comprehensive list of the changes. Refer to Section 48.9.7, “Additional Resources” for more specific information.
Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.