7. Differences Between iptables and ipchains

* Firstly, the names of the built-in chains have changed from lower case to UPPER case, to mark a change in what they see: the INPUT and OUTPUT chains now only get locally-destined and locally-generated packets. Under ipchains they saw all incoming and all outgoing packets respectively. Forwarded packets now traverse only the FORWARD chain, so ipchains rules that filtered forwarded traffic in input or output must be moved to FORWARD, or they will no longer match anything.

* The `-i' flag now means the incoming interface, and only works in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains that used `-i' should be changed to `-o', since in those chains ipchains' `-i' referred to the interface the packet would leave by.

* TCP and UDP ports now need to be spelt out with the --source-port or --sport (or --destination-port/--dport) options, and must be placed after the `-p tcp' or `-p udp' options, as this loads the TCP or UDP extensions respectively (you may need to insert the ipt_tcp and ipt_udp modules manually). Under ipchains the port simply followed the address in `-s' or `-d'.

* The TCP -y flag is now --syn, and must be after `-p tcp'.

* The DENY target is now DROP, finally.

* Zeroing the counters of a single chain while listing it (-Z together with -L) works.

* Zeroing built-in chains also clears the policy counters.

* Listing chains gives you the counters as an atomic snapshot.

* REJECT and LOG are now extended targets, meaning they are separate kernel modules.

* Chain names can be up to 16 characters.

* MASQ and REDIRECT are no longer targets; iptables doesn't do packet mangling. There is a separate NAT subsystem for this: see the ipnatctl HOWTO.

* Probably heaps of other things I forgot.
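As an added example (not part of the HOWTO, and not a tool shipped with iptables), the following shell function mechanically applies the syntax differences listed above to one ipchains rule: it upper-cases the built-in chain names, moves a port that followed `-s'/`-d' into --sport/--dport after `-p', turns -y into --syn, DENY into DROP, and `-i' into `-o' in the FORWARD and OUTPUT chains. The function name ipchains2iptables and the sample rules are made up for illustration. It does not move rules between chains to account for the new INPUT/OUTPUT/FORWARD semantics, and it cannot translate MASQ or the ipchains -l logging flag, so the output is a starting point to review, not a ruleset to load blind.

```sh
#!/bin/sh
# Added example: translate a single ipchains rule into iptables syntax.
# Only the differences listed in this section are handled; any option the
# script does not recognise is copied through unchanged.
ipchains2iptables() {
    printf '%s\n' "$*" | awk '
    {
        n = split($0, t, " ")
        i = 1
        if (t[1] == "ipchains") i = 2          # drop the command name if present
        base = "iptables"; proto = ""; mopts = ""; target = ""
        chain = ""; iface = ""
        for (; i <= n; i++) {
            a = t[i]
            if (a == "-A" || a == "-I" || a == "-D" || a == "-R") {
                # built-in chain names are upper case under iptables
                chain = t[++i]
                if (toupper(chain) == "INPUT" || toupper(chain) == "OUTPUT" ||
                    toupper(chain) == "FORWARD")
                    chain = toupper(chain)
                base = base " " a " " chain
            } else if (a == "-p") {
                # -p must come before the port and --syn options it enables,
                # so it is emitted separately, ahead of them
                proto = " -p " tolower(t[++i])
            } else if (a == "-s" || a == "-d") {
                addr = t[++i]
                if (addr == "!") addr = addr " " t[++i]    # negated address
                base = base " " a " " addr
                # ipchains put an optional port (or port:range) after the
                # address; iptables needs --sport / --dport instead
                if (i < n && t[i+1] !~ /^-/ && t[i+1] != "!")
                    mopts = mopts ((a == "-s") ? " --sport " : " --dport ") t[++i]
            } else if (a == "-y") {
                mopts = mopts " --syn"
            } else if (a == "-i") {
                # resolved after the loop, once the chain is known
                iface = t[++i]
            } else if (a == "-j") {
                tgt = t[++i]
                if (tgt == "DENY") tgt = "DROP"
                target = " -j " tgt
            } else {
                base = base " " a                 # unknown option: pass through
            }
        }
        # ipchains -i in the forward/output chains meant the outgoing interface
        if (iface != "")
            base = base ((chain == "FORWARD" || chain == "OUTPUT") ? " -o " : " -i ") iface
        print base proto mopts target
    }'
}

# Constructed sample rules, run when the file is executed directly:
ipchains2iptables ipchains -A input -p tcp -s 0/0 -d 192.168.1.1 80 -j ACCEPT
ipchains2iptables ipchains -A forward -i ppp0 -p tcp -y -j DENY
```

Each call prints the translated rule on its own line; pipe an existing ipchains-save style list through a loop calling the function, then read the result against the chain-semantics caveat above before loading it.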