09-05-2004, 11:57 AM #1 flumps (Guest)
The differences between IP Tables and IP chains
- Firstly, the names of the built-in chains have changed from lower case to UPPER case, because the INPUT and OUTPUT chains now only get locally-destined and locally-generated packets. They used to see all incoming and all outgoing packets respectively.
- The `-i' flag now means the incoming interface, and only works in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains that used `-i' should be changed to `-o'.
- TCP and UDP ports now need to be spelled out with the --source-port or --sport (or --destination-port/--dport) options, and must be placed after the `-p tcp' or `-p udp' options, as this loads the TCP or UDP extensions respectively (you may need to insert the ipt_tcp and ipt_udp modules manually).
- The TCP -y flag is now --syn, and must be after `-p tcp'.
- The DENY target is now DROP, finally.
- Zeroing single chains while listing them works.
- Zeroing built-in chains also clears policy counters.
- Listing chains gives you the counters as an atomic snapshot.
- REJECT and LOG are now extended targets, meaning they are separate kernel modules.
- Chain names can be up to 16 characters.
- MASQ and REDIRECT are no longer targets; iptables doesn't do packet mangling. There is a separate NAT subsystem for this: see the ipnatctl HOWTO.
- Probably heaps of other things I forgot.
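Added example, not part of the post above: a small POSIX shell function that rewrites one ipchains rule into its iptables form by applying the changes the post lists (upper-case built-in chains, -i becoming -o in FORWARD/OUTPUT, ports after the address becoming --sport/--dport and requiring an earlier -p tcp/udp, -y becoming --syn, DENY becoming DROP, and MASQ/REDIRECT refused because they moved to the NAT subsystem). It only transforms command text and loads nothing into the kernel. The function name, the demo rules and the error messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): translate a single ipchains
# rule string into the equivalent iptables rule string.
# Assumptions: the rule is one line of space-separated tokens in ipchains
# form (a port follows the -s/-d address, e.g. "-d 0/0 22"), and "-p"
# precedes any port, because iptables loads the tcp/udp match from -p.

translate_rule() {
    # shellcheck disable=SC2086  # word-splitting the rule is intended
    set -- $1
    out="iptables"
    chain=""
    proto=""
    port_opt=""   # --sport/--dport while a port may follow the last -s/-d

    while [ $# -gt 0 ]; do
        tok=$1
        shift
        case "$tok" in
            -A|-I|-D|-R|-P|-F|-L|-Z|-N|-X)
                # Built-in chain names are upper case in iptables.
                case "$1" in
                    input)   chain=INPUT ;;
                    output)  chain=OUTPUT ;;
                    forward) chain=FORWARD ;;
                    *)       chain=$1 ;;
                esac
                out="$out $tok $chain"
                shift
                port_opt="" ;;
            -p)
                proto=$1
                out="$out -p $proto"
                shift
                port_opt="" ;;
            -s)
                out="$out -s $1"
                shift
                port_opt="--sport" ;;
            -d)
                out="$out -d $1"
                shift
                port_opt="--dport" ;;
            -i)
                # -i now means the incoming interface only; the old ipchains
                # -i in FORWARD and OUTPUT rules becomes -o.
                case "$chain" in
                    FORWARD|OUTPUT) out="$out -o $1" ;;
                    *)              out="$out -i $1" ;;
                esac
                shift
                port_opt="" ;;
            -y)
                # The TCP SYN test is now --syn and must follow -p tcp.
                if [ "$proto" != tcp ]; then
                    echo "error: -y/--syn requires an earlier -p tcp" >&2
                    return 1
                fi
                out="$out --syn"
                port_opt="" ;;
            -j)
                target=$1
                shift
                case "$target" in
                    DENY) target=DROP ;;   # DENY was renamed DROP
                    MASQ|REDIRECT)
                        # No longer filter targets; they belong to the NAT table.
                        echo "error: $target must be expressed in the nat table" >&2
                        return 1 ;;
                esac
                out="$out -j $target"
                port_opt="" ;;
            -*)
                out="$out $tok"
                port_opt="" ;;
            *)
                # A bare token right after -s/-d is an ipchains port spec.
                if [ -z "$port_opt" ]; then
                    echo "error: unexpected token '$tok'" >&2
                    return 1
                fi
                case "$proto" in
                    tcp|udp) ;;
                    *)
                        echo "error: ports need -p tcp or -p udp before them" >&2
                        return 1 ;;
                esac
                out="$out $port_opt $tok"
                port_opt="" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Demonstration on constructed ipchains rules (not taken from any real ruleset).
if [ "${1:-}" = "demo" ]; then
    translate_rule '-A input -i eth0 -p tcp -y -d 0/0 22 -j DENY'
    translate_rule '-A forward -i ppp0 -p udp -s 192.168.1.0/24 -d 0/0 53 -j ACCEPT'
    translate_rule '-A forward -s 192.168.1.0/24 -j MASQ' || echo "(rewrite this rule in the nat table)"
fi
```

Run it as `sh translate.sh demo` to see the rewritten rules; a MASQ rule is deliberately rejected rather than guessed at, since the post notes that masquerading is no longer a filter target.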
09-06-2004, 01:36 PM #2
Good information. Sometimes the differences between IP tables and chains can be very confusing.