Firewall Wizards mailing list archives
Re: IPChains vs. IPTables
From: "Martin A. Brown" <mabrown-firewall-wizards () securepipe com>
Date: Wed, 24 Jul 2002 09:53:24 -0500 (CDT)
Mark,

There's a big difference between iptables and ipchains for the user. In terms of the kernel interface and/or support, it seems to me the difference is not so great. The primary difference which should persuade you to use ipchains is as follows:

- with ipchains you will need to write a rule for the input, forward and output chains, as each and every packet goes through each of these chains. This usually leads to a very complex script even for a simple packet filter.

- with iptables you will need to write rules as follows:

    input rules only for packets with the destination IP on the local box
    forward rules only for packets passing through the local box
    output rules only for packets generated on the local box

Using iptables leads to a much less complex script, though the packet filter performs the same task. Less complexity translates into less maintenance cost.

To help you see the way the kernel (2.4.x) deals with IP packets and filtering and routing, here's a diagram of the movement of a packet through the iptables code in the kernel (Thanks to Stef Coene from the LARTC list):

http://www.docum.org/stef.coene/qos/kptd/

And one last item: iptables has better support for nat and other packet mangling out of the box.

In short, I'd say, if you have a choice, the effort/reward ratio is better with iptables.

-Martin

: Someone suggested that I use IPTables instead of IPchains, as IPTables is
: more robust. Is IPTables more secure for a given set of rules?
:
: The rules for IPChains I use can be found at
: http://members.cavtel.net/mdver/start_firewall . This is easier than trying
: to explain what I am trying to accomplish.
:
: I am using RedHat 7.1 for a gateway/firewall.
:
: I am also looking for an online IPTables for Dummies reference, in case
: IPTables is indeed superior to IPChains.
:
: Sincerely,
: Marc DVer
:
: _______________________________________________
: firewall-wizards mailing list
: firewall-wizards () honor icsalabs com
: http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown () securepipe com
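The chain-traversal difference Martin describes can be made concrete with a small model. The following is an added example, not code from the list post or from either firewall package: it models how the 2.4 iptables filter table sends each packet to exactly one of INPUT, FORWARD or OUTPUT based on the routing decision, while ipchains runs an arriving packet through input and, if it is forwarded, through forward and output as well. The addresses, interface names, rules and packets are constructed for the illustration; first-match evaluation with a DROP policy is assumed for both models.

```python
"""Toy model of filter-chain traversal: 2.4 iptables vs. 2.2 ipchains (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    in_iface: Optional[str] = None   # None = generated on the local box


@dataclass(frozen=True)
class Rule:
    chain: str                        # iptables: INPUT/FORWARD/OUTPUT; ipchains: input/forward/output
    target: str                       # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every match field that is set must agree with the packet (ANDed, like real matches).
        return all(want is None or want == got for want, got in (
            (self.proto, pkt.proto), (self.dport, pkt.dport),
            (self.in_iface, pkt.in_iface), (self.dst, pkt.dst)))


LOCAL_IPS = {"192.0.2.1", "192.168.1.1"}   # constructed: WAN and LAN addresses of the gateway


def iptables_chain(pkt: Packet, local_ips=LOCAL_IPS) -> str:
    """iptables: exactly one filter chain per packet, chosen by the routing decision."""
    if pkt.in_iface is None:
        return "OUTPUT"
    if pkt.dst in local_ips:
        return "INPUT"
    return "FORWARD"


def ipchains_chains(pkt: Packet, local_ips=LOCAL_IPS) -> List[str]:
    """ipchains: arriving packets hit input; forwarded ones continue through forward and output."""
    if pkt.in_iface is None:
        return ["output"]
    if pkt.dst in local_ips:
        return ["input"]
    return ["input", "forward", "output"]


def run_chain(rules: List[Rule], chain: str, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule in the chain decides; otherwise the chain policy applies."""
    for r in rules:
        if r.chain == chain and r.matches(pkt):
            return r.target
    return policy


def iptables_verdict(rules: List[Rule], pkt: Packet) -> str:
    return run_chain(rules, iptables_chain(pkt), pkt)


def ipchains_verdict(rules: List[Rule], pkt: Packet) -> str:
    # A packet must be accepted by every chain it traverses.
    return "ACCEPT" if all(run_chain(rules, c, pkt) == "ACCEPT"
                           for c in ipchains_chains(pkt)) else "DROP"


# Intended policy: LAN (eth1) may ssh to the gateway and browse http through it; the gateway may talk out.
IPTABLES_RULES = [
    Rule("INPUT", "ACCEPT", proto="tcp", dport=22, in_iface="eth1"),
    Rule("FORWARD", "ACCEPT", proto="tcp", dport=80, in_iface="eth1"),
    Rule("OUTPUT", "ACCEPT"),
]
# Same intent under ipchains: forwarded http must ALSO be admitted by the input chain.
IPCHAINS_RULES = [
    Rule("input", "ACCEPT", proto="tcp", dport=22, in_iface="eth1"),
    Rule("input", "ACCEPT", proto="tcp", dport=80, in_iface="eth1"),
    Rule("forward", "ACCEPT", proto="tcp", dport=80),
    Rule("output", "ACCEPT"),
]

# Constructed sample packets.
SSH_TO_GW = Packet("192.168.1.10", "192.168.1.1", "tcp", 22, "eth1")
HTTP_THRU = Packet("192.168.1.10", "203.0.113.5", "tcp", 80, "eth1")
HTTP_TO_GW = Packet("192.168.1.10", "192.168.1.1", "tcp", 80, "eth1")
DNS_FROM_GW = Packet("192.0.2.1", "203.0.113.53", "udp", 53, None)
SSH_FROM_WAN = Packet("203.0.113.9", "192.0.2.1", "tcp", 22, "eth0")


def compare(pkt: Packet) -> Tuple[str, str]:
    """(iptables verdict, ipchains verdict) for the same intended policy."""
    return iptables_verdict(IPTABLES_RULES, pkt), ipchains_verdict(IPCHAINS_RULES, pkt)


if __name__ == "__main__":
    for name, p in [("ssh to gw", SSH_TO_GW), ("http through", HTTP_THRU),
                    ("http to gw", HTTP_TO_GW), ("dns from gw", DNS_FROM_GW),
                    ("ssh from wan", SSH_FROM_WAN)]:
        print(f"{name:14} iptables={iptables_chain(p):8} ipchains={ipchains_chains(p)} -> {compare(p)}")
```

The last packet, http from the LAN to the gateway itself, is where the two rule sets diverge: iptables drops it (the INPUT chain has no rule for port 80), but the ipchains input rule that had to be added to let forwarded http pass also admits http to the box. Keeping the ipchains version tight would need a further destination match on that input rule, which is exactly the extra bookkeeping the post attributes to ipchains.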
Current thread:
- IPChains vs. IPTables Marc DVer (Jul 24)
- Re: IPChains vs. IPTables Patrick Darden (Jul 24)
- Re: IPChains vs. IPTables Josh Welch (Jul 24)
- Re: IPChains vs. IPTables Volker Tanger (Jul 25)
- Re: IPChains vs. IPTables Nimesh Vakharia (Jul 29)
- Re: IPChains vs. IPTables Josh Welch (Jul 24)
- Re: IPChains vs. IPTables Patrick Darden (Jul 24)
- Re: IPChains vs. IPTables Martin A. Brown (Jul 24)
- Re: IPChains vs. IPTables firewall-wizards (Jul 24)
- Re: IPChains vs. IPTables Brian Hatch (Jul 24)