Firewall Wizards: Re: IPChains vs. IPTables

Re: IPChains vs. IPTables

From: Martin A. Brown <mabrown-firewall-wizards_at_securepipe.com>
Date: Wed, 24 Jul 2002 09:53:24 -0500 (CDT)

Mark,

There's a big difference between iptables and ipchains for the user. In
terms of the kernel interface and/or support, it seems to me the
difference is not so great.

The primary difference which should persuade you to use ipchains is as
follows:

  - with ipchains you will need to write a rule for the input, forward
    and output chains, as each and every packet goes through each of
    these chains. This usually leads to a very complex script even for a
    simple packet filter.

  - with iptables you will need to write rules as follows:

    input rules only for packets with the destination IP on the local box
    forward rules only for packets passing through the local box
    output rules only for packets generated on the local box

    Using iptables leads to a much less complex script, though the packet
    filter performs the same task. Less complexity translates into less
    maintenance cost.

To help you see the way the kernel (2.4.x) deals with IP packets and
filtering and routing, here's a diagram of the movement of a packet
through the iptables code in the kernel (Thanks to Stef Coene from the
LARTC list):

  http://www.docum.org/stef.coene/qos/kptd/

And one last item: iptables has better support for nat and other packet
mangling out of the box.

In short, I'd say, if you have a choice, the effort/reward ratio is
better with iptables.

-Martin

 : Someone suggested that I use IPTables instead of IPchains, as IPTables is
 : more robust. Is IPTables more secure for a given set of rules?
 :
 : The rules for IPChains I use can be found at
 : http://members.cavtel.net/mdver/start_firewall . This is easier than trying
 : to explain what I am trying to accomplish.
 :
 : I am using RedHat 7.1 for a gateway/firewall.
 :
 : I am also looking for an online IPTables for Dummies reference, in case
 : IPTables is indeed superior to IPChains.
 :
 : Sincerely,
 : Marc DVer
 :
 : _______________________________________________
 : firewall-wizards mailing list
 : firewall-wizards_at_honor.icsalabs.com
 : http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown_at_securepipe.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jul 24 2002
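The chain-traversal difference Martin describes above, as an added example that is not part of the original message. It is a small simulator that models the ipchains behaviour in which a forwarded packet passes through the input, forward and output chains while a locally destined or locally generated packet sees only one of them, and the iptables filter table behaviour in which every packet sees exactly one of INPUT, FORWARD and OUTPUT. The same policy (LAN may browse the web through the box, LAN may ssh to the box, everything else dropped) is written for both models so that the rule counts can be compared, and a third ruleset shows what happens under the ipchains model when the input- and output-chain rules for forwarded traffic are forgotten. All addresses, prefixes, rules and helper names are constructed for the illustration; the simulator is a simplification of both kernels, not their code.

```python
"""Simulate which filter chains a packet traverses under the ipchains
(2.2 kernel) model versus the iptables filter table (2.4 kernel) model,
then evaluate one security policy written for each model.  Everything
here is a constructed illustration, not kernel code."""
from dataclasses import dataclass
from typing import Callable, List

# Constructed addresses from the RFC 5737 documentation ranges.
LOCAL_ADDRS = {"192.0.2.1", "198.51.100.1"}   # the firewall box's own interfaces
LAN = "192.0.2."                                # constructed LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def packet_class(pkt: Packet) -> str:
    """input = destined to the box, output = generated by it, else forward."""
    if pkt.dst in LOCAL_ADDRS:
        return "input"
    if pkt.src in LOCAL_ADDRS:
        return "output"
    return "forward"


def ipchains_traversal(pkt: Packet) -> List[str]:
    """ipchains model: a forwarded packet passes input, forward AND output."""
    cls = packet_class(pkt)
    return ["input", "forward", "output"] if cls == "forward" else [cls]


def iptables_traversal(pkt: Packet) -> List[str]:
    """iptables filter table: exactly one of INPUT, FORWARD, OUTPUT."""
    return [packet_class(pkt).upper()]


@dataclass(frozen=True)
class Rule:
    chain: str
    match: Callable[[Packet], bool]
    verdict: str                      # "ACCEPT" or "DROP"


def evaluate(pkt: Packet, traversal, rules: List[Rule], policy: str = "DROP") -> str:
    """First matching rule in each traversed chain decides; the chain
    policy applies when nothing matches; any DROP ends the traversal."""
    for chain in traversal(pkt):
        verdict = policy
        for rule in rules:
            if rule.chain == chain and rule.match(pkt):
                verdict = rule.verdict
                break
        if verdict == "DROP":
            return "DROP"
    return "ACCEPT"


def lan_to_web(p: Packet) -> bool:
    return p.src.startswith(LAN) and p.dst not in LOCAL_ADDRS and p.dport == 80


def lan_to_ssh(p: Packet) -> bool:
    return p.src.startswith(LAN) and p.dst in LOCAL_ADDRS and p.dport == 22


# Policy: LAN may browse the web through the box, LAN may ssh to the box,
# default DROP elsewhere.  Under the ipchains model the forwarded web
# traffic must be accepted in all three chains it traverses.
IPCHAINS_RULES = [
    Rule("input",   lan_to_ssh, "ACCEPT"),
    Rule("input",   lan_to_web, "ACCEPT"),   # forwarded packets enter via input ...
    Rule("forward", lan_to_web, "ACCEPT"),
    Rule("output",  lan_to_web, "ACCEPT"),   # ... and leave via output
]
IPTABLES_RULES = [
    Rule("INPUT",   lan_to_ssh, "ACCEPT"),
    Rule("FORWARD", lan_to_web, "ACCEPT"),
]
# The easy mistake under the ipchains model: only the forward-chain rule.
IPCHAINS_FORWARD_ONLY = [
    Rule("input",   lan_to_ssh, "ACCEPT"),
    Rule("forward", lan_to_web, "ACCEPT"),
]

# Constructed sample packets: a LAN host browsing, a LAN host ssh-ing to the
# box, an outside host ssh-ing to the box, an outside host reaching the LAN.
SAMPLE = {
    "lan_web":     Packet("192.0.2.10",  "203.0.113.5",  80),
    "lan_ssh":     Packet("192.0.2.10",  "192.0.2.1",    22),
    "ext_ssh":     Packet("203.0.113.9", "198.51.100.1", 22),
    "ext_forward": Packet("203.0.113.9", "192.0.2.10",   80),
}


def verdicts(rules: List[Rule], traversal) -> dict:
    """Verdict for every sample packet under one ruleset and one model."""
    return {name: evaluate(p, traversal, rules) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, p in SAMPLE.items():
        print(f"{name:12s} ipchains={ipchains_traversal(p)} iptables={iptables_traversal(p)}")
    print("ipchains  (4 rules):", verdicts(IPCHAINS_RULES, ipchains_traversal))
    print("iptables  (2 rules):", verdicts(IPTABLES_RULES, iptables_traversal))
    print("ipchains, forward-only rules:", verdicts(IPCHAINS_FORWARD_ONLY, ipchains_traversal))
```

Both complete rulesets give identical verdicts on the sample packets, but the ipchains version needs twice as many rules because the forwarded flow must be accepted in every chain it crosses; dropping the input and output rules silently blocks the forwarded web traffic even though the forward chain accepts it. That is the maintenance cost the message refers to, and it is also where a default-DROP input chain can be unintentionally loosened by a broad accept written to let forwarded traffic through.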