Linux 2.4 Packet Filtering HOWTO: Differences Between iptables and ipchains

10. Differences Between iptables and ipchains

  • Firstly, the names of the built-in chains have changed from lower case to UPPER case, because the INPUT and OUTPUT chains now only see locally-destined and locally-generated packets respectively; forwarded packets traverse only the FORWARD chain. Under ipchains the input and output chains saw all incoming and all outgoing packets, forwarded ones included.
  • The `-i' flag now means the incoming interface, and only works in the INPUT and FORWARD chains. Under ipchains, `-i' in the forward and output chains named the interface a packet would leave by; rules in the FORWARD or OUTPUT chains that used `-i' in that sense should be changed to `-o'.
  • TCP and UDP ports now need to be spelled out with the --source-port or --sport (or --destination-port or --dport) options, rather than following the address as in ipchains, and must be placed after the `-p tcp' or `-p udp' option, since that is what loads the TCP or UDP match extension that defines them.
  • The TCP -y flag is now --syn, and must be after `-p tcp'.
  • The DENY target is now DROP, finally.
  • Zeroing single chains while listing them works.
  • Zeroing built-in chains also clears policy counters.
  • Listing chains gives you the counters as an atomic snapshot.
  • REJECT and LOG are now extended targets, meaning they are separate kernel modules.
  • Chain names can be up to 31 characters.
  • MASQ is now MASQUERADE and uses a different syntax. REDIRECT, while keeping the same name, has also undergone a syntax change. See the NAT-HOWTO for more information on how to configure both of these.
  • The -o option is no longer used to direct packets to the userspace device (see -i above). Packets are now sent to userspace via the QUEUE target.
  • Probably heaps of other things I forgot.
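The renamings above, applied mechanically, as an added example that is not from the HOWTO: a POSIX shell function that rewrites one ipchains rule as its iptables equivalent. It implements the points listed (upper-case built-in chains, --sport/--dport placed after -p, -y to --syn, DENY to DROP, -i to -o outside INPUT, MASQ to MASQUERADE) and refuses port or --syn matches that lack the -p tcp/udp needed to load the extension. The move of MASQUERADE into the nat table's POSTROUTING chain comes from the NAT-HOWTO the text refers to, not from this page; REDIRECT, the ipchains -l logging flag and `!' negation are not translated. The sample rules at the end are constructed for the example.

```shell
#!/bin/sh
# ipchains2iptables: rewrite one ipchains rule as the equivalent iptables rule.
# Added example for this section of the HOWTO, not code from the HOWTO itself.
# Not handled: REDIRECT's new syntax, the -l logging flag, and "!" negation.

map_target() {
    # DENY became DROP; MASQ became MASQUERADE (and moved to the nat table).
    case "$1" in
        DENY) echo DROP ;;
        MASQ) echo MASQUERADE ;;
        *)    echo "$1" ;;
    esac
}

ipchains2iptables() {
    table="" cmd="" chain="" proto="" src="" sport="" dst="" dport="" iface="" syn="" target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I|-D|-R|-F|-Z|-L|-N|-X|-P)
                cmd="$1"; shift
                # Built-in chains are UPPER case in iptables; user chains keep their names.
                if [ $# -gt 0 ] && [ "${1#-}" = "$1" ]; then
                    case "$1" in
                        input)   chain=INPUT ;;
                        output)  chain=OUTPUT ;;
                        forward) chain=FORWARD ;;
                        *)       chain="$1" ;;
                    esac
                    shift
                fi
                # -P takes the policy target right after the chain name.
                if [ "$cmd" = -P ] && [ $# -gt 0 ]; then
                    target=$(map_target "$1"); shift
                fi ;;
            -p) proto="$2"; shift 2 ;;
            -s|-d)
                # ipchains puts an optional port or port range after the address;
                # iptables wants --sport/--dport, emitted below after -p tcp/udp.
                side="$1" addr="$2" port=""
                shift 2
                if [ $# -gt 0 ] && [ "${1#-}" = "$1" ]; then
                    port="$1"; shift
                fi
                if [ "$side" = -s ]; then src="$addr" sport="$port"
                else dst="$addr" dport="$port"; fi ;;
            -i) iface="$2"; shift 2 ;;
            -y) syn="--syn"; shift ;;
            -j) target=$(map_target "$2"); shift 2 ;;
            *)  echo "ipchains2iptables: unhandled option '$1'" >&2; return 1 ;;
        esac
    done
    # Port and SYN matches live in the tcp/udp extensions, which only -p loads.
    if [ -n "$sport$dport" ] && [ "$proto" != tcp ] && [ "$proto" != udp ]; then
        echo "ipchains2iptables: port matches need -p tcp or -p udp" >&2; return 1
    fi
    if [ -n "$syn" ] && [ "$proto" != tcp ]; then
        echo "ipchains2iptables: --syn needs -p tcp" >&2; return 1
    fi
    # MASQUERADE is a nat-table target and sits in POSTROUTING, not FORWARD.
    if [ "$target" = MASQUERADE ]; then table=nat chain=POSTROUTING; fi
    out="iptables"
    [ -n "$table" ] && out="$out -t $table"
    out="$out $cmd${chain:+ $chain}"
    [ -n "$proto" ] && out="$out -p $proto"
    [ -n "$src" ]   && out="$out -s $src"
    [ -n "$sport" ] && out="$out --sport $sport"
    [ -n "$dst" ]   && out="$out -d $dst"
    [ -n "$dport" ] && out="$out --dport $dport"
    if [ -n "$iface" ]; then
        # ipchains -i meant the incoming interface on input but the outgoing
        # interface on forward/output; iptables spells the latter -o.
        case "$chain" in
            INPUT)                      out="$out -i $iface" ;;
            FORWARD|OUTPUT|POSTROUTING) out="$out -o $iface" ;;
            *) echo "ipchains2iptables: check -i/-o for user chain $chain" >&2
               out="$out -i $iface" ;;
        esac
    fi
    [ -n "$syn" ] && out="$out $syn"
    if [ -n "$target" ]; then
        if [ "$cmd" = -P ]; then out="$out $target"; else out="$out -j $target"; fi
    fi
    printf '%s\n' "$out"
}

# Constructed sample rules from a typical ipchains setup, one per line of output.
ipchains2iptables -P forward DENY
ipchains2iptables -A input -p tcp -d 192.168.1.1 80 -y -j DENY
ipchains2iptables -A forward -i eth0 -s 192.168.1.0/24 -j MASQ
ipchains2iptables -A output -p udp -i ppp0 -s 0/0 -d 0/0 53 -j ACCEPT
```

The function prints the translated command instead of running it, so the output can be reviewed before it touches a live firewall; the -i/-o decision is the one place a purely textual rewrite cannot be trusted for user-defined chains, which is why those get a warning on stderr.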

