Firstly, the names of the built-in chains have changed from
lower case to UPPER case, because the INPUT and OUTPUT chains now only
get locally-destined and locally-generated packets. They used to see
all incoming and all outgoing packets respectively.

The `-i' flag now means the incoming interface, and only works
in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT
chains that used `-i' should be changed to `-o'.

TCP and UDP ports now need to be spelled out with the
--source-port or --sport (or --destination-port/--dport) options, and
must be placed after the `-p tcp' or `-p udp' options, as this loads
the TCP or UDP extensions respectively.

The TCP -y flag is now --syn, and must be after `-p tcp'.

The DENY target is now DROP, finally.

Zeroing single chains while listing them works.

Zeroing built-in chains also clears policy counters.

Listing chains gives you the counters as an atomic snapshot.

REJECT and LOG are now extended targets, meaning they are
separate kernel modules.

Chain names can be up to 31 characters.

MASQ is now MASQUERADE and uses a different syntax. REDIRECT,
while keeping the same name, has also undergone a syntax change. See
the NAT-HOWTO for more information on how to configure both of these.

The -o option is no longer used to direct packets to the userspace
device (see -i above). Packets are now sent to userspace via the QUEUE
target.
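The following is an added example, not code from the HOWTO, showing the syntax differences above applied mechanically: a POSIX sh function that rewrites one ipchains rule into iptables syntax (upper-case built-in chains, `-i' to `-o' in FORWARD/OUTPUT, positional ports to --sport/--dport placed after `-p', -y to --syn, DENY to DROP). The sample rules are constructed for illustration; the function assumes the chain is named before any `-i' and does not handle `!' negation. MASQ and REDIRECT are only flagged, since their new syntax is described in the NAT-HOWTO, not here.

```shell
#!/bin/sh
# Added example, not code from the HOWTO: rewrite one ipchains rule (passed
# as a single string, without the leading "ipchains") into iptables syntax.
# Covers only the differences listed in the text. MASQ and REDIRECT change
# syntax (and table), so they are flagged for manual conversion instead.
# Assumes the rule names its chain (-A/-I/-D/-R/-P) before any `-i', and
# does not handle `!' negation.

builtin_chain() {
    # Only the three ipchains built-in chains are renamed; user-defined
    # chains keep whatever name they had.
    case "$1" in
        input)   echo INPUT ;;
        output)  echo OUTPUT ;;
        forward) echo FORWARD ;;
        *)       echo "$1" ;;
    esac
}

target_name() {
    # DENY is spelled DROP now; everything else passes through.
    case "$1" in
        DENY) echo DROP ;;
        *)    echo "$1" ;;
    esac
}

ipchains_to_iptables() {
    rule=$1
    pre=""     # match options, including -p, in their original order
    ext=""     # --sport/--dport/--syn: these only parse after -p tcp/udp
    jump=""    # -j TARGET, kept last
    chain=""
    set -- $rule
    while [ $# -gt 0 ]; do
        case "$1" in
            -P)
                # Policy: chain name and target are both positional.
                pre="$pre -P $(builtin_chain "$2") $(target_name "$3")"
                shift 3 ;;
            -A|-I|-D|-R)
                chain=$(builtin_chain "$2")
                pre="$pre $1 $chain"
                shift 2 ;;
            -s|-d)
                pre="$pre $1 $2"
                # ipchains took an optional port right after the address.
                if [ $# -ge 3 ] && [ "${3#-}" = "$3" ]; then
                    if [ "$1" = -s ]; then ext="$ext --sport $3"
                    else ext="$ext --dport $3"; fi
                    shift 3
                else
                    shift 2
                fi ;;
            -i)
                # -i is now the incoming interface, valid only in INPUT and
                # FORWARD; the old outgoing-interface meaning is spelled -o.
                case "$chain" in
                    FORWARD|OUTPUT) pre="$pre -o $2" ;;
                    *)              pre="$pre -i $2" ;;
                esac
                shift 2 ;;
            -y)
                ext="$ext --syn"; shift ;;
            -j)
                case "$2" in
                    MASQ|REDIRECT)
                        echo "# manual conversion needed (see NAT-HOWTO): $rule"
                        return 1 ;;
                esac
                jump=" -j $(target_name "$2")"
                shift 2 ;;
            *)
                pre="$pre $1"; shift ;;
        esac
    done
    # Protocol extensions go after -p (which sits in $pre), then the target.
    printf 'iptables%s%s%s\n' "$pre" "$ext" "$jump"
}

# Constructed sample rules, not taken from any real ruleset:
ipchains_to_iptables "-P input DENY"
ipchains_to_iptables "-A input -p tcp -s 0/0 -d 192.168.1.1 80 -y -j DENY"
ipchains_to_iptables "-A forward -i eth0 -j ACCEPT"
ipchains_to_iptables "-A forward -s 192.168.1.0/24 -j MASQ" || true
```

Because the port and --syn options are collected separately and emitted after all other match options, they always land after `-p tcp' or `-p udp' even when the ipchains rule put the address and port first. The translation is purely syntactic: as the first item above says, the old input chain saw every incoming packet whereas INPUT sees only locally-destined ones, so a converted input rule that was meant to cover forwarded traffic also needs a counterpart in FORWARD.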