[Dshield] Switched from ipchains -> iptables ... some questions.

Clint Byrum cbyrum at erp.com
Thu May 2 17:21:51 GMT 2002


On Thu, 2002-05-02 at 06:16, Ryan Johnson wrote:
> I personally really like iptables. The syntax is very similar to that of
> ipchains, but the how the packets move through the chains is considerably
> different.

This was, in fact, one of the greatest factors in my decision to move
forward. That, and SNAT/DNAT.

> That will probably be the most noticeable difference and the most important
> ( your rules will be considerably different).
> Read about it here
> http://www.iptables.org/documentation/HOWTO//packet-filtering-HOWTO.html
> I can not stress
> If you are happy with the capabilities of ipchains, then iptables may not be
> worth it. However iptables has quite a few new capabilities, that I feel are
> worth the trouble.

Agreed. The stateful firewalling is a huge help, and I feel is actually
easier to comprehend than the traditional approach of checking packet
types and destination ports and so on and so on. For instance, allowing
clients behind the firewall to use UDP based services is much safer now,
as the connections are tracked, and so wide open "let UDP through" rules
are not necessary. Previously the only real way to do this was with
NAT/Masquerading.

The new logging abilities are quite nice, as packets are now logged
separately from being acted upon. Also, the limit module is nice to
prevent filling up one's logs when something like a DDoS occurs.

Basically, iptables (or more properly.. "Netfilter"), is a much more
mature and complete solution. I'm quite happy that I took the time to
move forward.

<snip tons of stuff at bottom .. ahem>
-- 

------------------------------
Clint Byrum
ERP.COM 
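An added example, not from the post or the list, of the ruleset shape the message describes: stateful FORWARD/INPUT rules so that tracked UDP replies (e.g. DNS) come back without a blanket "allow UDP" rule, a separate LOG target rate-limited with the limit module before the DROP, and SNAT for the inside network. The interface names, the 192.168.1.0/24 network and the 203.0.113.10 public address are assumptions chosen for the example.

```shell
#!/bin/sh
# Stateful iptables ruleset for a small NAT gateway. The interfaces and
# addresses below are constructed for this example. With no arguments the
# script prints the rules; with --apply it runs them (root and netfilter needed).
LAN_IF=eth1            # assumed inside interface
WAN_IF=eth0            # assumed outside interface
LAN_NET=192.168.1.0/24 # assumed private network behind the gateway
WAN_IP=203.0.113.10    # assumed static public address (documentation range)

emit_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
# Stateful core: packets belonging to a tracked connection are let back in.
# Conntrack follows UDP exchanges too, so DNS replies to LAN clients return
# without any wide-open "let UDP through" rule.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only hosts on the LAN may open new flows through the gateway.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# LOG is a non-terminating target: it records and the packet continues to
# the DROP rule. The limit match caps the log rate so a flood cannot fill the disk.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A INPUT -j DROP
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-FWD-DROP: "
iptables -A FORWARD -j DROP
# SNAT for outbound LAN traffic (MASQUERADE would be used for a dynamic address).
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
EOF
}

# Self-check helper: number of rules that consult connection state.
stateful_rule_count() {
    emit_rules | grep -c -- '--state'
}

if [ "$1" = "--apply" ]; then
    emit_rules | grep -v '^#' | sh -e
else
    emit_rules
fi
```

Modern iptables accepts `-m conntrack --ctstate` in place of `-m state --state`; the 2002-era syntax is kept here to match the post.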