These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/IPTables Advantages - Disadvantages Over IPChains


IP Tables has many advantages over IP Chains. In most circumstances you will want to use it instead of IP Chains, if for no other reason than that it is the better supported of the two. However, there are some disadvantages that you should be aware of. Let's examine both the advantages and the disadvantages.

Advantages

  • The connection-tracking feature of IP Tables is very useful. Because the kernel records the state of every flow it has seen, any packet that does not fit the recorded state of an existing connection can be dropped as INVALID before it reaches the client. This prevents most TCP hijacking attempts against non-IP-Masqueraded clients that suffer from poor TCP sequence number randomization, such as Windows systems, some UNIXes (notably SGI), some IBM system configurations, and many older systems. Similarly, it can be used to prevent UDP packet hijacking, since UDP replies are only admitted for flows the client actually initiated. The same mechanism stops attackers from injecting spurious ICMP packets for cracking and probing, because an ICMP error is only accepted when it relates to a tracked connection.
  • Packets can now be matched by source MAC address, by the UID of the local process that generated them (in the OUTPUT chain only, since the kernel only knows the owner of locally generated packets), by Time To Live (TTL), or by the rate at which a class of packets is being seen. These matches allow better detection and rejection of interlopers trying to inject packets or scan a system.
  • Incoming packets initiating TCP connections to your organization's servers can be distributed at random among a set of servers to spread the load. Because the NAT decision is made on the first packet of a connection and remembered by connection tracking, the rest of that connection follows it to the same server.
  • With IP Tables you can specify a text string to precede each logged message (the --log-prefix option of the LOG target), which makes figuring out why a packet was logged much easier.
  • IP Tables can REDIRECT packets just as IP Chains does, but it also has a generalized DNAT feature that allows arbitrary rewriting of the destination IP address and port number. Thus you can actually disguise where packets for a given service go. This has uses everywhere from honeypots and tarpits to enforcing the use of a given proxy server for web caching.
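The following ruleset is an added example, not code from the classnotes, that exercises each of the advantages listed above in one script: connection tracking, the MAC, owner, TTL and rate-limit matches, DNAT to force a proxy, and DNAT to load-balance a public web service. The interface names, addresses, MAC address, user name and proxy port are assumptions chosen for illustration. The script uses the mainline "statistic" match for the random distribution; the 2003-era kernels these notes describe got the same effect from the patch-o-matic "random" and "nth" matches.

```shell
#!/bin/sh
# Added example: an iptables ruleset exercising the matches listed above.
# Everything here is constructed for illustration: the interface names,
# addresses, MAC address and user name are assumptions, not values from
# the notes.  Run "sh advantages.sh apply" (as root) to load it, or with
# no argument to print the commands instead of executing them.

WAN=eth0                      # assumed Internet-facing interface
LAN=eth1                      # assumed internal interface
DMZ=eth2                      # assumed DMZ holding the proxy and web servers
ADMIN_MAC=00:11:22:33:44:55   # assumed MAC of the administrator's workstation
PROXY_IP=10.0.0.5             # assumed web cache (e.g. Squid) in the DMZ
PROXY_PORT=3128
WEB1=10.0.0.11                # assumed first public web server
WEB2=10.0.0.12                # assumed second public web server

# Every rule goes through r, so passing "echo" instead of "iptables"
# turns the whole script into a dry run.
r() { "$IPT" "$@"; }

build_ruleset() {
    IPT="${1:-iptables}"

    r -F
    r -t nat -F
    r -P INPUT DROP
    r -P FORWARD DROP
    r -P OUTPUT ACCEPT

    # Connection tracking.  Replies and related traffic (ICMP errors, FTP
    # data) for flows the kernel already knows are accepted; packets that
    # do not fit any tracked flow are INVALID and dropped.  This is what
    # stops injected TCP, UDP and ICMP packets from reaching the clients.
    # ("-m state --state" is the older spelling of the same match.)
    r -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    r -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    r -A INPUT -m conntrack --ctstate INVALID -j DROP
    r -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # A NEW TCP connection must begin with a bare SYN.
    r -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # MAC match: only the administrator's workstation may reach SSH on
    # the firewall (anything else falls through to the DROP policy).
    r -A INPUT -i "$LAN" -p tcp --dport 22 -m mac --mac-source "$ADMIN_MAC" -j ACCEPT

    # TTL match: packets arriving from the Internet that would expire
    # within two more hops are traceroute/firewalking probes, not users.
    r -A INPUT -i "$WAN" -m ttl --ttl-lt 3 -j DROP
    r -A FORWARD -i "$WAN" -m ttl --ttl-lt 3 -j DROP

    # Rate (limit) match: answer pings, but not a flood of them.
    r -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT

    # Owner match: only meaningful in OUTPUT, where the kernel knows which
    # local process generated the packet.  A compromised web application
    # running as www-data cannot use the firewall host to send mail.
    r -A OUTPUT -m owner --uid-owner www-data -p tcp --dport 25 -j REJECT

    # Let the LAN out, masqueraded.
    r -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    r -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # DNAT to enforce the proxy: LAN web requests are rewritten to the
    # cache whether or not the browser was configured to use it.
    r -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    r -A FORWARD -i "$LAN" -o "$DMZ" -d "$PROXY_IP" -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # DNAT for load balancing: half of the new connections (chosen at
    # random) go to WEB1, the remainder to WEB2.  The choice is made on
    # the first packet and remembered by connection tracking, so the rest
    # of each connection follows it to the same server.
    r -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -m statistic --mode random --probability 0.5 -j DNAT --to-destination "$WEB1"
    r -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB2"
    r -A FORWARD -i "$WAN" -o "$DMZ" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    apply) build_ruleset iptables ;;
    *)     build_ruleset echo ;;
esac
```

Note the order of the DNAT rules: the probabilistic rule must come first, and the unconditional rule catches everything the first one let through; with more servers you chain further rules with decreasing probabilities (1/3, then 1/2, then unconditional).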

Disadvantages

  • The "-l" flag of IP Chains, which logged a packet as a side effect of whatever target "-j" named, is gone. To get logging you must now have two rules: one that matches and jumps to LOG (a non-terminating target, so rule processing continues) and one that matches the same packets and DROPs them. The disadvantage over the -l flag is that nothing ties the two rules together, and the log entry does not record the number of the rule that caused it.
  • Packets being routed through the system (neither from nor to the firewall itself) are not processed by the INPUT or OUTPUT chains, only by the FORWARD chain and the PREROUTING and POSTROUTING chains used for NAT. You must therefore maintain one set of rules for packets to and from the firewall and a different set for packets being forwarded.
  • IP Masquerading (NAT) support for many applications that IP Chains handled is not available in IP Tables. These include games such as Quake and Unreal Tournament, and services such as RealAudio and ICQ.
  • The case of IP Chains' built-in chain names was changed (from the lower-case input, output and forward to the upper-case INPUT, OUTPUT and FORWARD).
  • The "-C" command in IP Chains let you ask, "If I had a packet with this protocol, this source and destination IP, these ports and these options, would it be accepted, denied, or rejected?" This command no longer exists in IP Tables. (The "-C" option that later versions of iptables added is something different: it only checks whether a given rule is already present in a chain, and does not simulate a packet.)
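The script below is an added example, not code from the classnotes, showing the usual workaround for the first two disadvantages: a user-defined chain that bundles the LOG and DROP rules so each caller again needs only one rule, with a distinct --log-prefix per chain standing in for the rule number that is no longer logged, and separate rules for the firewall's own traffic (INPUT) and for forwarded traffic (FORWARD). The interface names and the address ranges are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: replacing ipchains' "-l" with user-defined log-and-drop
# chains, and keeping separate rules for the firewall's own traffic and for
# forwarded traffic.  Interface names and address ranges are assumptions
# made for illustration; nothing here comes from the notes themselves.
# Run "sh logdrop.sh apply" (as root) to load the rules, or with no
# argument to print them instead of executing them.

WAN=eth0    # assumed Internet-facing interface
LAN=eth1    # assumed internal interface

# Every rule goes through r, so passing "echo" instead of "iptables" makes
# the script a dry run.
r() { "$IPT" "$@"; }

# Create a chain that logs, then drops.  LOG is non-terminating, so the
# DROP must follow it as a second rule; bundling the pair in one chain
# means callers need only one rule, as with ipchains' -l.  iptables does
# not log the rule number, so each chain carries a distinct --log-prefix
# naming the reason, and the LOG rule is rate-limited so that a flood of
# rejected packets cannot fill the log.
make_logdrop() {
    chain=$1
    prefix=$2
    r -N "$chain"
    r -A "$chain" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$prefix" --log-level 4
    r -A "$chain" -j DROP
}

build_ruleset() {
    IPT="${1:-iptables}"

    r -F                 # flush every chain first...
    r -X                 # ...so the user-defined chains can be deleted
    r -P INPUT DROP
    r -P FORWARD DROP
    r -P OUTPUT ACCEPT

    make_logdrop SPOOF_DROP "ipt-spoof: "
    make_logdrop INPUT_DROP "ipt-input: "
    make_logdrop FWD_DROP   "ipt-fwd: "

    # Anti-spoofing.  Every test is attached to both INPUT and FORWARD:
    # a packet the firewall routes never traverses INPUT or OUTPUT, so a
    # rule in INPUT alone protects only the firewall itself.
    r -A INPUT -i "$WAN" -s 10.0.0.0/8 -j SPOOF_DROP
    r -A FORWARD -i "$WAN" -s 10.0.0.0/8 -j SPOOF_DROP
    r -A INPUT -i "$WAN" -s 192.168.0.0/16 -j SPOOF_DROP
    r -A FORWARD -i "$WAN" -s 192.168.0.0/16 -j SPOOF_DROP

    # Traffic to and from the firewall itself.
    r -A INPUT -i lo -j ACCEPT
    r -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    r -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Traffic being forwarded gets its own rules, since INPUT and OUTPUT
    # never see it.
    r -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    r -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    # Whatever reaches the end of a chain is logged under a prefix that
    # says which chain rejected it, then dropped.
    r -A INPUT -j INPUT_DROP
    r -A FORWARD -j FWD_DROP
}

case "${1:-}" in
    apply) build_ruleset iptables ;;
    *)     build_ruleset echo ;;
esac
```

A log line produced by this ruleset begins with the prefix (for example "ipt-spoof: "), so grepping the kernel log for the prefix tells you which class of rule fired even though the rule number is absent.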


Last edited June 21, 2003 1:42 am (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.