netfilter vs. iptables
Derrik Pates
dpates@dsdk12.net
Mon, 22 Oct 2001 14:49:23 -0600 (MDT)
On Mon, 22 Oct 2001, Jessica Koeppel wrote:
> I was asked by my boss to set up some ipchains. A friend who knows more
> about such things suggested I look at netfilter, since this is newer.
> So I started in, and mentioned I was working with "iptables", and he
> said that while iptables was newer than ipchains, I really wanted
> netfilter, as this was newest and best. But everything I look at that's
> related to netfilter has me using iptables.
Netfilter is the kernel-side packet-manipulation framework that iptables
uses. There are compatibility modules, layered on top of the netfilter
system, that allow the use of ipchains and ipfwadm (the admin tools that
were used for the 2.2.x and 2.0.x packet-filtering systems,
respectively). iptables is, basically, the combination of the user-space
tools (the 'iptables' command-line tool, its .so modules and other
accoutrements) and a kernel-level layer on top of netfilter (basically you
could think of it as a netfilter "personality" module, I suppose) that
the userspace utility talks to in order to manage rules for handling packets.
Derrik Pates | Sysadmin, Douglas School | #linuxOS on EFnet
dpates@dsdk12.net | District (dsdk12.net) | #linuxOS on OPN
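As an added illustration of the user-space side Derrik describes (this is not code from the thread): a minimal default-deny host ruleset written out in iptables-restore format. The interface name and the allowed TCP port list are assumptions for the example; the script only generates and syntax-checks the text, so the kernel-side netfilter code is never touched unless you load it yourself.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Emits a default-deny IPv4 filter ruleset in iptables-restore(8) format.
# These text rules are the user-space half; once loaded, each line becomes
# a rule evaluated by the kernel-side netfilter/ip_tables code.

# Assumed parameters for this example: external interface and the TCP
# ports that may accept unsolicited (NEW) connections.
WAN_IF="${WAN_IF:-eth0}"
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    # One explicit ACCEPT per permitted service port; everything else
    # falls through to the chain's DROP policy after being logged.
    for p in $ALLOW_TCP_PORTS; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$WAN_IF" "$p"
    done
    cat <<EOF
-A INPUT -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Sanity check before loading: how many ACCEPT rules the INPUT chain has.
count_accepts() {
    gen_ruleset | grep -c -- '-A INPUT .* -j ACCEPT'
}

# Parse-only check (iptables-restore --test) when the tool is present and
# we are root; otherwise just print the ruleset for review.
if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    gen_ruleset | iptables-restore --test
else
    gen_ruleset
fi
```

Load it for real with `gen_ruleset | iptables-restore` only after reviewing the output, since the INPUT policy is DROP and a missing port rule locks out remote access.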