- 09-16-2003 #1 Linux Engineer
- Join Date
- Nov 2002
- Location
- Queens, NY
- Posts
- 1,319
iptables, ipchains and SPI
What is the difference between iptables and ipchains? Is it possible to do SPI with these two?
The best things in life are free.
- 09-16-2003 #2 Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
I think I can summarize it by saying that ipchains is defunct and obsolete. It was used in the 2.2 kernels, and iptables includes all its functionality and extends it.
What is SPI?
- 09-16-2003 #3 Linux Engineer
- Join Date
- Nov 2002
- Location
- Queens, NY
- Posts
- 1,319
Stateful Packet Inspection. It basically drops all packets if the packet wasn't requested from a network.
The best things in life are free.
- 09-16-2003 #4 Linux Engineer
- Join Date
- Jan 2003
- Location
- Lebanon, pa
- Posts
- 994
Iptables supports that but I don't think ipchains does. I don't see any reason to use ipchains unless you are forced to use a 2.2 kernel.
- 09-16-2003 #5 Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
Oh yeah, iptables can certainly do that. Just to provide some more info, see the man page iptables(8) and look up the "state" match extension.
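The "state" match referred to above, as an added example that is not part of the original thread: a shell function that prints a default-drop ruleset in iptables-restore format, where traffic from outside is accepted only as a reply to an already-tracked connection. The two-interface gateway layout and the interface names eth0 (outside) and eth1 (inside) are assumptions.

```shell
#!/bin/sh
# Added example: stateful (SPI) filtering with the iptables "state" match.
# Interface names are assumptions; pass your own as arguments.
# On current kernels the same match is spelled: -m conntrack --ctstate

spi_rules() {
    wan="${1:-eth0}"   # assumed outside (untrusted) interface
    lan="${2:-eth1}"   # assumed inside (trusted) interface

    # Refuse names that could smuggle extra options or rules into the output.
    case "$wan$lan" in
        *[!A-Za-z0-9._-]*) echo "spi_rules: bad interface name" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always local.
-A INPUT -i lo -j ACCEPT
# Packets that connection tracking cannot associate with any flow.
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Replies to connections that this host or the inside network opened.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections may only originate from the inside interface.
-A INPUT -i $lan -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# To load the ruleset (as root): spi_rules eth0 eth1 | iptables-restore
```

Because no rule accepts state NEW on the outside interface, an unsolicited inbound packet falls through to the DROP policy, which is the behaviour described as SPI earlier in the thread.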
- 09-17-2003 #6 Linux Engineer
- Join Date
- Nov 2002
- Location
- Queens, NY
- Posts
- 1,319
Is it safe to state that iptables can do everything and more than ipchains? I'm not understanding why most machines have both. I also read that if ipchains is enabled, it won't load iptables.
The best things in life are free.
- 09-17-2003 #7 Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
I'd be extremely surprised if ipchains can do anything that iptables cannot.
Many distributions still ship with both ipfwadm, ipchains and iptables; I don't know why. ipfwadm was the 2.0 equivalent.
You can still compile compatibility modules for 2.4 that emulate ipfwadm or ipchains, but only when it comes to the userspace interface; they still use netfilter as the back end. And yes, the interface modules are mutually exclusive.
- 09-17-2003 #8 Linux Engineer
- Join Date
- Nov 2002
- Location
- Queens, NY
- Posts
- 1,319
Well, I'm using a Linksys router currently and it's really more trouble than anything. Things don't work right and I'm looking into using a Linux machine as a proxy server.
The best things in life are free.
- 09-17-2003 #9 Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
That sounds like a really good idea, if you ask me.
- 09-17-2003 #10 Linux Engineer
- Join Date
- Nov 2002
- Location
- Queens, NY
- Posts
- 1,319
If I use a Linux machine as a proxy, is it possible to have other servers set up on the same machine without causing conflicts?
The best things in life are free.


