At first glance, ipchains and iptables appear to be quite similar. After all, both methods of packet filtering use chains of rules operating within the Linux kernel to decide not only which packets to let in or out, but also what to do with packets that match certain rules. However, iptables offers a much more extensible way of filtering packets, giving the administrator a greater amount of control without building too much complexity into the entire system.
Specifically, users comfortable with ipchains should be aware of the following significant differences between ipchains and iptables before attempting to use iptables:
Under iptables, each filtered packet is only processed using rules from one chain rather than multiple chains. In other words, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system, and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, you must be sure to place the rule designed to catch a particular packet in the chain that will actually see the packet.

The advantage is that you now have more control over the disposition of each packet. If you are attempting to block access to a particular website, it is now possible to block access attempts from clients running on hosts which use your host as a gateway. An OUTPUT rule which denies access will no longer prevent access for hosts which use your host as a gateway.

The DENY target has been changed to DROP. In ipchains, packets that matched a rule in a chain could be directed to the DENY target, which silently dropped the packet. This target must be changed to DROP in iptables to have the same effect.

Order matters when placing options in a rule. Previously, with ipchains, it did not matter very much how you ordered the rule options. The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used with a rule. You must also only use incoming interfaces (-i option) with INPUT or FORWARD chains and outgoing interfaces (-o option) with FORWARD or OUTPUT chains. This is necessary because OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
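The differences listed above, applied mechanically, as an added example that is not part of the original document: a small translator that rewrites ipchains-style rules in iptables syntax (chain names, DENY to DROP, port placed after the protocol, -i or -o chosen by chain), plus a helper that emits the FORWARD rule an OUTPUT-only rule would miss. The ipchains rule grammar it accepts (-A chain, -p, -s, -d addr [port], -i, -j) is my assumption and covers only that subset.

```python
# Added example, not from the original document: translate ipchains rules to
# iptables syntax, applying the differences the text describes. Assumed input
# grammar: ipchains -A <chain> [-p proto] [-s src] [-d dst [port]] [-i iface] -j <target>
import shlex

CHAINS = {"input": "INPUT", "forward": "FORWARD", "output": "OUTPUT"}
TARGETS = {"DENY": "DROP"}   # ipchains DENY silently dropped; iptables calls that DROP
# ipchains -i named the receiving interface on input and the sending interface on
# forward/output; iptables wants -i only on INPUT/FORWARD and -o on FORWARD/OUTPUT.
IFACE_FLAG = {"INPUT": "-i", "FORWARD": "-o", "OUTPUT": "-o"}

def translate(rule):
    """Return the iptables equivalent of one ipchains rule, or raise ValueError."""
    argv = shlex.split(rule)
    if argv[:1] == ["ipchains"]:
        argv = argv[1:]
    f, i = {}, 0                                   # parsed fields, cursor
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if val is None or val.startswith("-"):
            raise ValueError("option %s needs a value" % opt)
        if opt == "-A":
            f["chain"] = CHAINS[val.lower()]
        elif opt in ("-p", "-s", "-i"):
            f[opt] = val
        elif opt == "-d":                          # ipchains form: -d addr [port]
            f["-d"] = val
            if i + 2 < len(argv) and not argv[i + 2].startswith("-"):
                f["port"] = argv[i + 2]
                i += 1
        elif opt == "-j":
            f["target"] = TARGETS.get(val, val)
        else:
            raise ValueError("unsupported option: " + opt)
        i += 2
    if "chain" not in f or "target" not in f:
        raise ValueError("rule needs -A <chain> and -j <target>")
    if "port" in f and f.get("-p", "").lower() not in ("tcp", "udp"):
        raise ValueError("a port match must follow -p tcp or -p udp")
    out = ["iptables", "-A", f["chain"]]
    if "-p" in f:
        out += ["-p", f["-p"].lower()]             # protocol first, port after it
    for key in ("-s", "-d"):
        if key in f:
            out += [key, f[key]]
    if "port" in f:
        out += ["--dport", f["port"]]
    if "-i" in f:
        out += [IFACE_FLAG[f["chain"]], f["-i"]]   # direction flag follows the chain
    out += ["-j", f["target"]]
    return " ".join(out)

def block_site_rules(dst, port="80"):
    """Deny a site for this host (OUTPUT) and for clients it forwards for (FORWARD)."""
    return [translate("-A forward -p tcp -d %s %s -j DENY" % (dst, port)),
            translate("-A output -p tcp -d %s %s -j DENY" % (dst, port))]
```

The addresses used in the tests are documentation ranges, constructed for the example.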