On Tue, 19 Mar 2002, Kerry Miller wrote:

> We have 2 firewalls running on ipchains now. I'm not too great with
> ipchains yet and haven't even tried iptables, but since I already have
> working firewalls w/ ipchains, is there a way to use my current scripts with
> iptables? How much different is the syntax, or is there a way to import the
> ipchains scripts into iptables then save them? Or, is there a util that
> will convert them for me?
I'm not aware of any tools either, but I simply wrote an iptables version of what I wanted; the mechanics are not that dissimilar and the syntax isn't all that much different either. A good way to start is probably to just create a couple of simple rules from scratch, then save the results (using "iptables-save") to a file and edit that. Then "iptables-restore < file" will load the new rules and tell you if you have any errors (they're not terribly helpful error messages, but will tell you which line failed).

To get you started, your first two rules should be something like:

    # Generated by iptables-save v1.2.3 on Tue Feb 19 19:12:54 2002
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ...
    COMMIT
    # Completed on Tue Feb 19 19:12:54 2002

because they will a) make sure any local connections on the machine, such as local mail delivery, won't break; and b) ensure your current SSH session doesn't disappear when you load the new ruleset. I can't stress the latter enough; if you don't do this, with the best will in the world, you may eventually lock yourself out of the box. I have done it, my colleagues have done it ...

You need to make sure you don't have any ipchains rules in place when you start, which means:

On RH, do "service ipchains stop" followed by unloading the ipchains module(s), otherwise iptables won't load. On anything else, whatever it takes to remove all the current rules, followed by unloading ipchains from the kernel.

This will leave you unprotected, so at this point it's probably best to unplug the external network for a few minutes. Don't do this while you need that interface up ... so any documentation you happen to find you will have to save locally before you start :o)

Load the kernel module (modprobe ip_tables). This is actually taken care of by the iptables init script when you start the service up, but it won't hurt to load it explicitly now, and then you can experiment before you enable the service "properly" ... Load the "iptable_filter" module too, since that's usually the first one you'll need.

Now

    # iptables -t filter -A INPUT -i lo -j ACCEPT
    # iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Before you make any other changes, it's a good idea to do something along the lines of

    # at 'now + 3 minutes'
    > /sbin/service iptables stop
    > ^D (literal control-D)

so that if anything does go wrong, you'll be able to reconnect within a few minutes. Just in case.

Each time you have a configuration that's tested and working, save the current settings with

    # iptables-save > /etc/sysconfig/iptables

or more succinctly

    # service iptables save

> Tnx,
> Kerry
>
> Network Administrator
> Info-Power International, Inc.
> 3315 Silverstone
> Plano, TX 75023

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
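Added example, not part of the original post or of Red Hat's own tooling: a small POSIX sh script that generates the kind of iptables-restore file the reply describes, with the loopback and RELATED,ESTABLISHED accepts as the first two INPUT rules, plus a check that refuses a ruleset in which those two "don't lock yourself out" rules are missing or are not first. The port list, the function names and the file layout are assumptions for illustration; the script needs only sh and awk, so it can be run and tested on a box that does not have iptables installed.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a minimal
# iptables-restore ruleset and sanity-checks it before it is loaded.

# gen_ruleset PORT...  -> prints an iptables-restore file on stdout.
# PORTs (assumed example input) are TCP ports to open for NEW connections.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback first, so local mail delivery and other local services keep working
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # then established/related, so the SSH session that loads this survives
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ruleset [FILE]  -> exit 0 if, in the filter table, the loopback accept
# and the RELATED,ESTABLISHED accept are the first two INPUT rules; otherwise
# prints the reason and exits 1. Reads stdin when no FILE is given.
check_ruleset() {
    awk '
        /^\*/                 { table = substr($0, 2); next }   # "*filter" etc.
        /^COMMIT/             { table = ""; next }
        /^#/ || /^:/ || /^$/  { next }                          # comments, chain policies, blanks
        table == "filter" && $1 == "-A" && $2 == "INPUT" {
            n++
            if ($0 ~ /-i lo -j ACCEPT/)                       { lo  = n }
            if ($0 ~ /--state RELATED,ESTABLISHED -j ACCEPT/) { est = n }
        }
        END {
            if (!lo)  { print "missing: -A INPUT -i lo -j ACCEPT"; exit 1 }
            if (!est) { print "missing: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"; exit 1 }
            if (lo > 2 || est > 2) { print "safety rules are not the first two INPUT rules"; exit 1 }
            exit 0
        }
    ' "${1:--}"
}
```

A natural way to use it on the firewall itself is to write the generated file somewhere, run check_ruleset on it, and only then hand it to iptables-restore (and keep the "at 'now + 3 minutes'" fallback from the reply in place regardless, since the check catches ordering mistakes, not a typo in a port number).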