There are many GUI programs on freshmeat.net that can help you configure
iptables; check them out.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bill Crawford
Sent: Tuesday, March 19, 2002 5:43 PM
To: [EMAIL PROTECTED]
Subject: Re: Ipchains vs Iptables question


On Tue, 19 Mar 2002, Kerry Miller wrote:

> We have 2 firewalls running on ipchains now.  I'm not too great with
> ipchains yet and haven't even tried iptables, but since I already have
> working firewalls w/ ipchains, is there a way to use my current scripts with
> iptables?  How much different is the syntax, or is there a way to import the
> ipchains scripts into iptables then save them?  Or, is there a util that
> will convert them for me?

 I'm not aware of any tools either, but I simply wrote an iptables
version of what I wanted; the mechanics are not that dissimilar and
the syntax isn't all that much different either.

 A good way to start is probably to just create a couple of simple
rules from scratch, then save the results (using "iptables-save") to
a file and edit that.  Then "iptables-restore < file" will load the
new rules and tell you if you have any errors (they're not terribly
helpful error messages, but will tell you which line failed).

 To get you started, your first two rules should be something like:

        # Generated by iptables-save v1.2.3 on Tue Feb 19 19:12:54 2002
        *filter
        :INPUT DROP [0:0]
        :FORWARD DROP [0:0]
        :OUTPUT ACCEPT [0:0]
        -A INPUT -i lo -j ACCEPT
        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        ...
        COMMIT
        # Completed on Tue Feb 19 19:12:54 2002

because they will a) make sure any local connections on the machine,
such as local mail delivery, won't break; and b) ensure your current
SSH session doesn't disappear when you load the new ruleset.  I can't
stress the latter enough; if you don't do this, with the best will in
the world, you may eventually lock yourself out of the box.  I have
done it, my colleagues have done it ...

 You need to make sure you don't have any ipchains rules in place
when you start, which means:

        On RH, do "service ipchains stop" followed by unloading the
        ipchains module(s), otherwise iptables won't load.

        On anything else, whatever it takes to remove all the current
        rules, followed by unloading ipchains from the kernel.

 This will leave you unprotected, so at this point it's probably best
to unplug the external network for a few minutes.  Don't do this while
you need that interface up ... so any documentation you happen to find
you will have to save locally before you start :o)

 Load the kernel module (modprobe ip_tables).  This is actually taken
care of by the iptables init script when you start the service up, but
it won't hurt to load it explicitly now, and then you can experiment
before you enable the service "properly" ...

 Load the "iptable_filter" module too, since that's usually the first
one you'll need.

 Now

        # iptables -t filter -A INPUT -i lo -j ACCEPT
        # iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

 Before you make any other changes, it's a good idea to do something
along the lines of

        # at 'now + 3 minutes'
        > /sbin/service iptables stop
        > ^D (literal control-D)

so that if anything does go wrong, you'll be able to reconnect within
a few minutes.  Just in case.

 Each time you have a configuration that's tested and working, save
the current settings with

        # iptables-save > /etc/sysconfig/iptables

or more succinctly

        # service iptables save

> Tnx,
> Kerry
>
> Network Administrator
> Info-Power International, Inc.
> 3315 Silverstone
> Plano, TX  75023




_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
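As an added example (not code from the thread), a small checker for a file in iptables-save format: it confirms that the two lockout-prevention rules recommended above (loopback ACCEPT and RELATED,ESTABLISHED ACCEPT) are the first two INPUT rules, that INPUT's policy is DROP, and that every table ends with COMMIT. These are omissions iptables-restore accepts silently, since the file is syntactically valid. The ruleset it checks is a constructed sample.

```python
"""Lint an iptables-save/iptables-restore ruleset before loading it."""
import re

# Constructed sample in iptables-save format (not captured from a real host).
SAMPLE_RULESET = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, line)], "committed": bool}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        if line.startswith("*"):          # "*filter": start of a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": [], "committed": False}
            continue
        if table is None:
            raise ValueError(f"line before any *table declaration: {line}")
        if line.startswith(":"):          # ":INPUT DROP [0:0]": chain + policy
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line == "COMMIT":
            tables[table]["committed"] = True
        elif line.startswith("-A "):      # "-A CHAIN ...": an appended rule
            tables[table]["rules"].append((line.split()[1], line))
    return tables


def check_ruleset(text):
    """Return a list of problems found; an empty list means the ruleset passes."""
    tables = parse_ruleset(text)
    problems = [f"table {n}: missing COMMIT" for n, t in tables.items() if not t["committed"]]
    filt = tables.get("filter")
    if filt is None:
        return problems + ["no *filter table"]
    first_two = [r for c, r in filt["rules"] if c == "INPUT"][:2]
    if not any("-i lo" in r and "-j ACCEPT" in r for r in first_two):
        problems.append("INPUT: loopback ACCEPT is not among the first two rules")
    if not any(re.search(r"--state \S*ESTABLISHED", r) and "-j ACCEPT" in r for r in first_two):
        problems.append("INPUT: RELATED,ESTABLISHED ACCEPT is not among the first two rules")
    if filt["policies"].get("INPUT") != "DROP":
        problems.append("INPUT policy is not DROP")
    return problems
```

Run it against the file you are about to feed to iptables-restore; if it reports anything, fix the file before the `at` job's deadline expires.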
