Thanks for the help, guys. I'll check it out. A friend recommended Firestarter but I didn't know they had it for iptables. I'll use that to get me started, I'd rather edit the files by hand but it might be a good way to get the initial file set up. I'm building a second box on RH7.2 to replace an old RH 6.0 box we're using so I won't have to take everybody down to do it.
Tnx,
Kerry

----- Original Message -----
From: "Brian" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, March 19, 2002 10:38 PM
Subject: RE: Ipchains vs Iptables question

> There are many GUI programs under freshmeat.net that can help you configure
> iptables, check it out.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Crawford
> Sent: Tuesday, March 19, 2002 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Ipchains vs Iptables question
>
>
> On Tue, 19 Mar 2002, Kerry Miller wrote:
>
> > We have 2 firewalls running on ipchains now. I'm not too great with
> > ipchains yet and haven't even tried iptables, but since I already have
> > working firewalls w/ ipchains, is there a way to use my current scripts with
> > iptables? How much different is the syntax, or is there a way to import the
> > ipchains scripts into iptables then save them? Or, is there a util that
> > will convert them for me?
>
> I'm not aware of any tools either, but I simply wrote an iptables
> version of what I wanted; the mechanics are not that dissimilar and
> the syntax isn't all that much different either.
>
> A good way to start is probably to just create a couple of simple
> rules from scratch, then save the results (using "iptables-save") to
> a file and edit that. Then "iptables-restore < file" will load the
> new rules and tell you if you have any errors (they're not terribly
> helpful error messages, but will tell you which line failed).
>
> To get you started, your first two rules should be something like:
>
> # Generated by iptables-save v1.2.3 on Tue Feb 19 19:12:54 2002
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> ...
> COMMIT
> # Completed on Tue Feb 19 19:12:54 2002
>
> because they will a) make sure any local connections on the machine,
> such as local mail delivery, won't break; and b) ensure your current
> SSH session doesn't disappear when you load the new ruleset. I can't
> stress the latter enough; if you don't do this, with the best will in
> the world, you may eventually lock yourself out of the box. I have
> done it, my colleagues have done it ...
>
> You need to make sure you don't have any ipchains rules in place
> when you start, which means:
>
> On RH, do "service ipchains stop" followed by unloading the
> ipchains module(s), otherwise iptables won't load.
>
> On anything else, whatever it takes to remove all the current
> rules, followed by unloading ipchains from the kernel.
>
> This will leave you unprotected, so at this point it's probably best
> to unplug the external network for a few minutes. Don't do this while
> you need that interface up ... so any documentation you happen to find
> you will have to save locally before you start :o)
>
> Load the kernel module (modprobe ip_tables). This is actually taken
> care of by the iptables init script when you start the service up, but
> it won't hurt to load it explicitly now, and then you can experiment
> before you enable the service "properly" ...
>
> Load the "iptable_filter" module too, since that's usually the first
> one you'll need.
>
> Now
>
> # iptables -t filter -A INPUT -i lo -j ACCEPT
> # iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Before you make any other changes, it's a good idea to do something
> along the lines of
>
> # at 'now + 3 minutes'
> /sbin/service iptables stop
> ^D (literal control-D)
>
> so that if anything does go wrong, you'll be able to reconnect within
> a few minutes. Just in case.
>
> Each time you have a configuration that's tested and working, save
> the current settings with
>
> # iptables-save > /etc/sysconfig/iptables
>
> or more succinctly
>
> # service iptables save
>
> > Tnx,
> > Kerry
> >
> > Network Administrator
> > Info-Power International, Inc.
> > 3315 Silverstone
> > Plano, TX 75023
>
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
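As an added example (not code from the thread, and not Bill's or Kerry's), here is the cut-over procedure from the message above pulled together into one POSIX shell script for a Red Hat style host that has the iptables init script and at(1) available. Two things in it are my assumptions rather than anything the thread states: SSH listens on TCP 22, and the admin host you are connecting from is 192.0.2.10 (a documentation address; substitute your own). Beyond the two rules quoted above it adds an explicit ACCEPT for new SSH connections from that admin host, because under a DROP policy the RELATED,ESTABLISHED rule keeps the session you already have open but drops any new one, and it cancels the at(1) safety net once a fresh login has been confirmed, since otherwise the job will stop the firewall three minutes later whether you needed it or not.

```shell
#!/bin/sh
# Added example, not from the thread: consolidated ipchains -> iptables
# cut-over for a Red Hat style box (iptables init script + at daemon).
# Assumptions (substitute your own): SSH on TCP 22, admin host 192.0.2.10.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"              # assumption: where your ssh comes from
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Emit a minimal iptables-restore ruleset. INPUT and FORWARD default to DROP,
# so anything not explicitly allowed is dropped. The first two rules are the
# ones from the thread (loopback, and the session you are already in); the
# third lets the admin host open NEW ssh sessions, which the state rule alone
# does not cover.
gen_ruleset() {
    port="$1"; admin="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $admin -p tcp --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity-check a ruleset before loading it: INPUT policy must be DROP, the
# loopback rule must be the first -A INPUT rule, the state rule must follow
# it, and the table must be committed. Returns 0 when all of that holds.
check_ruleset() {
    printf '%s\n' "$1" | awk '
        /^:INPUT DROP/                          { drop = 1 }
        /^-A INPUT -i lo -j ACCEPT/             { lo = NR }
        /--state RELATED,ESTABLISHED -j ACCEPT/ { st = NR }
        /^-A INPUT/ && !lo                      { early = 1 }
        /^COMMIT$/                              { commit = 1 }
        END { exit !(drop && lo && st && commit && !early && lo < st) }'
}

# Live cut-over: schedule the safety net first, load the rules, then wait for
# the operator to confirm that a brand-new ssh connection works. Only then is
# the at job removed and the ruleset saved. If the operator is locked out, the
# job runs "service iptables stop" after 3 minutes, which on Red Hat's init
# script flushes the rules and resets the policies to ACCEPT.
apply_ruleset() {
    rules=$(gen_ruleset "$SSH_PORT" "$ADMIN_IP")
    check_ruleset "$rules" || { echo "ruleset failed sanity check" >&2; return 1; }
    # at(1) reports "job N at <date>" on stderr; keep N so we can atrm it later.
    job=$(echo '/sbin/service iptables stop' | at now + 3 minutes 2>&1 | awk '/^job/ { print $2 }')
    printf '%s\n' "$rules" | iptables-restore || return 1
    echo "Rules loaded. Open a NEW ssh session to this host now."
    printf 'Did it work? Type yes to keep the rules: '
    read answer
    if [ "$answer" = yes ]; then
        [ -n "$job" ] && atrm "$job"            # cancel the safety net
        iptables-save > "$RULES_FILE"           # same effect as: service iptables save
        echo "Saved to $RULES_FILE"
    else
        echo "Leaving the at job in place; firewall stops in 3 minutes." >&2
    fi
}

# Touch the live firewall only when asked, so the functions above can be
# sourced or tested without side effects.
if [ "${IPT_APPLY:-0}" = 1 ]; then
    apply_ruleset
fi
```

Run it as root with IPT_APPLY=1 to do the cut-over; without that variable it only defines the functions, so gen_ruleset and check_ruleset can be exercised safely on any box. The shell-level check is not a substitute for iptables-restore's own parse errors; it only catches the ordering mistake the thread warns about, a rule that ends up ahead of the loopback and state rules.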