Ipchains is very similar to iptables syntax-wise; here are a few links you can look at. You can go to freshmeat.net, where there are many GUI and text-based tools to help you. Just remember to
turn off ipchains…
http://www.fwbuilder.org/
http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-tutorial.html
http://www.linuxguruz.org/iptables/
http://www.oofle.com/iptables/index.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On
Behalf Of Vasiliy Boulytchev
Sent: Sunday, April 21, 2002 2:52 PM
To: [EMAIL PROTECTED]
Cc: Vasiliy Boulytchev
Subject: ipchains to iptables
Ladies
and Gents,
Would someone be kind enough to help me with my problem? I have to manage
several firewalls. Are there any quick tools online to automatically
convert ipchains rules to iptables? I doubt it, but I might as well ask.
I'm pretty sure there's software out there that learns your network
connections; I forget what it's called. I've included my ipchains rules so
you can see why it's a pain transferring them all.
If someone is willing to help me out switching these, that would be great.
Thanks for your
help,
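#!/bin/sh
# ipchains firewall / masquerading script (Linux 2.2-era: ipchains + ipmasqadm).
#
# Order of operations: load the IP MASQ helper modules, flush the existing
# rules and port-forwarding table, harden kernel networking sysctls, set up
# port forwarding, then build the input/forward/output chains and save them.
# Must run as root. eth0 is the WAN side; the commented-out "-i eth1" rules
# below suggest eth1 is the LAN side (not verified here).
#
# NOTE(review): no default policy is set (no "-P input DENY"). The box is
# closed only by the catch-all DENY rules appended at the very end of
# build_input_rules. If the script aborts before those are added, the input
# chain keeps its default policy with only the specific ACCEPTs in place, so
# watch the output of this script for errors.

set -u   # an unset variable in a firewall script is a typo; abort on it

# Addresses used throughout. Keep every rule referring to these, never to
# literal addresses, so a move is a one-line change.
wanip=216.85.34.43
lanip=10.0.0.8
server3=10.0.0.3
server2=10.0.0.2
server1=10.0.0.1
dnsserver=216.85.34.45

# Location of ipchains; every rule goes through this variable.
IPCHAINS="/sbin/ipchains"
readonly IPCHAINS

#######################################
# Load the IP MASQ helper modules.
# NOTE: only load the modules you actually need; the optional ones are
# listed but left commented out.
#######################################
load_masq_modules() {
  # Needed to initially load modules
  /sbin/depmod -a
  # Proper masquerading of FTP file transfers using the PORT method
  /sbin/modprobe ip_masq_ftp
  # RealAudio over UDP. Without this module RealAudio still works, but in
  # TCP mode, which can reduce sound quality.
  #/sbin/modprobe ip_masq_raudio
  # IRC DCC file transfers
  #/sbin/modprobe ip_masq_irc
}

#######################################
# Remove every existing rule, user chain and port-forwarding entry so the
# ruleset built below is the only one in effect.
#######################################
flush_rules() {
  printf 'Flushing all rulesets..'
  # delete all user-defined chains
  "$IPCHAINS" -X
  printf '.'
  # flush all built-in chains
  "$IPCHAINS" -F
  printf '.'
  # clear port-forwarding entries
  ipmasqadm portfw -f
  printf '.'
  printf 'Done!\n'
}

#######################################
# Kernel-level protections via /proc/sys/net/ipv4.
#######################################
harden_kernel() {
  # IP spoof protection: reverse-path filtering on every interface.
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
  fi
  # SYN flood protection
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  fi
  # Ignore ALL ICMP echo requests (left disabled: the ICMP ACCEPT rules
  # below deliberately let pings through)
  #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  # Do not accept ICMP redirects
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
  done
  # Drop source-routed packets (disabled in the original ruleset; worth
  # enabling — source routing has no legitimate use on a border firewall)
  #for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  #  echo 0 > "$f"
  #done
  # Reassemble fragments before the chains see them
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag
  # Ignore ICMP echo to broadcast addresses
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Ignore bogus ICMP error responses
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  printf 'Done!\n'
}

#######################################
# Enable forwarding and publish the internal servers on the WAN address.
#######################################
setup_port_forwarding() {
  # Forwarding must be on for both MASQ and portfw
  echo 1 > /proc/sys/net/ipv4/ip_forward
  ipmasqadm portfw -a -P tcp -L "$wanip" 1494 -R "$server2" 1494
  ipmasqadm portfw -a -P tcp -L "$wanip" 1450 -R "$server2" 1450
  ipmasqadm portfw -a -P tcp -L "$wanip" 1495 -R "$server3" 1494
  ipmasqadm portfw -a -P tcp -L "$wanip" 25   -R "$server1" 25
  ipmasqadm portfw -a -P tcp -L "$wanip" 3389 -R "$server2" 3389
}

#######################################
# Non-routable source addresses must never arrive on the WAN interface.
# Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Matches are
# logged (-l).
#######################################
block_spoofed_sources() {
  printf 'Illegal IPs..'
  # 10.0.0.0/8 is left out in the original, presumably because the LAN itself
  # lives there (see lanip). The rule is restricted to eth0, so re-enabling it
  # would not touch LAN traffic on the internal interface.
  # "$IPCHAINS" -l -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j DENY
  "$IPCHAINS" -l -A input -i eth0 -s 172.16.0.0/12  -d 0/0 -j DENY
  "$IPCHAINS" -l -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j DENY
  # The original had "-i etho" (typo) here, so loopback-sourced packets on
  # the WAN interface were never caught by this rule.
  "$IPCHAINS" -l -A input -i eth0 -s 127.0.0.0/8    -d 0/0 -j DENY
  printf '.'
  printf 'Done!\n'
}

#######################################
# Per-service ACCEPT rules on the input chain, the forward/MASQ rule, and
# the closing catch-all DENYs. Rule order matters: first match wins.
#######################################
build_input_rules() {
  # FTP. NOTE(review): despite the original "Outgoing FTP" comment, these
  # accept inbound connections to ports 20/21 on the firewall itself; replies
  # for outgoing FTP land on 1024: and are covered by the high-port rules
  # further down. FTP does not use UDP, so the udp lines match nothing useful.
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$wanip" 20 -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$wanip" 20 -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$wanip" 21 -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$wanip" 21 -j ACCEPT
  #"$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$lanip" 20 -i eth1 -j ACCEPT
  #"$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$lanip" 20 -i eth1 -j ACCEPT
  #"$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$lanip" 21 -i eth1 -j ACCEPT
  #"$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$lanip" 21 -i eth1 -j ACCEPT

  # SMTP sending, and logcheck e-mailing its reports. The "smtp -> 1024:"
  # lines are stateless reply rules: anything sent from source port 25
  # reaches the unprivileged ports of this box. "! -y" (non-SYN only) would
  # narrow them to established-connection traffic.
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 smtp -d "$wanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$wanip" 25 -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 smtp -d "$lanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$lanip" 25 -j ACCEPT

  # Ports left open on purpose so portsentry has something to catch probes on
  "$IPCHAINS" -A input -p TCP -s 0.0.0.0/0 -d "$wanip" 1   -j ACCEPT
  "$IPCHAINS" -A input -p TCP -s 0.0.0.0/0 -d "$wanip" 23  -j ACCEPT
  "$IPCHAINS" -A input -p TCP -s 0.0.0.0/0 -d "$wanip" 43  -j ACCEPT
  "$IPCHAINS" -A input -p TCP -s 0.0.0.0/0 -d "$wanip" 79  -j ACCEPT
  "$IPCHAINS" -A input -p TCP -s 0.0.0.0/0 -d "$wanip" 139 -j ACCEPT
  "$IPCHAINS" -A input -p TCP -s 0.0.0.0/0 -d "$wanip" 389 -j ACCEPT
  "$IPCHAINS" -A input -p TCP -s 0.0.0.0/0 -d "$wanip" 556 -j ACCEPT
  "$IPCHAINS" -A input -p UDP -s 0.0.0.0/0 -d "$wanip" 139 -j ACCEPT
  "$IPCHAINS" -A input -p UDP -s 0.0.0.0/0 -d "$wanip" 389 -j ACCEPT

  # DNS. NOTE(review): the "0.0.0.0/0 -> 1024:" lines accept ANY tcp/udp to
  # unprivileged ports on both addresses, not just DNS replies; together with
  # the logging catch-all at the end they are the widest opening in this
  # ruleset. The later "Deny MSN" input rules and the final DENY never see
  # high-port traffic because these match first.
  "$IPCHAINS" -A input -p tcp -s "$dnsserver" domain -d "$wanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$wanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$wanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$wanip" domain -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$wanip" domain -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s "$dnsserver" domain -d "$lanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$lanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$lanip" 1024: -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$lanip" domain -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$lanip" domain -j ACCEPT

  # Incoming ICMP (all types)
  "$IPCHAINS" -A input -p icmp -s 0.0.0.0/0 -d "$wanip" -j ACCEPT
  "$IPCHAINS" -A input -p icmp -s 0.0.0.0/0 -d "$lanip" -j ACCEPT

  # SSH from anywhere (ssh is TCP-only; the udp lines are kept from the
  # original and open nothing that a real service listens on)
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$wanip" ssh -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$wanip" ssh -j ACCEPT
  "$IPCHAINS" -A input -p tcp -s 0.0.0.0/0 -d "$lanip" ssh -j ACCEPT
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -d "$lanip" ssh -j ACCEPT

  # BB (monitoring) from the DNS host, source port 1984
  "$IPCHAINS" -A input -p tcp -s "$dnsserver" 1984 -d "$wanip" -j ACCEPT

  # Deny MSN Gaming Zone. The original used "207.46.172.0/0" and
  # "207.46.173.0/0" on the input rules; a /0 mask matches EVERY source
  # address, so those four rules denied all remaining tcp/udp to $wanip
  # (unlogged) rather than the two netblocks. /24 is what the matching
  # output rules below already use.
  "$IPCHAINS" -A input -p tcp -s 207.46.172.0/24 -d "$wanip" -j DENY
  "$IPCHAINS" -A input -p tcp -s 207.46.173.0/24 -d "$wanip" -j DENY
  "$IPCHAINS" -A input -p udp -s 207.46.172.0/24 -d "$wanip" -j DENY
  "$IPCHAINS" -A input -p udp -s 207.46.173.0/24 -d "$wanip" -j DENY
  "$IPCHAINS" -A input -p tcp -s 207.46.172.62 -d "$wanip" -j DENY
  "$IPCHAINS" -A input -p tcp -s 207.46.173.62 -d "$wanip" -j DENY
  "$IPCHAINS" -A input -p udp -s 207.46.172.62 -d "$wanip" -j DENY
  "$IPCHAINS" -A input -p udp -s 207.46.173.62 -d "$wanip" -j DENY
  "$IPCHAINS" -A output -p tcp -d 207.46.172.0/24 -j DENY
  "$IPCHAINS" -A output -p tcp -d 207.46.173.0/24 -j DENY
  "$IPCHAINS" -A output -p udp -d 207.46.172.0/24 -j DENY
  "$IPCHAINS" -A output -p udp -d 207.46.173.0/24 -j DENY

  # Masquerade everything forwarded out through the external interface
  "$IPCHAINS" -A forward -p all -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth0 -j MASQ

  # Catch-all: deny everything else arriving on eth0. UDP is dropped
  # silently; all other protocols are logged (-l). These two rules are what
  # actually close the firewall, since no default policy is set.
  "$IPCHAINS" -A input -p udp -s 0.0.0.0/0 -i eth0 -j DENY
  "$IPCHAINS" -A input -s 0.0.0.0/0 -i eth0 -j DENY -l
}

#######################################
# Persist the ruleset so the init script restores it at boot.
#######################################
save_rules() {
  /etc/rc.d/init.d/ipchains save
}

main() {
  load_masq_modules
  flush_rules
  harden_kernel
  setup_port_forwarding
  block_spoofed_sources
  build_input_rules
  save_rules
}

main "$@"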