Link to home
Start Free TrialLog in
Avatar of BrianGEFF719
BrianGEFF719Flag for United States of America

asked on

IPChains rules -> IPTables rules

I have the following ipchains rules saved using ipchains-save, I need to make it so I can import them using iptables-import on another box. When I try to import using iptables-import ipchains.save, where the following data is in ipchains.save it says error on line 1.




:input ACCEPT
:forward DENY
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT -l -y
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A output -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT -l -y


-Brian
Avatar of BrianGEFF719
BrianGEFF719
Flag of United States of America image

ASKER

output on restore to diff computer:

iptables-restore: line 1 failed
Avatar of troopern
troopern

it probably finds errors with this: ":input ACCPET"

Try removing the first three lines. Since they seem to have nothing to do with your chains.
probably iptables-import freaks out on the starting ":" in these three lines.
either remove them or use "#" instead of ":" for commenting out lines.
I tried that and It did not work.


-Brian
what I will do is translate the ipchains commands into iptables, and then use ipsave

1.A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT -l -y
becomes (as far as I know you can't use multiple target in one command)

iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 --syn -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 --syn -j LOG

2.-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
becomes

iptables -t nat -A POSTROUTING -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQUERADE

3. -A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ

iptables -t nat -A POSTROUTING -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQUERADE

4. -A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
5. -A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
6.-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
7.-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
8.-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
9.-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
(4-9 similar to 3 follow the same strategy)

10.-A output -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT -l -y
iptables -A OUTPUT -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 --syn -j LOG

then use iptables-save > iptables_save_file.txt to save the new rules.

I don't think it is that easy to write a script that does this automatically, but I think if you are going to convert a lot of such files, it might worth a try. Just try to look into the iptables and ipcahins man pages for comparision of the commands, tables and targets
ASKER CERTIFIED SOLUTION
Avatar of hhelmich
hhelmich

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial