Solved

IPChains rules -> IPTables rules

Posted on 2004-04-06
5
435 Views
Last Modified: 2008-01-09
I have the following ipchains rules saved using ipchains-save, I need to make it so I can import them using iptables-import on another box. When I try to import using iptables-import ipchains.save, where the following data is in ipchains.save it says error on line 1.




:input ACCEPT
:forward DENY
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT -l -y
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A output -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT -l -y


-Brian
0
Comment
Question by:BrianGEFF719
5 Comments
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 10771543
output on restore to diff computer:

iptables-restore: line 1 failed
0
 
LVL 7

Expert Comment

by:troopern
ID: 10772471
it probably finds errors with this: ":input ACCPET"

Try removing the first three lines. Since they seem to have nothing to do with your chains.
probably iptables-import freaks out on the starting ":" in these three lines.
either remove them or use "#" instead of ":" for commenting out lines.
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 10772484
I tried that and It did not work.


-Brian
0
 
LVL 4

Expert Comment

by:oumer
ID: 10772607
what I will do is translate the ipchains commands into iptables, and then use ipsave

1.A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT -l -y
becomes (as far as I know you can't use multiple target in one command)

iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 --syn -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 --syn -j LOG

2.-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
becomes

iptables -t nat -A POSTROUTING -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQUERADE

3. -A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ

iptables -t nat -A POSTROUTING -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQUERADE

4. -A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
5. -A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
6.-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 6 -j MASQ
7.-A forward -s 192.168.158.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -p 17 -j MASQ
8.-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
9.-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
(4-9 similar to 3 follow the same strategy)

10.-A output -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT -l -y
iptables -A OUTPUT -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.16/255.255.255.0 -d 0.0.0.0/0.0.0.0 --syn -j LOG

then use iptables-save > iptables_save_file.txt to save the new rules.

I don't think it is that easy to write a script that does this automatically, but I think if you are going to convert a lot of such files, it might worth a try. Just try to look into the iptables and ipcahins man pages for comparision of the commands, tables and targets
0
 
LVL 1

Accepted Solution

by:
hhelmich earned 500 total points
ID: 10790733
I agree with oumer, there is no easy translation between ipchains and iptables.  Also, you must turnoff ipchains before iptables will work.

service ipchains stop or /etc/init.d/ipchains stop
serivce iptables start or /etc/init.d/iptables start

or, distribution equivalent.

Also, you should update config using chkconfig.

chkconfig -level 345 ipchains off
chkconfig -level 345 iptables on

Hope that helps.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

In this tutorial I will explain how to make squid prevent malwares in five easy steps: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now