SourceFiles.org - Use the Source, Luke

ipchains2iptables, V0.5.0, is available for test. The tool takes an existing file of ipchains rules and writes a file of the equivalent iptables rules. If you already have an ipchains firewall, this lets you try out the new netfilter/iptables code without re-creating your firewall for it by hand.

The file is available at
ftp://slartibartfast.pa.net/pub/i2i/

It's just a single executable shell script. Sample run: cat ipchains_rulefile | ipchains2iptables >iptables_rulefile

If you're still using ipfwadm, try: cat ipfwadm_rulefile | ipfwadm2ipchains | ipchains2iptables >iptables_rulefile

"ipchains2iptables -h" provides this summary. Make sure you have all your local interfaces up before running. If they're not (perhaps you're running this on another system), do the following before running:

    # Every address the ipchains rules may use to mean "this host": what ifconfig
    # reports right now, plus any that are currently down (e.g. a PPP link) given as literals.
    LOCALIPS="`ifconfig | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'` another-local-ip ${ppp0ADDR}"
    export LOCALIPS

This is crucial; i2i must be able to identify all the ways you refer to a local IP in your ipchains file or it will incorrectly convert rules.

Known issues:
- i2i doesn't list all of the needed modules yet. Not a big deal; they're probably autoloaded anyway.
- I don't know how to convert -j REDIRECT; is there an iptables equivalent? My best read of the documentation is that there isn't.
- It's not clear whether -m (mark packet with number) is a removed feature or a "planned but currently unimplemented" feature. I'd love to put in a bid for the latter; Mason uses it to match up rules in a file with rules in a running firewall in the process of adding packet counts to the rule file.
- The ipchains "-o" (copy matching packets to the userspace device) is not converted. Should this be replaced by an additional "-j QUEUE" rule?
- While I've done my best to figure out all the conversions, it's not possible to be 100% sure of them and come up with a perfect replacement for each ipchains rule, as some information is missing. For example, ipchains rules only have the input interface on forwarding rules; iptables allows you to specify input and output interfaces. You should read over the output and especially look at the comments following "###" on each line.
- You may come up with multiple rules for a given packet. This is because ipchains' input, output, and forward rules for non-local packets all become forward rules in iptables. After the conversion, you may end up with almost identical triplets that can be pared down by hand.

I would sincerely appreciate feedback on whether this tool correctly converts your rules. I'd also appreciate it if someone could double check the logic I used in converting the ipchains srcip, destip, and chain to the iptables chain and interfaces (search for "Chain and interface conversion logic", a readable table, around line 620).
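The chain-and-interface decision the post asks readers to check, written out as an added Python example. This is not i2i's own code (the tool is a shell script) and does not reproduce its table; it implements the rule stated in the known-issues list: an ipchains input rule becomes iptables INPUT when the destination is a local IP, FORWARD when it is not, and both when the rule does not say; an output rule does the same on the source address with OUTPUT; a forward rule becomes FORWARD. That is exactly why LOCALIPS must be complete: an address missing from the list is classed as non-local and its rule lands in the wrong chain. The example carries an interface over as -i on INPUT and -o on OUTPUT, and for FORWARD leaves it as a "###" note for hand review rather than guessing a direction. The sample rule file and the 192.168.1.1 / 10.0.0.0/24 addresses are constructed for the example; only -A, -s, -d (with the positional port), -i, -p and -j are handled, and the targets ACCEPT, DENY and REJECT are mapped.

```python
"""Added example, not the ipchains2iptables script (a shell script): the chain
selection the announcement describes, which is why LOCALIPS must be complete."""
import ipaddress
import shlex

TARGETS = {"ACCEPT": "ACCEPT", "DENY": "DROP", "REJECT": "REJECT"}  # 1:1 targets

def parse_rule(line):
    """Split one 'ipchains -A chain ...' line; in ipchains an optional port
    follows the -s/-d address without a flag of its own."""
    toks, i = shlex.split(line), 0
    rule = {"chain": None, "src": None, "dst": None, "sport": None, "dport": None,
            "iface": None, "proto": None, "target": None}
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            key, i = ("src" if t == "-s" else "dst"), i + 1
            neg = toks[i] == "!"
            i += 1 if neg else 0
            rule[key] = ("0.0.0.0/0" if toks[i] == "0/0" else toks[i], neg)
            i += 1
            if i < len(toks) and not toks[i].startswith("-"):
                rule["sport" if key == "src" else "dport"] = toks[i]
                i += 1
        elif t in ("-A", "-i", "-p", "-j"):
            rule[{"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}[t]] = toks[i + 1]
            i += 2
        else:   # -l, -o, -m, ... are not handled here; the real tool flags them
            raise ValueError("option %s is not handled by this example" % t)
    return rule

def classify(spec, local_ips):
    """'any', 'local', 'remote' or 'mixed' (negated, or a range holding a local IP)."""
    if spec is None:
        return "any"
    text, negated = spec
    net = ipaddress.ip_network(text, strict=False)
    if net.prefixlen == 0:
        return "any"
    if negated:
        return "mixed"
    if not any(ipaddress.ip_address(ip) in net for ip in local_ips):
        return "remote"
    return "local" if net.num_addresses == 1 else "mixed"

def target_chains(rule, local_ips):
    """iptables chain(s) for one ipchains rule, each with a '###' review note.
    input asks whether the destination is us; output whether the source is us."""
    if rule["chain"].lower() == "forward":
        return [("FORWARD", "")]
    home = rule["chain"].upper()              # INPUT or OUTPUT
    kind = classify(rule["dst" if home == "INPUT" else "src"], local_ips)
    if kind in ("local", "remote"):
        return [(home if kind == "local" else "FORWARD", "")]
    note = "" if kind == "any" else "### range mixes local and non-local addresses"
    return [(home, note), ("FORWARD", note)]

def render(rule, chain, note):
    """One iptables line; open questions go after '###' as the tool's output does."""
    parts, notes = ["iptables", "-A", chain], [note] if note else []
    if rule["proto"]:
        parts += ["-p", rule["proto"]]
    for key, flag, port in (("src", "-s", "sport"), ("dst", "-d", "dport")):
        if rule[key]:
            parts += (["!"] if rule[key][1] else []) + [flag, rule[key][0]]
        if rule[port]:
            parts += ["--" + port, rule[port]]
    if rule["iface"] and chain in ("INPUT", "OUTPUT"):
        parts += ["-i" if chain == "INPUT" else "-o", rule["iface"]]
    elif rule["iface"]:   # iptables can name both ends; ipchains named only one
        notes.append("### interface %s: set -i/-o by hand" % rule["iface"])
    parts += ["-j", TARGETS.get(rule["target"], rule["target"])]
    if rule["target"] not in TARGETS:
        notes.append("### target %s not converted, check by hand" % rule["target"])
    return " ".join(parts + notes)

def convert(text, local_ips):
    """Whole ipchains file in, one iptables line per resulting rule out."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [render(r, c, n) for r in rules for c, n in target_chains(r, local_ips)]

def dedupe(lines):   # pares the exact repeats; near-identical ones are left for a human
    return list(dict.fromkeys(lines))

# Constructed sample (not from the post): host 192.168.1.1 that also routes 10.0.0.0/24.
SAMPLE_RULES = """
-A input   -p tcp -s 0/0 -d 192.168.1.1 22 -j ACCEPT
-A input   -p tcp -s 10.0.0.0/24 -d 0/0 80 -j ACCEPT
-A forward -p tcp -s 10.0.0.0/24 -d 0/0 80 -j ACCEPT
-A output  -p tcp -s 10.0.0.0/24 -d 0/0 80 -j ACCEPT
-A input   -i eth0 -p icmp -j DENY
-A forward -i eth1 -s 10.0.0.0/24 -j MASQ
"""
LOCALIPS = {"192.168.1.1", "127.0.0.1"}

if __name__ == "__main__":
    print("\n".join(dedupe(convert(SAMPLE_RULES, LOCALIPS))))
```

Running it on the sample shows the triplet problem from the known-issues list: the input, forward and output rules for the 10.0.0.0/24 web traffic all come out as the same FORWARD line, because the input rule's destination is unspecified and the output rule's source is not a local IP. Remove 192.168.1.1 from LOCALIPS and the ssh rule silently moves to FORWARD, which is the mis-conversion the post warns about.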

I expect to release this to freshmeat in a few weeks once I've got a little documentation and at least a README.


Copyright 2006 Sourcefiles.org All rights reserved.