Ladies and Gents,

    Would someone be kind enough to help me with my problem? I have to manage several firewalls. Are there any tools online that automatically convert ipchains rules to iptables? I doubt it, but I might as well ask. I'm fairly sure there is software out there that learns your network connections and builds rules from them, but I forget what it's called. I've included my ipchains rules so you can see why converting them all by hand is a pain.

    If someone is willing to help me switch these over, that would be great.

 

 

Thanks for your help,

 

 

# ---- Addresses used by the rules below ----
wanip="216.85.34.43"      # public address on the WAN interface (eth0)
lanip="10.0.0.8"          # this host's LAN-side address
server1="10.0.0.1"        # internal host that receives forwarded SMTP (25)
server2="10.0.0.2"        # internal host that receives 1494, 1450 and 3389
server3="10.0.0.3"        # internal host that receives WAN 1495 -> 1494
dnsserver="216.85.34.45"  # resolver whose replies are admitted; also the Big Brother source

 

# ---- IP MASQ helper modules ----
# Load only the helpers that are actually needed: each one inspects payload to
# masquerade the secondary connections of its protocol. (On iptables the
# counterparts are ip_conntrack_ftp/ip_nat_ftp and ip_conntrack_irc/ip_nat_irc.)

# Refresh the module dependency map so modprobe can resolve what it loads.
/sbin/depmod -a

# Active-mode (PORT) FTP from masqueraded LAN clients.
/sbin/modprobe ip_masq_ftp

# RealAudio over UDP. Without it RealAudio still works, but falls back to TCP
# and sound quality can suffer. Disabled.
#/sbin/modprobe ip_masq_raudio

# IRC DCC file transfers. Disabled.
#/sbin/modprobe ip_masq_irc



# Location of the ipchains binary used by the rules that follow.
IPCHAINS="/sbin/ipchains"

printf 'Flushing all rulesets..'

# Delete user-defined chains (-X), then every rule in the builtin chains (-F).
# From here until the final deny rules are appended, the builtin policy is what
# applies (ACCEPT unless set elsewhere - this script never sets `-P input DENY`),
# so a rule that fails to load later leaves the box open rather than closed.
$IPCHAINS -X
printf '.'
$IPCHAINS -F
printf '.'

# ipmasqadm port-forwarding entries live outside the chains; clear them too.
ipmasqadm portfw -f
printf '.'

printf 'Done!\n'
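#
# ------
# Kernel (/proc/sys) hardening. Every knob is written through set_sysctl, which
# skips knobs this kernel does not have instead of spraying "No such file"
# errors: the original guarded only rp_filter and tcp_syncookies, and
# ip_always_defrag in particular is a 2.2 knob that does not exist on the 2.4
# (iptables) kernels this script is about to be moved to.
#
# set_sysctl PATH VALUE - write VALUE to PATH when PATH exists; no-op otherwise.
set_sysctl() {
  if [ -e "$1" ]; then
    echo "$2" > "$1"
  fi
}

# IP spoof protection: reverse-path filtering on every interface.
for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
  set_sysctl "$knob" 1
done

# SYN flood protection.
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1

# Blocking ALL ICMP echo requests. Disabled (ICMP is accepted further down).
#set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_all 1

# Disable ICMP redirect acceptance: an on-link sender could otherwise rewrite
# this host's routes.
for knob in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  set_sysctl "$knob" 0
done

# Disable source-routed packets. Left disabled as in the original, but
# enabling it is the usual recommendation on a firewall: source routing lets
# the sender choose the path and bypass normal routing decisions.
#for knob in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#  set_sysctl "$knob" 0
#done

# Reassemble fragments before filtering so the rules see whole packets
# (2.2 kernels only; skipped automatically elsewhere).
set_sysctl /proc/sys/net/ipv4/ip_always_defrag 1

# Ignore echo requests sent to broadcast addresses (smurf amplification).
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# Ignore bogus ICMP error responses (keeps the logs clean).
set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
echo "Done!"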

## ------
## Port forwarding ----

# Forwarding to internal hosts needs routing enabled in the kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward

# WAN port -> internal server. ipmasqadm portfw takes no source address, so
# each of these is reachable from the whole Internet: 1494 (the Citrix ICA
# port), 1450, 3389 (RDP) and 25. If ICA/RDP only need to be reachable from
# known client networks, add input DENY rules for everything else, or after
# the move to iptables use
# `-t nat -A PREROUTING -s <net> -p tcp --dport N -j DNAT --to host:port`.
#
# forward_tcp WANPORT HOST HOSTPORT
forward_tcp() {
  ipmasqadm portfw -a -P tcp -L "$wanip" "$1" -R "$2" "$3"
}

forward_tcp 1494 "$server2" 1494
forward_tcp 1450 "$server2" 1450
forward_tcp 1495 "$server3" 1494
forward_tcp 25   "$server1" 25
forward_tcp 3389 "$server2" 3389


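## Illegal Private IPs ------
## Packets arriving on the WAN interface (eth0) with an RFC 1918 or loopback
## source address are spoofed or misrouted: deny and log (-l) them.
##   10.0.0.0/8     left commented as in the original - this is also the LAN
##                  range; confirm the upstream never legitimately sources
##                  10/8 on eth0 before enabling it
##   172.16.0.0/12
##   192.168.0.0/16
##   127.0.0.0/8
## Fix: the loopback rule was written with "-i etho" (typo), so it was never
## applied to eth0 and 127/8 sources were not dropped at all.
## iptables: one `-A INPUT -i eth0 -s NET -j LOG` plus `-j DROP` per net.

printf 'Illegal IPs..'

# $IPCHAINS -l -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j DENY
$IPCHAINS -l -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j DENY
$IPCHAINS -l -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j DENY
$IPCHAINS -l -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j DENY

printf '.'
printf 'Done!\n'
## ------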

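# FTP control (21) and data (20) ports on the WAN address. Despite the old
# "Outgoing FTP" comment these rules only matter if an FTP daemon listens on
# this host: outbound FTP from masqueraded LAN clients is handled by
# ip_masq_ftp, and this host's own outbound sessions by the 1024: reply rules.
# FTP is TCP only - the original udp/20 and udp/21 accepts matched nothing
# real and are gone. If no FTP daemon runs here, remove these two as well.
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$wanip" 20 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$wanip" 21 -j ACCEPT
# Same thing for the LAN address on eth1, disabled as in the original.
#/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d $lanip 20 -i eth1 -j ACCEPT
#/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d $lanip 21 -i eth1 -j ACCEPT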

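# Outbound mail (logcheck reports etc.): admit replies from remote SMTP
# servers, i.e. packets from source port 25 to our unprivileged ports.
# "! -y" (not a bare SYN) keeps this to replies; the original accepted any
# TCP from port 25 to any port >= 1024, so a remote host could reach
# arbitrary high-port services here just by binding source port 25.
# Inbound port 25 stays open for mail delivered to this host. Note that 25 is
# also port-forwarded to $server1 above - confirm which of the two is meant
# to answer on the WAN address.
/sbin/ipchains -A input -p tcp ! -y -s 0.0.0.0/0 smtp -d "$wanip" 1024: -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$wanip" 25 -j ACCEPT
/sbin/ipchains -A input -p tcp ! -y -s 0.0.0.0/0 smtp -d "$lanip" 1024: -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$lanip" 25 -j ACCEPT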

# Ports deliberately left open for portsentry to bind as tripwires
# (tcp 1, 23, 43, 79, 139, 389, 556; udp 139, 389). They are only decoys
# while portsentry actually holds them: if it is not running, or if
# Samba (139), an LDAP server (389) or telnet (23) listens on this host,
# these rules expose that service to the Internet. Verify with netstat
# that portsentry owns every one of these before relying on them.
for port in 1 23 43 79 139 389 556; do
  /sbin/ipchains -A input -p TCP -s 0.0.0.0/0 -d "$wanip" "$port" -j ACCEPT
done
for port in 139 389; do
  /sbin/ipchains -A input -p UDP -s 0.0.0.0/0 -d "$wanip" "$port" -j ACCEPT
done

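# Replies to connections initiated from here (this host's own clients and
# masqueraded LAN clients). ipchains has no connection tracking, so reply
# traffic has to be admitted by opening the unprivileged port range. The
# original rules did that for *any* TCP packet from anywhere, which also let
# the Internet open new connections to every service listening on a port
# >= 1024 on either address. "! -y" (not a bare SYN) limits the TCP rules to
# replies to connections we opened. UDP has no handshake, so udp 1024: stays
# open; narrow it to "$dnsserver" domain plus the MASQ port range if nothing
# else on this host talks UDP outbound. Caveat: active-mode FTP data
# connections from a remote server (source port 20) are new SYNs and now need
# their own rule if this host itself uses active FTP as a client.
# iptables replaces all of this with `-m state --state ESTABLISHED,RELATED`.
/sbin/ipchains -A input -p tcp -s "$dnsserver" domain -d "$wanip" 1024: -j ACCEPT
/sbin/ipchains -A input -p tcp ! -y -s 0.0.0.0/0 -d "$wanip" 1024: -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 -d "$wanip" 1024: -j ACCEPT
# Inbound DNS queries to this host - only needed if a nameserver runs here.
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$wanip" domain -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 -d "$wanip" domain -j ACCEPT
# Same set for the LAN address.
/sbin/ipchains -A input -p tcp -s "$dnsserver" domain -d "$lanip" 1024: -j ACCEPT
/sbin/ipchains -A input -p tcp ! -y -s 0.0.0.0/0 -d "$lanip" 1024: -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 -d "$lanip" 1024: -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$lanip" domain -j ACCEPT
/sbin/ipchains -A input -p udp -s 0.0.0.0/0 -d "$lanip" domain -j ACCEPT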

# Accept every ICMP type to both addresses (the echo-request and broadcast
# knobs above still apply). ipchains can match individual ICMP types
# (`ipchains -h icmp` lists them) if you want to admit only echo-reply,
# destination-unreachable and time-exceeded instead.
for addr in "$wanip" "$lanip"; do
  /sbin/ipchains -A input -p icmp -s 0.0.0.0/0 -d "$addr" -j ACCEPT
done

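# SSH from anywhere to both addresses. SSH is TCP only: the original udp/22
# accepts opened a port nothing listens on and are dropped. Consider
# restricting -s to the networks you administer from, and at minimum keep
# the daemon on key-based authentication if it must stay open to the world.
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$wanip" ssh -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0.0.0.0/0 -d "$lanip" ssh -j ACCEPT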



# Big Brother monitoring: TCP from the monitoring host (the same address as
# $dnsserver here) with source port 1984 to any port on the WAN address.
# For destination ports >= 1024 this overlaps the reply rules above; it only
# adds anything for connections to low ports, so confirm it is still needed.
/sbin/ipchains -A input -p tcp -s "$dnsserver" 1984 -d "$wanip" -j ACCEPT

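# Block the MSN Gaming Zone netblocks (207.46.172.0/24 and 207.46.173.0/24)
# in both directions. Fix: the original input rules used a /0 mask, which
# matches EVERY source address - so they silently denied all TCP and UDP to
# $wanip that was not accepted above, shadowed the host-specific .62 rules
# that followed, and kept those packets from ever reaching the logging
# catch-all at the end of the chain. With /24 the .62 hosts are covered, so
# the separate host rules are not needed.
for net in 207.46.172.0/24 207.46.173.0/24; do
  for proto in tcp udp; do
    /sbin/ipchains -A input -p "$proto" -s "$net" -d "$wanip" -j DENY
    /sbin/ipchains -A output -p "$proto" -d "$net" -j DENY
  done
done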

# Masquerade everything forwarded out the WAN interface. On the forward chain
# ipchains' -i is the *output* interface, so this matches LAN -> Internet.
# Source and destination default to any; narrowing -s to the LAN range
# (10.0.0.0/24 judging by the addresses above - confirm) would keep spoofed
# or misrouted sources from being NATed out under the public address.
# iptables: `-t nat -A POSTROUTING -o eth0 -j MASQUERADE`.
/sbin/ipchains -A forward -i eth0 -j MASQ

# Catch-all for the WAN interface: whatever was not accepted above is denied.
# UDP is dropped silently (too noisy to log); everything else is logged (-l)
# so scans show up in syslog. This covers eth0 only: no default policy is set
# anywhere in this script, so traffic on other interfaces that matched no
# rule falls through to the kernel's builtin policy (ACCEPT unless changed).
# `ipchains -P input DENY` would close that gap, but every LAN-side service on
# this host not listed above would then need an explicit accept.
# iptables: `-A INPUT -i eth0 -j LOG` followed by `-A INPUT -i eth0 -j DROP`.
/sbin/ipchains -A input -p udp -i eth0 -j DENY
/sbin/ipchains -A input -i eth0 -l -j DENY

# Persist the running chains through the distribution's init script so they
# come back at boot (on Red Hat-style systems this dumps to
# /etc/sysconfig/ipchains - confirm on yours). The ipmasqadm portfw entries,
# module loads and /proc settings are not chains and are not in that file,
# so this script itself must still run at boot.
ipchains_init="/etc/rc.d/init.d/ipchains"
"$ipchains_init" save

 
 
 
 
Vasiliy Boulytchev
