Hi all, I've been lurking around this list for some time now. Finally speaking up. We're setting up a lab to research a migration strategy from CP FW-1 4.1 to iptables... Any suggestions/comments/scripts would be greatly welcomed. Heck, I may even smell a HOWTO in this... ;)
Thanks,
Jim

James Miller, Network Administrator
Simutronics Corporation
www.play.net
636.946.4263 x113

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew G. Marsh
Sent: Tuesday, April 30, 2002 2:37 PM
To: Moti
Cc: netfilter
Subject: Re: A Script Syntax Question

On Mon, 29 Apr 2002, Moti wrote:

> Hi,
> I'm moving our checkpoint firewall (4.1) to iptables and linux.
> this alone is worth your comments ;-) ..
> we have a lot of objects and i was thinking of a way to put them all in a
> script.
> i was wondering if anyone uses external files and loops for objects.
> i think an example will be more efficient (my english sucks ..)
> i have a file called internal_networks ->
> cat internal_networks
>
> 192.168.0.0/24
> 192.168.1.0/24
> 192.168.2.0/24
> and so on
> and the script has a loop
>
> for net in `cat internal_networks` ; do
>     iptables -t nat -A POSTROUTING -o eth0 -s $net -j MASQUERADE
> done

Do it all the time. I have one main config file that lists "objects" - in some cases these objects are actual such as 192.168.1.0/24 and in some cases virtual as in "/etc/sysconfig/myinternalnets.conf". Then I have several function files that contain functions to do the various stuff.
FE:

log_firewall() {
    [ ${FWLOG} -eq 0 ] && return 0
    fwlog=0
    while [ $fwlog -lt $FWLOG_HIGH ]; do
        for INT in `eval echo -n '$FWLOG_INT'$fwlog` ; do
            for PROTO in `eval echo -n '$FWLOG_PROTO'$fwlog`; do
                for PORTS in `eval echo -n '$FWLOG_PORTS'${fwlog}'_'${PROTO}`; do
                    pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables -I \
                        acctfwd -i $INT -p $PROTO -s 0/0 -d 0/0 --dport $PORTS -j \
                        LOG --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
                        --log-tcp-options --log-ip-options --log-level debug
                    pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables \
                        -I acctin -p $PROTO -s 0/0 -d 0/0 --dport $PORTS -j LOG \
                        --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
                        --log-tcp-options --log-ip-options --log-level debug
                    pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables -I \
                        acctout -p $PROTO -s 0/0 -d 0/0 --dport $PORTS -j LOG \
                        --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
                        --log-tcp-options --log-ip-options --log-level debug
                done
            done
        done
        fwlog=$((fwlog+1))
    done
} &>/dev/null

Which does a triple loop over the variables FWLOG_INT, FWLOG_PROTO, and FWLOG_PORTS for each FWLOG_HIGH. These variables are coded in the firewall logging file as in:

# These define the packet logging for the interfaces. This is the standard
# logging through iptables.
FWLOG_HIGH=2
FWLOG_INT0=eth0
FWLOG_PROTO0="tcp udp"
FWLOG_PORTS0_tcp="0:21 23:79 81:1023"
FWLOG_PORTS0_udp="0:52 54:1023"
FWLOG_INT1=eth1
FWLOG_PROTO1="tcp udp"
FWLOG_PORTS1_tcp="0:21 23:79 81:1023"
FWLOG_PORTS1_udp="0:52 54:1023"

You get the picture...

> will that be a good idea? or would you recommend putting the vars in the
> script and looping it (e.g INTERNAL_NETS=`blah blah`)
> thanks
> Moti

You could probably write a simple parser for the objects.C and your *.W files that generates most of the netfilter actions for you. I considered this a while ago but decided it was too much work. But if you did write a parser converter from FW-1 -> NetFilter that would be cool.
--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: [EMAIL PROTECTED]
WWW: http://www.paktronix.com
--------------------------------------------------
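The two patterns discussed in the thread (Moti's object file of networks read in a loop, and Matthew's indexed FWLOG_* variables walked by a triple loop with eval) can be combined into one script that generates the rules through a small wrapper. The script below is an added example written for this page; it is not Matthew's, Paktronix's or Moti's code. The names run_ipt, gen_log_rules, count_log_rules, gen_masq_rules and the DRY_RUN switch are my own; the FWLOG_* values and the network list are constructed samples in the style of the message above, and the acctfwd chain is assumed to exist as it does in Matthew's setup. DRY_RUN defaults to 1 so the script prints the iptables commands it would run instead of changing the live ruleset, which is how you would review a generated ruleset before loading it on the lab box.

```shell
#!/bin/sh
# Added example: generate iptables rules from "object" data, printing them
# for review (DRY_RUN=1, the default) or executing them (DRY_RUN=0).

# Constructed sample config, same layout as the FWLOG_* variables above.
FWLOG_HIGH=2
FWLOG_INT0=eth0
FWLOG_PROTO0="tcp udp"
FWLOG_PORTS0_tcp="0:21 23:79 81:1023"
FWLOG_PORTS0_udp="0:52 54:1023"
FWLOG_INT1=eth1
FWLOG_PROTO1="tcp"
FWLOG_PORTS1_tcp="0:21"

# Constructed object file of internal networks, one per line; '#' comments
# and blank lines are allowed so the file can be annotated by hand.
OBJ_FILE=$(mktemp)
trap 'rm -f "$OBJ_FILE"' EXIT
cat > "$OBJ_FILE" <<'EOF'
# internal networks (constructed sample)
192.168.0.0/24
192.168.1.0/24

192.168.2.0/24
EOF

DRY_RUN=${DRY_RUN:-1}

# Wrapper around iptables: print the command in dry-run mode, else run it.
run_ipt() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# Walk FWLOG_INT<i>, FWLOG_PROTO<i> and FWLOG_PORTS<i>_<proto> with eval-based
# indirection and emit one LOG rule per (interface, protocol, port range).
gen_log_rules() {
    i=0
    while [ "$i" -lt "$FWLOG_HIGH" ]; do
        int=$(eval echo "\$FWLOG_INT$i")
        protos=$(eval echo "\$FWLOG_PROTO$i")
        for proto in $protos; do
            ports=$(eval echo "\$FWLOG_PORTS${i}_$proto")
            for p in $ports; do
                run_ipt -I acctfwd -i "$int" -p "$proto" --dport "$p" \
                    -j LOG --log-prefix "In-$int-Forward:" --log-level debug
            done
        done
        i=$((i+1))
    done
}

# Number of LOG rules the current config expands to; a quick sanity check
# that a config edit produced the expected number of rules.
count_log_rules() {
    gen_log_rules | wc -l | tr -d ' '
}

# Read the object file line by line (skipping comments and blank lines) and
# emit a MASQUERADE rule per network. MASQUERADE is only valid in the nat
# POSTROUTING chain, so that is where these rules go.
gen_masq_rules() {
    grep -v '^[[:space:]]*#' "$OBJ_FILE" | grep -v '^[[:space:]]*$' |
    while read -r net; do
        run_ipt -t nat -A POSTROUTING -o eth0 -s "$net" -j MASQUERADE
    done
}

# Stand-alone use: print the generated ruleset for review.
gen_log_rules
gen_masq_rules
```

Two details worth noting when adapting this: `-I` inserts at the top of the chain, so rules generated later in the loop end up above earlier ones, which matters if any of them are not plain LOG rules (use `-A` to keep config order), and reading the object file with `while read -r` rather than `for x in $(cat file)` keeps comments and blank lines from being turned into bogus network arguments.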
