Re: Equivalence between ipchains and iptables

On January 6, 2004 06:43 pm, Ricardo Mostalac wrote:
> Hello folks, a few weeks ago I changed my box from rh7.3
> to rh9. I have some problems with the firewall; before
> I had "ipchains" installed and now I work with
> "iptables".
>
> Can someone on the list help me with an equivalence?
>
> In "ipchains" I have these lines:
>
> ipchains -F forward
> ipchains -P forward DENY
> ipchains -A -i ppp0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ
> ipchains -A -l -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
>
> I'm trying to rewrite these rules in iptables but I cannot
> make them work.....
>
> How can I translate these rules from ipchains to
> iptables?
>
> =====
> Greetings from Mexico
>
> RAML

Hi Ricardo,
There are only a few big differences between the two as far as rules go. There 
is a section in the iptables man page on "COMPATIBILITY WITH IPCHAINS".

Main things:
 DENY has been changed to DROP
 you don't need to use INPUT or OUTPUT rules on a FORWARDed packet. 
 -i is in the interface and -o is out the interface
 Masquerading is done via a postrouting chain (example below)

My outbound masq chain is:
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $LAN_RANGE -j MASQUERADE
Then to allow all lan traffic out as a masq ip:
$IPTABLES -A FORWARD -i $LAN_IF -s $LAN_RANGE  -j ACCEPT

So you're looking at something like:
$IPTABLES -A POSTROUTING -t nat -o ppp0 -s 192.168.0.0/24  -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IF -s $LAN_RANGE  -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit -j LOG --log-prefix "NetF FORWARD CHAIN: "
$IPTABLES -A FORWARD -j DROP

That will allow all your lan machines to be forwarded through the firewall and 
out ppp0 as with IP masquerading. It allows all ongoing connections. Any 
other Forward Chain attempts would be logged and dropped (there would normally 
be a bunch more rules of course depending on what you're doing).

There are lots of added features so you should have a good look at the man 
page and also visit http://www.netfilter.org/

(I haven't looked at ipchains in quite a while but your rules listed above are 
missing the chain name so they look broken for ipchains as well, no?)
-- 
Pete Nesbitt, rhce
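As an added illustration of the translation described in this reply (this is not code from either poster), the script below mechanically rewrites the small ipchains subset used in this thread into iptables commands: chain names become upper-case, DENY becomes DROP, `-i` on the forward chain becomes `-o` (in ipchains the forward chain's `-i` is the outgoing interface), `-j MASQ` becomes a nat POSTROUTING MASQUERADE rule plus the FORWARD ACCEPT and ESTABLISHED,RELATED rules from the reply, and the `-l` log flag becomes a separate rate-limited LOG rule. The sample ruleset is constructed from the rules in the original question with the missing chain name filled in; the log prefix is borrowed from the reply, and a rule that omits the chain name is rejected rather than guessed at.

```python
"""Translate a small subset of ipchains syntax into equivalent iptables commands.

Added example; only the options that appear in this thread are supported
(-F, -P, -A, -i, -s, -d, -p, -l, -j). Anything else raises ValueError.
"""
import shlex

CHAIN_MAP = {"input": "INPUT", "output": "OUTPUT", "forward": "FORWARD"}
TARGET_MAP = {"DENY": "DROP", "ACCEPT": "ACCEPT", "REJECT": "REJECT"}
ANY = "0.0.0.0/0"  # wildcard address; iptables matches everything when -s/-d is omitted


def _chain(name):
    """Map an ipchains built-in chain to its iptables name."""
    if name.lower() not in CHAIN_MAP:
        raise ValueError("unknown or missing chain name: %r" % name)
    return CHAIN_MAP[name.lower()]


def translate_rule(line, log_prefix="NetF FORWARD CHAIN: "):
    """Translate one ipchains command line into a list of iptables command lines."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "ipchains":
        raise ValueError("not an ipchains command: %r" % line)
    cmd = tok[1]
    if cmd == "-F":
        return ["iptables -F %s" % _chain(tok[2])]
    if cmd == "-P":
        return ["iptables -P %s %s" % (_chain(tok[2]), TARGET_MAP[tok[3]])]
    if cmd != "-A":
        raise ValueError("unsupported command %r" % cmd)
    # '-A -i ppp0 ...' is missing its chain name, which is broken for ipchains too
    if len(tok) < 3 or tok[2].startswith("-"):
        raise ValueError("-A needs a chain name before the match options: %r" % line)
    chain = _chain(tok[2])

    match, target, log = [], None, False
    i = 3
    while i < len(tok):
        opt = tok[i]
        if opt == "-l":            # ipchains logs from the rule itself
            log, i = True, i + 1
        elif opt == "-j":
            target, i = tok[i + 1], i + 2
        elif opt in ("-s", "-d"):  # drop the 0.0.0.0/0 wildcard, keep real addresses
            if tok[i + 1] != ANY:
                match += [opt, tok[i + 1]]
            i += 2
        elif opt == "-i":
            # On the ipchains forward chain -i is the interface the packet leaves
            # by; iptables spells that -o. On INPUT/OUTPUT it stays -i.
            match += ["-o" if chain == "FORWARD" else "-i", tok[i + 1]]
            i += 2
        elif opt == "-p":
            match += ["-p", tok[i + 1]]
            i += 2
        else:
            raise ValueError("unsupported option %r in %r" % (opt, line))
    if target is None:
        raise ValueError("rule has no -j target: %r" % line)

    m = (" " + " ".join(match)) if match else ""
    out = []
    if log:  # iptables logs with a separate non-terminating LOG rule, rate limited
        out.append('iptables -A %s%s -m limit -j LOG --log-prefix "%s"' % (chain, m, log_prefix))
    if target == "MASQ":
        # Masquerading moved to the nat table; the forward chain still has to
        # accept the outbound packets and the tracked replies explicitly.
        out.append("iptables -t nat -A POSTROUTING%s -j MASQUERADE" % m)
        out.append("iptables -A %s%s -j ACCEPT" % (chain, m))
        out.append("iptables -A %s -m state --state ESTABLISHED,RELATED -j ACCEPT" % chain)
    else:
        out.append("iptables -A %s%s -j %s" % (chain, m, TARGET_MAP[target]))
    return out


def translate_ruleset(lines):
    """Translate a sequence of ipchains lines, skipping blanks and comments."""
    out = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            out.extend(translate_rule(line))
    return out


# Constructed sample: the rules from the question with the chain name filled in.
SAMPLE_IPCHAINS = """
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -i ppp0 -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ
ipchains -A forward -l -s 0.0.0.0/0 -d 0.0.0.0/0 -j REJECT
"""

if __name__ == "__main__":
    for rule in translate_ruleset(SAMPLE_IPCHAINS.splitlines()):
        print(rule)
```

Running it prints the seven iptables lines in the order they must be loaded; the ESTABLISHED,RELATED rule is emitted directly after the MASQUERADE pair so that it sits before the logging and REJECT rules, which is what makes return traffic work.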


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
