README.ipchains2iptables 3098 Sep 6 1999
README.ipfwadm2ipchains.html 3272 Nov 4 2001
dotfile-prep 2679 May 10 1999
dotfile-prep-0.1.0 2825 May 8 1999
dotfile-prep-0.1.1 2679 May 10 1999
favicon.ico 20 Aug 28 2005
filelist.html
index.html
internal-gopher-menu 29 Aug 28 2005
internal-gopher-unknown 32 Aug 28 2005
ipchains2iptables 38656 Sep 22 2004
ipchains2iptables.README 24 Aug 28 2005
ipchains2iptables.v0.5.0 38501 Sep 11 1999
ipchains2iptables.v0.5.1 38449 Sep 13 1999
ipchains2iptables.v0.6.0 38547 Nov 27 2000
ipchains2iptables.v0.6.1 38844 May 9 2002
ipchains2iptables.v0.6.2 38656 Sep 22 2004
ipfwadm2ipchains 9839 May 10 1999
ipfwadm2ipchains-0.5.0 10006 May 2 1999
ipfwadm2ipchains-0.5.1 10057 May 10 1999
ipfwadm2ipchains-0.5.2 9839 May 10 1999

README.ipchains2iptables

        ipchains2iptables, V0.5.0, is available for test.  The tool takes
an existing file of ipchains rules and creates a file of the equivalent
iptables rules.  If you already have an ipchains firewall, this lets you
try out the new netfilter/iptables code without having to re-create your
firewall for it.
        The file is available at
ftp://slartibartfast.pa.net/pub/i2i/

        It's just a single executable shell script.  Sample run:
cat ipchains_rulefile | ipchains2iptables >iptables_rulefile

        If you're still using ipfwadm, try:
cat ipfwadm_rulefile | ipfwadm2ipchains | ipchains2iptables >iptables_rulefile

"ipchains2iptables -h" provides this summary.  Make sure you have all
your local interfaces up before running.  If they're not (perhaps you're
running this on another system), do the following before running:

export LOCALIPS="`ifconfig | grep 'inet addr' | awk '{print $2}' | \
sed -e 's/.*://'` another-local-ip  \${ppp0ADDR}" ; export LOCALIPS

        This is crucial; i2i must be able to identify all the ways you
refer to a local IP in your ipchains file or it will incorrectly convert
rules.

        Known issues:
- i2i doesn't list all of the needed modules yet.  Not a big deal; they're
probably autoloaded anyway.
- I don't know how to convert -J REDIRECT; _is_ there an iptables
equivalent?  My best read on the documentation is that there isn't.
- It's not clear whether -m (mark packet with number) is a removed feature
or a "planned but currently unimplemented" feature.  I'd love to put in a
bid for the latter; Mason uses it to match up rules in a file with rules
in a running firewall in the process of adding packet counts to the rule
file.
- The ipchains "-o" (Copy matching packets to the userspace device) is not
converted.  Should this be replaced by an additional "-j QUEUE" rule?
- While I've done my best job to figure out all the conversions, it's not
possible to be 100% sure of these and come up with a perfect replacement
for the ipchains rule as some information is missing.  For example,
ipchains rules only have the input interface on forwarding rules; iptables
allows you to specify both input and output interfaces.  You should read
over the output and especially look at the comments following "###" on
each line.
- You may come up with multiple rules for a given packet.  This is because
ipchains' input, output, and forward rules for non-local packets all
become forward rules in iptables.  After the conversion, you may end up
with almost identical triplets that can be pared down by hand.


        I would sincerely appreciate feedback on whether this tool
correctly converts your rules.  I'd also appreciate it if someone could
double check the logic I used in converting the ipchains srcip, destip,
and chain to the iptables chain and interfaces (search for "Chain and
interface conversion logic", a readable table, around line 620).
        I expect to release this to freshmeat in a few weeks once I've got
a little documentation and at least a README.

	- William Stearns <wstearns@pobox.com>, 9/6/99

README.ipfwadm2ipchains.html

Main section

This is the ipfwadm2ipchains script, designed to convert ipfwadm rulesets into ipchains rulesets. Simply feed it your ipfwadm rules via stdin and it will print out the corresponding ipchains rules.

For example, here's our example ipfwadm firewall, stored in rust.examples:

#!/bin/bash
ipfwadm -F  -p deny
ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D 0.0.0.0/0

Process it with ipfwadm2ipchains, like so:

cat rust.examples | ipfwadm2ipchains >rust.ipchains

and you get the output file rust.ipchains:

#!/bin/bash
ipchains -P forward DENY
ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0
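The mapping behind that conversion, as an added Python example that is not the ipfwadm2ipchains script itself: it turns the rust.examples lines above into the rust.ipchains lines, and also covers -O, -W, -P and reject from the same Appendix A table. The address-to-interface table is constructed for the example (ipfwadm -V names an interface by address, ipchains -i by name); the real script presumably reads the host's interfaces, which is why such a converter is best run on the firewall itself.

```python
import shlex
# ipfwadm rule categories -> ipchains built-in chains
CHAINS = {"-I": "input", "-O": "output", "-F": "forward"}
# ipfwadm policy words -> ipchains targets (the Appendix A mapping)
TARGETS = {"accept": "ACCEPT", "deny": "DENY", "reject": "REJECT", "m": "MASQ"}
# ipfwadm -V names an interface by address, ipchains -i by name, so the
# converter needs the host's address table; constructed here for the example.
LOCAL_IFACES = {"10.1.2.1": "eth0"}

def convert_rule(line):
    """Translate one ipfwadm command line into the equivalent ipchains line.
    Blank lines, comments and anything that is not an ipfwadm call pass
    through unchanged, so a whole rule file can be fed in line by line."""
    argv = shlex.split(line)
    if not argv or argv[0] != "ipfwadm":
        return line
    args = argv[1:]
    chain = next((CHAINS[a] for a in args if a in CHAINS), None)
    if chain is None:
        raise ValueError("no -I/-O/-F category in: " + line)
    out, i = ["ipchains"], 0
    while i < len(args):
        opt = args[i]
        if opt in CHAINS:                 # consumed above
            i += 1
            continue
        val = args[i + 1] if i + 1 < len(args) else None
        if opt == "-a":                   # append a rule with this policy
            out += ["-A", chain, "-j", TARGETS[val]]
        elif opt == "-p":                 # ipfwadm -p is the default policy...
            out += ["-P", chain, TARGETS[val]]
        elif opt == "-P":                 # ...but ipfwadm -P is the protocol
            out += ["-p", val]
        elif opt in ("-S", "-D"):         # addresses keep their meaning, lower-cased
            out += [opt.lower(), val]
        elif opt == "-W":                 # interface by name: same in ipchains
            out += ["-i", val]
        elif opt == "-V":                 # interface by address: must be local
            if val not in LOCAL_IFACES:
                raise ValueError("%s is not a known local address" % val)
            out += ["-i", LOCAL_IFACES[val]]
        else:
            raise ValueError("unhandled ipfwadm option %s in: %s" % (opt, line))
        i += 2
    return " ".join(out)

def convert_file(text):
    """Convert a whole ipfwadm rule file, stdin-to-stdout style as on the page."""
    return "\n".join(convert_rule(l) for l in text.splitlines())
```

Note the -p/-P swap: in ipfwadm -p is the default policy and -P the protocol, in ipchains it is the other way round, which is the kind of detail a hand conversion gets wrong.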

Neat trick

Make a file called new_rules and place the following lines in it:

if [ -f /proc/net/ip_fwchains ]; then
The contents of your new ipchains ruleset file
elif [ -f /proc/net/ip_input ]; then
The contents of your original ipfwadm ruleset file
fi

This new combined file will work under both an ipchains and an ipfwadm kernel.

Known issues

Download

For a complete list of all files, see filelist.html.

To download one of the following, right click on it and choose "Save link as..." or something like that. /usr/bin/ might be an appropriate place for it.

ipfwadm2ipchains (the latest version).

Version 0.5.2. 0.5.2 handles blank lines in input correctly.

Version 0.5.1. I made a mistake in 0.5.0 in the "Insert Rule" conversion by reversing the rule name and number.

Version 0.5.0.

This first release needs some testing; let me know what you find.

dotfile-prep. I wrote a small wrapper script for use with the ipfwadm dotfile generator. It's not really tested heavily as I don't use that program.

Feedback

If you have suggestions or questions, please email me at wstearns@pobox.com.

I'm especially interested in even brief success or failure reports.

Thanks

This program drew on the conversion table in Appendix A of the ipchains-HOWTO - Thanks, Rusty.

Other tools

Mason, the automatic firewall builder; Buildkernel, the automated tool for building Linux kernels.

Best viewed with something that can show web pages... <grin>


The files in this collection are part of William Stearns' software archive. If any of the links on this page do not work, you may be viewing an incomplete mirror. There is a complete list of the mirror sites at the starting page for this mirror and at the primary mirror.


Generated Fri May 12 23:44:25 EDT 2006 by htmlfilelist version 0.8.4