ipchains2iptables, V0.5.0, is available for test. The tool takes an existing file of ipchains rules and creates a file of the equivalent iptables rules. For those that already have an ipchains firewall created, this will allow you to try out the new netfilter/iptables code without having to re-create your firewall on it.

The file is available at ftp://slartibartfast.pa.net/pub/i2i/ It's just a single executable shell script.

Sample run:

    cat ipchains_rulefile | ipchains2iptables >iptables_rulefile

If you're still using ipfwadm, try:

    cat ipfwadm_rulefile | ipfwadm2ipchains | ipchains2iptables >iptables_rulefile

"ipchains2iptables -h" provides this summary.

Make sure you have all your local interfaces up before running. If they're not (perhaps you're running this on another system), do the following before running:

    export LOCALIPS="`ifconfig | grep 'inet addr' | awk '{print $2}' | \
    sed -e 's/.*://'` another-local-ip \${ppp0ADDR}" ; export LOCALIPS

This is crucial; i2i must be able to identify all the ways you refer to a local IP in your ipchains file or it will incorrectly convert rules.

Known issues:

- i2i doesn't list all of the needed modules yet. Not a big deal; they're probably autoloaded anyways.

- I don't know how to convert -J REDIRECT; _is_ there an iptables equivalent? My best read on the documentation is that there isn't.

- It's not clear whether -m (mark packet with number) is a removed feature or a "planned but currently unimplemented" feature. I'd love to put in a bid for the latter; Mason uses it to match up rules in a file with rules in a running firewall in the process of adding packet counts to the rule file.

- The ipchains "-o" (copy matching packets to the userspace device) is not converted. Should this be replaced by an additional "-j QUEUE" rule?

- While I've done my best job to figure out all the conversions, it's not possible to be 100% sure of these and come up with a perfect replacement for the ipchains rule as some information is missing. For example, ipchains rules only have the input interface on forwarding rules; iptables allows you to specify input and output interfaces. You should read over the output and especially look at the comments following "###" on each line.

- You may come up with multiple rules for a given packet. This is because ipchains' input, output, and forward rules for non-local packets all become forward rules in iptables. After the conversion, you may end up with almost identical triplets that can be pared down by hand.

I would sincerely appreciate feedback on whether this tool correctly converts your rules. I'd also appreciate it if someone could double check the logic I used in converting the ipchains srcip, destip, and chain to the iptables chain and interfaces (search for "Chain and interface conversion logic", a readable table, around line 620).

I expect to release this to freshmeat in a few weeks once I've got a little documentation and at least a README.

- William Stearns, 9/6/99
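The chain-and-interface decision described above, as an added example that is not the script's own code: a small Python reconstruction of how an ipchains rule's chain and -s/-d arguments map onto the iptables chain, assuming the netfilter semantics of the time (INPUT sees only packets addressed to the host, OUTPUT only locally generated ones, everything else goes through FORWARD). The LOCAL_IPS set and the sample rules are constructed values, and the forward-chain interface is deliberately left for manual review, as the announcement's "###" comments suggest.

```python
import ipaddress

# Constructed example: the local addresses of the firewall host (the
# equivalent of the LOCALIPS list the script needs to be told about).
LOCAL_IPS = {"192.168.1.1", "10.0.0.1", "127.0.0.1"}

def locality(addr, local_ips=LOCAL_IPS):
    """Classify an ipchains -s/-d argument relative to this host.
    Returns "local" (a single host address that is ours), "remote"
    (no local address inside it) or "either" (a range that covers both,
    or an unspecified/any address such as 0/0)."""
    if addr is None or addr in ("0/0", "0.0.0.0/0"):
        return "either"
    net = ipaddress.ip_network(addr, strict=False)
    hits = [ip for ip in local_ips if ipaddress.ip_address(ip) in net]
    if not hits:
        return "remote"
    return "local" if net.num_addresses == 1 else "either"

def convert_rule(chain, src=None, dst=None, iface=None):
    """Map one ipchains (chain, -s, -d, -i) to iptables chains.
    Returns a list of (iptables_chain, iface_flag, iface) tuples; an
    ambiguous address yields two rules, which is why the converted file
    can contain near-duplicate triplets that need paring down by hand."""
    chain = chain.lower()
    rules = []
    if chain == "input":
        loc = locality(dst)             # incoming: where is it going?
        if loc in ("local", "either"):
            rules.append(("INPUT", "-i", iface))
        if loc in ("remote", "either"):
            rules.append(("FORWARD", "-i", iface))
    elif chain == "output":
        loc = locality(src)             # outgoing: where did it come from?
        if loc in ("local", "either"):
            rules.append(("OUTPUT", "-o", iface))
        if loc in ("remote", "either"):
            rules.append(("FORWARD", "-o", iface))
    elif chain == "forward":
        # ipchains gives only one interface here; which iptables flag it
        # belongs to is left for the reader to check ("### review iface").
        rules.append(("FORWARD", None, None))
    else:
        raise ValueError("unknown ipchains chain: %s" % chain)
    return rules

def render(rule, src=None, dst=None, target="ACCEPT"):
    """Format one converted tuple as an iptables command line."""
    chain, flag, iface = rule
    parts = ["iptables", "-A", chain]
    if flag and iface:
        parts += [flag, iface]
    if src:
        parts += ["-s", src]
    if dst:
        parts += ["-d", dst]
    parts += ["-j", target]
    return " ".join(parts)
```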