Slashdot Mirror


Migrating from IPChains to Netfilters?

lodn asks: "I've been using a Linux gateway for some time now. It's a simple kernel 2.2.18 install with IP forwarding. Thanks to the great HOWTO on IPchains I was able to configure it with no problems. Now I'd like to upgrade to kernel 2.4, however I have not been able to find a HOWTO for Netfilters! Does anyone know where such can be found?" Anyone know of any IPchain-to-Netfilter migration utilities? I must admit, I haven't been able to find much information about Netfilter usage either when I went looking into 2.4, however my firewall is also still 2.2. Time to upgrade, methinks.

28 comments

  1. Easy. by Captain Pedantic · · Score: 1, Informative

    This is a helpful page, as is this one. There probably isn't a tool to convert from one to the other, but Firestarter is handy to create firewalls. Any more questions?

    (PS. posting first is irrelevant in these quiet sections.)

    --

    None are more hopelessly enslaved than those who falsely believe they are free. Johann Wolfgang von Goethe.
  2. There is a HOWTO for netfilter by kyz · · Score: 5, Informative

    I have not been able to find a HOWTO for Netfilters!

    There is a HOWTO for netfilter. It's at http://netfilter.samba.org/unreliable-guides/, and it's called the Linux 2.4 Packet Filtering HOWTO. Also look at the Linux 2.4 NAT HOWTO while you're there.

    --
    Does my bum look big in this?
  3. Did you try... by Eivind · · Score: 5, Insightful

    Simply hitting Google and entering "netfilter howto" ?

    All of the top 5 hits are directly relevant, and 2 of them are to the "Linux 2.4 packet filtering howto" and the "Linux 2.4 NAT howto"

    *sigh* Another day, another totally unresearched "ask slashdot". You'd think the editors would bother spending 2 minutes checking if the question is trivial.

    1. Re:Did you try... by Howie · · Score: 2, Funny

      You'd think the editors would bother spending 2 minutes checking if the question is trivial.

      Why would you think that? They typically don't appear to read the linked-to stories submitted before making glib and inaccurate comments, so why should 'Ask Slashdot' get special treatment? You must be mistaking this place for a source of reliable information.

      --
      "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
    2. Re:Did you try... by cymen · · Score: 2

      Why would you think that? They typically don't appear to read the linked-to stories submitted before making glib and inaccurate comments, so why should 'Ask Slashdot' get special treatment? You must be mistaking this place for a source of reliable information.

      Hey, quit shattering the illusion!

  4. Conversion is a bad idea by MadCamel · · Score: 1

    Directly converting your ipchains rulesets to ipchains isn't such a good idea. Iptables/netfilter is *much* more flexible, and chances are, you can cut your ruleset in half *with* added security. Personally, I find its stateful features, and ability to match "related" packets, quite useful. My firewall machine used to run 2.2/ipchains, and my ruleset was about 60 lines long; with iptables/netfilter it is less than 20, and is much easier to maintain.

    1. Re:Conversion is a bad idea by MadCamel · · Score: 1

      ipchains to ipchains? Man, I have to lay off the latte.. ipchains to iptables/netfilter :)

  5. Reason by dago · · Score: 4, Funny

    In order to avoid psychological problems and other traumatisms, US Authorities have decided to ban the word 'Down' due to mottos like 'another plane down'.

    Unfortunately, the key 'Page Down' has been removed from all keyboards in the United States and moreover, users cannot 'Scroll Down'.

    As the link to the HOWTO is not at the top of the netfilter homepage, it is not possible for users in the US to reach it.

    --
    #include "coucou.h"
  6. Search freshmeat.net by LinuxGeek8 · · Score: 3, Informative

    In the HOWTOs only the basics are mentioned.
    In the manpage, lots of options are explained.
    For examples you will want to search freshmeat.net.

    A few of my bookmarks:
    http://www.lysator.liu.se
    http://64.39.18.129
    http://www.linuxsecurity.com

    And some example scripts you might not find on freshmeat.net:
    http://nerdfest.org
    http://chaosmongers.org

    --
    Well, don't worry about that. We can get you back before you leave. (Dr. Who)
  7. It was a silly question... by Sam Lowry · · Score: 2, Insightful

    1. IP-Masquerading HOWTO is the primary source of information, not IP-Chains HOWTO.

    2. Netfilter emulates ipchains and ipfwadm. There is no need to rewrite the rules.

    1. Re:It was a silly question... by LinuxGeek8 · · Score: 2, Informative

      Sorry, but you're wrong.

      1. The IP-Masquerading HOWTO does IP masquerading on a 2.2 (and 2.0?) kernel.
      Kernel 2.4 does full NAT, therefore it's called the NAT HOWTO.
      I don't know if the two HOWTOs about iptables have appeared on www.linuxdoc.org yet, but it is about time they did.

      2. Netfilter does not emulate ipchains or ipfwadm.
      It is a replacement for them. Although you can configure your kernel for ipchains or ipfwadm support.

      Netfilter does things rather differently.
      The chains are more separate. For example, when you want to allow a packet over the forward chain, you had to open the input and output chains also in ipchains.
      With iptables you only have to open the forward chain, and the packet doesn't travel over the input and output chains.
      This is a more flexible approach. You can now close the firewall box completely, and only allow an ssh login from one or two local clients, while you can still allow forwards from local and remote hosts.

      Also it's stateful. It does connection tracking. This means you can drop all incoming connections to your local user ports (1024-65535), and accept outgoing new connections, and then specify with the --state options to allow related and established connections to come in.
      That way, the connections you open yourself are actually still working.

      So sure, you can rewrite your ipchains or ipfwadm rules.
      But you'll miss out on a lot of security and maintainability features.

      The only real reason against iptables can be that it is still fairly new compared to ipchains and ipfwadm, and so you can assume all the security issues are already fixed in those.
      The last security fix in iptables is from March this year, in kernel 2.4.3, in the ip_conntrack_ftp module.

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
  8. IpTables/Netfilter article by lwbecker2 · · Score: 1

    This month's SysAdmin magazine has an article on Netfilter. Link to article

  9. well... by jbridge21 · · Score: 4, Insightful

    What I did is simply use the ipchains support that is present in the 2.4 kernel, and use my existing ruleset. Works like a charm. When I feel the need, THEN I can rewrite it specifically for iptables. But for now, why bother?

    1. Re:well... by TheEnglishman · · Score: 1

      Why bother?

      Well, if you've got a few minutes on your hands, then taking a look at the stateful capabilities of IPTables/Netfilter over IPChains might be time well spent.

      Be aware that the IPChains support in the 2.4 kernels is only a compatibility layer over the top of netfilter, and in some cases will not just allow you to drop in your existing IPChains ruleset with some work.

      I found it trivial to rewrite my IPChains ruleset to use IPTables (including some stateful stuff) with the help of Rusty Russell's Unreliable Guides (as already mentioned: see netfilter.samba.org for everything worth knowing about Netfilter.)

      man iptables is your friend.

  10. man iptables by Leknor · · Score: 3, Insightful

    I struggled with the conversion too and on a fluke I tried `man iptables`. There are differences, but from the admin's point of view it's mostly syntax.

    Here is what I suggest: Get a list of your ipchains rules, preferably the command lines. Then view/print the iptables man page, then one by one write the new iptables command lines. It isn't that hard and you'll learn a bit.
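
The rewrite that LinuxGeek8 (in the reply to comment 7) and Leknor describe, as an added example that is not from the thread: one small gateway policy written first as an ipchains ruleset and then as the iptables ruleset it becomes. The interface names, the LAN prefix and the admin host are assumptions. Both functions only print their rules so the two can be compared side by side; nothing touches the kernel unless the script is run as root with `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread: the same gateway policy as an
# ipchains ruleset (2.2) and as the iptables ruleset (2.4) that replaces it.
# Interface names, LAN prefix and admin host are assumptions; adjust them.
WAN=${WAN:-eth0}                      # assumed upstream interface
LAN=${LAN:-eth1}                      # assumed LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}    # assumed LAN prefix
ADMIN=${ADMIN:-192.168.1.10}          # assumed host allowed to ssh to the box

# ipchains: no connection tracking. A forwarded packet crosses input,
# forward and output, so input has to let LAN traffic through, and replies
# to connections the box or the LAN opened can only be admitted by port
# range plus "not a SYN". Any non-SYN packet to a high port gets in.
ipchains_rules() {
    cat <<EOF
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $LAN -s $LAN_NET -j ACCEPT
ipchains -A input -i $WAN -p tcp ! -y --dport 1024:65535 -j ACCEPT
ipchains -A input -i $WAN -p udp --dport 1024:65535 -j ACCEPT
ipchains -A forward -s $LAN_NET -j MASQ
EOF
}

# iptables: forwarded packets only cross FORWARD, and conntrack admits
# replies by state. Nothing arrives on the WAN side that the box or the
# LAN did not initiate, and the box itself only takes ssh from ADMIN.
iptables_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -s $ADMIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Default: print the iptables ruleset for review. "apply" pipes it to sh
# (needs root and a 2.4 kernel with netfilter).
case "${1:-show}" in
    apply) iptables_rules | sh ;;
    *)     iptables_rules ;;
esac
```

Run `diff <(ipchains_rules) <(iptables_rules)` in a bash shell after sourcing the file to see exactly what the rewrite changed. The line to notice is the ipchains `! -y --dport 1024:65535` rule: that "anything that is not a SYN to a high port is a reply" heuristic is what `-m state --state ESTABLISHED,RELATED` replaces, and it is the reason the iptables version is both shorter and tighter.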

  11. Bastille Firewall Project by uslinux.net · · Score: 2, Informative

    Get the bastille firewall toolkit. You can configure your rules by editing one very well documented file, and it can generate the rulesets for IPChains or IPTables (depending on your kernel version). It's available at:

    http://www.tux.org/~peterw/#fwall

    I've used it for IPChains and then migrated right to IPTables - it does a great job, IMO (well, none of the systems I've configured it on have been hacked, so I suppose that's a good sign). You may still want to review the rules once it's complete, but it's an excellent starting point

  12. Pardon me for being blind as a bat... by Bake · · Score: 1

    ... but where's the negative side to all this? The one that makes you say conversion is a bad idea?

    1. Re:Pardon me for being blind as a bat... by MadCamel · · Score: 1

      Well, perhaps not a *bad* idea, just not the *best* way to do it; after all, fewer rules are much easier to manage :)

  13. gShield by sharkey · · Score: 2

    Slightly OT, since I didn't upgrade, but rolled a new firewall into service. gShield is very nice for configuring your ruleset. It uses a configuration file that is very easy to read, and very well commented.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  14. try http://netfilter.filewatcher.org/ by josepha48 · · Score: 4, Informative
    It is really easy.

    iptables -L will list the tables in the default chain. Then there is iptables -L -t nat and iptables -L -t mangle

    The best guide I found was http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html

    This explains how packets traverse the filters, which I thought was easier than ipchains to learn. It also talks about using the ipchains module in 2.4, which means you can upgrade your kernel and keep your old firewall rules. It also goes over some of the basic options. This guide is mainly geared for using IP masquerading, or now known as NAT, but it is a great place to start. Also pick up a copy of last month's Linux Journal as they had an article on iptables.

    However I must warn you that once you go to iptables you may find it difficult to want to ever think of ipchains again. I know I do.

    --

    Only 'flamers' flame!

  15. http://www.linuxguruz.org/iptables/ by Anonymous Coward · · Score: 1, Informative

    http://www.linuxguruz.org/iptables/

  16. Advanced firewalls and routing using Linux by bruckie · · Score: 1

    Fedor G. Pikus, a member of the Portland Linux Unix Group, gave an excellent presentation on 1 Nov that's basically a detailed, step-by-step guide to creating an iptables-based firewall.

    The slides are available on his site.

    --Bruce

    --
    There are 10 kinds of people in the world: those who understand binary, and those who don't.
  17. Can Netfilter do... by cymen · · Score: 2

    I've heard rumors that with Netfilter you can have a firewall+NAT that allows external people to FTP in? Is that true? Something about stateless? I know this is possible with ipfilter but it is a pain in the ass. Would this also allow other programs that need to get in from the outside like certain instant messenger clients work?

    That's the kind of stuff that is interesting...

    1. Re:Can Netfilter do... by LinuxGeek8 · · Score: 2, Informative

      I don't know about instant messengers. I assume it needs portforwarding (every connection to a certain port gets forwarded directly to a local machine), but i dunno if that's the case.

      And yes, the kernelmodule ip_conntrack_ftp does do what you are asking.
      It's called stateful.
      When someone connects on port 21 of my ftp server, he can do a passive or an active data connection, whichever he chooses, and the connection tracking tracks it all.
      Even on a forwarded port, where the ftp server is behind the firewall, it gets forwarded without any problem afaik.

      Just keep one thing in mind with ftp connection tracking; you need to use a kernel newer than 2.4.3, because earlier versions had a security issue, where you could connect to an ftp port, and within a few seconds you could connect to, say, an ssh port. But this is the one and only real issue there is with it.
      Also, afaik, the irc-dcc conntrack module is not in the vanilla kernel and is only available as a patch.

      And yes, ftp conntrack is neat :)

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
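
The set-up LinuxGeek8 describes above, as an added example that is not from the thread: an FTP server behind the NAT box is reached through a DNAT rule, and the ftp conntrack/NAT helper modules take care of the active and passive data connections, so no high-port range has to be opened. The interface names and the server address are assumptions, and so is the minimum kernel version: the script refuses to apply on anything below 2.4.4, the stricter reading of the two comments in this thread about the ip_conntrack_ftp fix.

```shell
#!/bin/sh
# Added example, not code from the thread: forward an FTP server that sits
# behind the NAT box and let the ftp helper modules track the data
# connections. Interfaces, server address and MIN_KERNEL are assumptions.
WAN=${WAN:-eth0}                          # assumed upstream interface
LAN=${LAN:-eth1}                          # assumed LAN interface
FTP_SERVER=${FTP_SERVER:-192.168.1.20}    # assumed internal FTP server
MIN_KERNEL=${MIN_KERNEL:-2.4.4}           # assumption: stricter reading of
                                          # "newer than 2.4.3" for ftp conntrack

# kernel_at_least MIN ACTUAL: succeed if ACTUAL (e.g. "2.4.10-ac3") is at
# least MIN, comparing the first three numeric components and ignoring any
# "-suffix" or trailing letters.
kernel_at_least() {
    min=$1
    act=${2%%-*}
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$act" | cut -d. -f"$i"); a=${a%%[!0-9]*}
        m=$(printf '%s' "$min" | cut -d. -f"$i"); m=${m%%[!0-9]*}
        if [ "${a:-0}" -gt "${m:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${m:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Rules for the forwarded server. ip_conntrack_ftp parses PORT/PASV so the
# data connection is matched as RELATED; ip_nat_ftp rewrites the address
# inside those commands so the DNAT'd server works through the box.
ftp_forward_rules() {
    cat <<EOF
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER:21
iptables -A FORWARD -i $WAN -o $LAN -d $FTP_SERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the rules for review, or run them with "apply" (root, 2.4 kernel),
# but only on a kernel at least MIN_KERNEL.
if kernel_at_least "$MIN_KERNEL" "$(uname -r)"; then
    case "${1:-show}" in
        apply) ftp_forward_rules | sh ;;
        *)     ftp_forward_rules ;;
    esac
else
    echo "kernel $(uname -r) is older than $MIN_KERNEL; ftp conntrack has a known issue" >&2
fi
```

Only the control connection on port 21 is opened explicitly; the data connection in either direction comes through as RELATED, which is what makes this work without the wide port range the ipchains version of the same thing needed. The version check is there because the helper is exactly the part of 2.4 that had a fix in the 2.4.3 timeframe, as noted earlier in the thread.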
  18. Bastille Linux Webpage by ctar · · Score: 0, Redundant

    Bastille Linux's Webpage has a nice 2.4 Netfilter Firewalling document... I also used this GUI which can create rulesets for ipchains and iptables/netfilter. And, yes, if you upgrade your kernel to 2.4, netfilter can still read your ipchains rulesets, so it's not necessary to immediately rewrite your rulesets for ipchains/netfilter.

  19. Re:Ooops. by TheEnglishman · · Score: 1

    Slight mistake - should read:

    Be aware that the IPChains support in the 2.4 kernels is only a compatibility layer over the top of netfilter, and in some cases will not just allow you to drop in your existing IPChains ruleset without doing some work.