Migrating from IPChains to Netfilters?

lodn asks: "I've been using a Linux gateway for some time now. It's a simple kernel 2.2.18 install with IP forwarding. Thanks to the great HOWTO on IPchains I was able to configure it with no problems. Now I'd like to upgrade to kernel 2.4, however I have not been able to find a HOWTO for Netfilters! Does anyone know where such can be found?" Anyone know of any IPchain-to-Netfilter migration utilities? I must admit, I haven't been able to find much information about Netfilter usage either when I went looking into 2.4, however my firewall is also still 2.2. Time to upgrade, methinks.

Easy.

[Captain+Pedantic]

This is a helpful page, as is this one. There probably isn't a tool to convert from one to the other, but Firestarter is handy to create firewalls. Any more questions?

(PS. posting first is irrelevant in these quiet sections.)

There is a HOWTO for netfilter

[kyz]

I have not been able to find a HOWTO for Netfilters!

There is a HOWTO for netfilter. It's at http://netfilter.samba.org/unreliable-guides/, and it's called the Linux 2.4 Packet Filtering HOWTO. Also look at the Linux 2.4 NAT HOWTO while you're there.

Search freshmeat.net

[LinuxGeek8]

In the Howto's only the basics are mentioned.
In the manpage, lots of options are explained.
For examples you will want to search freshmeat.net.

A few of my bookmarks:
http://www.lysator.liu.se
http://64.39.18.129
http://www.linuxsecurity.com

And some example scripts you might not find on freshmeat.net:
http://nerdfest.org
http://chaosmongers.org

Bastille Firewall Project

[uslinux.net]

Get the bastille firewall toolkit. You can configure your rules by editing one very well documented file, and it can generate the rulesets for IPChains or IPTables (depending on your kernel version). It's available at:

http://www.tux.org/~peterw/#fwall

I've used it for IPChains and then migrated right to IPTables - it does a great job, IMO (well, none of the systems I've configured it on have been hacked, so I suppose that's a good sign). You may still want to review the rules once it's complete, but it's an excellent starting point

try http://netfilter.filewatcher.org/

[josepha48]

It is really easy.

iptables -L will list the tables in the default chain. Then there is iptables -L -t nat and iptables -l -t mangle

The best guide I found was http://netfilter.filewatcher.org/unreliable-guides /packet-filtering-HOWTO/index.html

This explains how packet travers the filters which I though was easier than ipchains to learn. It also talks about using the ipchains module in 2.4 which means you can upgrade you kernel and keep your old firewall rules. It also goes over some of the basic options. This guide is mainly geared for using ip masquarading or now know as nat, but it is a great place to start. Also pick up a copy of last months Linux journal as they had an article on iptables.

However I must warn you that once you go to iptables you may find it difficult to want to ever think of ipchains again. I know I do.

http://www.linuxguruz.org/iptables/

http://www.linuxguruz.org/iptables/

Re:Can Netfilter do...

[LinuxGeek8]

I don't know about instant messengers. I assume it needs portforwarding (every connection to a certain port gets forwarded directly to a local machine), but i dunno if that's the case.

And yes, the kernelmodule ip_conntrack_ftp does do what you are asking.
It's called statefull.
When someone connects on port 21 of my ftp server, he can do a passive or an active dataconnection, whichever he chooses, and the connection tracking tracks it all.
Even on a forwarded port, where the ftp server is behind the firewall, it gets forwarded without any problem afaik.

Just keep one thing in mind with ftp connection tracking; you need to use a kernel newer then 2.4.3, because earlier versions had a security issue, where you could connect to an ftp port, and within a few seconds you could connect to, say an ssh port. But this is the one and only real issue there is with it.
Also, afaik, the irc-dcc conntrack module is not in the vanilla kernel and is only available as a patch.

And yes, ftp conntrack is neat :)

Re:It was a silly question...

[LinuxGeek8]

Sorry, but you're wrong.

1. The IP-Masquerading howto does ipmasquerading on a 2.2 (and 2.0?) kernel.
Kernel 2.4 does full NAT, therefore it's called the NAT howto.
I don't know if the two howto's about iptables have appeared on www.linuxdoc.org yet, but it is about time they are.

2. Netfilter does not emulate ipchains or ipfwadm.
It is a replacement of them. Allthough you can configure your kernel for ipchains or ipfwadm support.

Netfilter does things rather different.
The chains are more seperate. For example when you want to allow a packet over the forward chain, you had to open the input and output chain also in ipchains.
With iptables you only have to open the forward chain, and the packet doesn't travel over the input and output chains.
This is a more flexible approach. You can now close the firewall box completely, and only allow an ssh login from one or two local clients, while you still can allow forwards from local and remote hosts.

Also it's statefull. It does connection tracking. This means you can drop all incoming connections to your local user ports (1024-65535), and accept outgoing new connections, and then specify with the --state options to allow related and established connections to come in.
That way, the connections you open yourself are actually still working.

So sure, you can rewrite your ipchains or ipfwadm rules.
But you'll miss out on a lot of security and maintainability features.

The only real reason against iptables can be that it is still fairly new compared to ipchains and ipfwadm, and so you can assume all the security issues are allready fixed in those.
The last security fix in iptables is from March this year, in kernel 2.4.3, in the ip_conntrack_ftp module.