Migrating from IPChains to Netfilters? 28
lodn asks: "I've been using a Linux gateway for some time now. It's a simple kernel 2.2.18 install with IP forwarding. Thanks to the great HOWTO on IPchains I was able to configure it with no problems. Now I'd like to upgrade to kernel 2.4, however I have not been able to find a HOWTO for Netfilters! Does anyone know where such can be found?" Anyone know of any IPchain-to-Netfilter migration utilities? I must admit, I haven't been able to find much information about Netfilter usage either when I went looking into 2.4, however my firewall is also still 2.2. Time to upgrade, methinks.
Easy. (Score:1, Informative)
(PS. posting first is irrelevant in these quiet sections.)
There is a HOWTO for netfilter (Score:5, Informative)
There is a HOWTO for netfilter. It's at http://netfilter.samba.org/unreliable-guides/ [samba.org], and it's called the Linux 2.4 Packet Filtering HOWTO. Also look at the Linux 2.4 NAT HOWTO while you're there.
Did you try... (Score:5, Insightful)
All of the top 5 hits are directly relevant, and 2 of them are to the "Linux 2.4 packet filtering howto" and the "Linux 2.4 NAT howto"
*sigh* Another day, another totally unresearched "ask slashdot". You'd think the editors would bother spending 2 minutes checking if the question is trivial.
Re:Did you try... (Score:2, Funny)
Why would you think that? They typically don't appear to read the linked-to stories submitted before making glib and inaccurate comments, so why should 'Ask Slashdot' get special treatment? You must be mistaking this place for a source of reliable information.
Re:Did you try... (Score:2)
Hey, quit shattering the illusion!
Conversion is a bad idea (Score:1)
idea. Iptables/netfilter is *much* more flexible, and chances are, you
can cut your ruleset in half *with* added security. Personaly, I find
it's stateful features, and ability to match "related" packets quite
useful. My firewall machine used to run 2.2/ipchains, and my ruleset was
about 60 lines long, with iptables/netfilter it is less than 20, and is
much easier to maintain.
Re:Conversion is a bad idea (Score:1)
Pardon me for being blind as a bat... (Score:1)
Re:Pardon me for being blind as a bat... (Score:1)
Reason (Score:4, Funny)
Unfortunately, the key 'Page Down' has been removed from all keyboards in united states and moreover, users cannot 'Scroll Down'.
As the link to the HOWTO is not at hte top of the netfilter homepage, it is not possible for users in the US to reach it.
Search freshmeat.net (Score:3, Informative)
In the manpage, lots of options are explained.
For examples you will want to search freshmeat.net.
A few of my bookmarks:
http://www.lysator.liu.se [lysator.liu.se]
http://64.39.18.129 [64.39.18.129]
http://www.linuxsecurity.com [linuxsecurity.com]
And some example scripts you might not find on freshmeat.net:
http://nerdfest.org [nerdfest.org]
http://chaosmongers.org [chaosmongers.org]
It was a silly question... (Score:2, Insightful)
2. Netfilter emulates ipchains and ipfwadm. There is no need to rewrite the rules.
Re:It was a silly question... (Score:2, Informative)
1. The IP-Masquerading howto does ipmasquerading on a 2.2 (and 2.0?) kernel.
Kernel 2.4 does full NAT, therefore it's called the NAT howto.
I don't know if the two howto's about iptables have appeared on www.linuxdoc.org yet, but it is about time they are.
2. Netfilter does not emulate ipchains or ipfwadm.
It is a replacement of them. Allthough you can configure your kernel for ipchains or ipfwadm support.
Netfilter does things rather different.
The chains are more seperate. For example when you want to allow a packet over the forward chain, you had to open the input and output chain also in ipchains.
With iptables you only have to open the forward chain, and the packet doesn't travel over the input and output chains.
This is a more flexible approach. You can now close the firewall box completely, and only allow an ssh login from one or two local clients, while you still can allow forwards from local and remote hosts.
Also it's statefull. It does connection tracking. This means you can drop all incoming connections to your local user ports (1024-65535), and accept outgoing new connections, and then specify with the --state options to allow related and established connections to come in.
That way, the connections you open yourself are actually still working.
So sure, you can rewrite your ipchains or ipfwadm rules.
But you'll miss out on a lot of security and maintainability features.
The only real reason against iptables can be that it is still fairly new compared to ipchains and ipfwadm, and so you can assume all the security issues are allready fixed in those.
The last security fix in iptables is from March this year, in kernel 2.4.3, in the ip_conntrack_ftp module.
IpTables/Netfilter article (Score:1)
well... (Score:4, Insightful)
Re:well... (Score:1)
Why bother?
Well, if you've got a few minutes on your hands, then taking a look at the stateful capabilities of IPTables/Netfilter over IPChains might be time well spent.
Be aware that the IPChains support in the 2.4 kernels is only a compatiblity layer over the top of netfilter, and in some cases will not just allow you to drop in your existing IPChains ruleset with some work.
I found it trival to rewrite my IPChains ruleset to use IPTables (including some stateful stuff) with the help of Rusty Russell's Unreliable Guides (as already mentioned: see netfilter.samba.org [samba.org] for everything worth knowing about Netfilter.)
man iptable is your friend.
Re:Ooops. (Score:1)
Slight mistake - should read:
man iptables (Score:3, Insightful)
I struggled with the conversion too and on a fluke I tried `man iptables`. There are diference but from the admin's point of view it's mostly syntax.
Here is what I suggest: Get a list of your ipchains, preferablye the command lines. Then view/print the iptables man page then one by one write the new iptables command lines. It isn't that hard and you'll learn a bit.
Bastille Firewall Project (Score:2, Informative)
http://www.tux.org/~peterw/#fwall
I've used it for IPChains and then migrated right to IPTables - it does a great job, IMO (well, none of the systems I've configured it on have been hacked, so I suppose that's a good sign). You may still want to review the rules once it's complete, but it's an excellent starting point
gShield (Score:2)
try http://netfilter.filewatcher.org/ (Score:4, Informative)
iptables -L will list the tables in the default chain. Then there is iptables -L -t nat and iptables -l -t mangle
The best guide I found was http://netfilter.filewatcher.org/unreliable-guides /packet-filtering-HOWTO/index.html [filewatcher.org]
This explains how packet travers the filters which I though was easier than ipchains to learn. It also talks about using the ipchains module in 2.4 which means you can upgrade you kernel and keep your old firewall rules. It also goes over some of the basic options. This guide is mainly geared for using ip masquarading or now know as nat, but it is a great place to start. Also pick up a copy of last months Linux journal as they had an article on iptables.
However I must warn you that once you go to iptables you may find it difficult to want to ever think of ipchains again. I know I do.
http://www.linuxguruz.org/iptables/ (Score:1, Informative)
Advanced firewalls and routing using Linux (Score:1)
Fedor G. Pikus, a member of the Portland Linux Unix Group [pdxlinux.org], gave an excellent presentation on 1 Nov that's basically a detailed, step-by-step guide to creating an iptables-based firewall.
The slides are available [pikus.net] on his site.
--Bruce
Can Netfilter do... (Score:2)
That's the kind of stuff that is interesting...
Re:Can Netfilter do... (Score:2, Informative)
And yes, the kernelmodule ip_conntrack_ftp does do what you are asking.
It's called statefull.
When someone connects on port 21 of my ftp server, he can do a passive or an active dataconnection, whichever he chooses, and the connection tracking tracks it all.
Even on a forwarded port, where the ftp server is behind the firewall, it gets forwarded without any problem afaik.
Just keep one thing in mind with ftp connection tracking; you need to use a kernel newer then 2.4.3, because earlier versions had a security issue, where you could connect to an ftp port, and within a few seconds you could connect to, say an ssh port. But this is the one and only real issue there is with it.
Also, afaik, the irc-dcc conntrack module is not in the vanilla kernel and is only available as a patch.
And yes, ftp conntrack is neat