LinuxQuestions.org

iptables configuration (https://www.linuxquestions.org/questions/linux-networking-3/iptables-configuration-170413/)

tungaw2001 04-15-2004 05:44 AM

iptables configuration
 
Hi All,
I'm having a problem converting my Red Hat Linux DSL 6.2 to Red Hat Linux 9.0.

RH 6.2 uses kernel 2.2 while RH 9.0 uses kernel 2.4.

This is my setup on Red Hat 6.2 using ipchains, and I want to convert it into iptables.

#!/bin/sh
#
# rc.firewall
#
echo 1 > /proc/sys/net/ipv4/ip_forward

## Flush everything, start from scratch. -X deletes the user-defined chains
## created below, so the script can be re-run without "Chain already exists".
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -X


## Create your own chain
/sbin/ipchains -N good-bad
/sbin/ipchains -N bad-good
/sbin/ipchains -N icmp-acc

## Setup jumps from forward chains
/sbin/ipchains -A forward -s 10.0.5.0/24 -i ppp0 -j good-bad
/sbin/ipchains -A forward -i eth0 -j bad-good
/sbin/ipchains -A forward -j DENY -l

## Define the icmp-acc chain
/sbin/ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT

#############################################################################################
## Define good-to-bad chain: allow POP3, DNS, PING, SENDMAIL to all, selective WWW
##
## General rule for all users: DENY surfing.
#############################################################################################
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d 0/0 pop-3 -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d 0/0 smtp -j MASQ
/sbin/ipchains -A good-bad -p udp -s 0/0 -d 0/0 domain -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d 0/0 domain -j MASQ
/sbin/ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
/sbin/ipchains -A good-bad -p udp --dport 33434:33863 -j MASQ
/sbin/ipchains -A good-bad -p icmp -j icmp-acc

#############################################################################################
## Machine Specific Permissions
#############################################################################################
### Bay
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.53 -d 0/0 443 -j MASQ

### Bay
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.23 -d 0/0 443 -j MASQ

### Jeff
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.8 -d 0/0 443 -j MASQ

### Randy
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.34 -d 0/0 443 -j MASQ

### Ronald
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.35 -d 0/0 443 -j MASQ

## temporary remove by OCT 15, 2002
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 www -j MASQ
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 443 -j MASQ
#/sbin/ipchains -A good-bad -p udp -s 10.0.5.20 -d 0/0 443 -j MASQ
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 ftp -j MASQ
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 ftp-data -j MASQ


#############################################################################################
## Site Specific Rules
#############################################################################################

### adamas.com.ph
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.adamas.com.ph www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d cypress.he.net ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d cypress.he.net ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d cypress.he.net telnet -j MASQ

### r&d sites
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d java.sun.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.mysql.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.phpbuilder.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d developer.java.sun.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.pushlets.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d octopus.cdut.edu.cn www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.nscb.gov.ph www -j MASQ

### Filter other services
###########################################################################
### YAHOO MESSENGER ###
###########################################################################



###########################################################################
### END YAHOO MESSENGER ###
###########################################################################

#############################################################################################
## Anything else, REJECT it
#############################################################################################
/sbin/ipchains -A good-bad -j REJECT -l


#############################################################################################
## Rules for incoming Traffic.
#############################################################################################
## Define bad-to-good chain: DO NOT ALLOW ANYTHING
/sbin/ipchains -A bad-good -j REJECT -l

## Deny everything else. (Left commented out: -P only sets the policy of the
## built-in chains, not of a user chain; the REJECT rule above does the job.)
# /sbin/ipchains -P bad-good input DENY

HELP PLEASE!!!!
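
One way to write the same policy for iptables on the 2.4 kernel, added here as an example and not code from the original poster. The differences that matter in the conversion: the filter rules go on the FORWARD chain with separate -i/-o matches (on the ipchains forward chain, -i named the outgoing interface), reply traffic is accepted with the state module instead of being handled implicitly by the masquerading code, and MASQ becomes a single MASQUERADE rule in the nat table's POSTROUTING chain rather than a target on every filter rule. Interfaces, addresses, hosts and ports are taken from the posted script; the INPUT rules, the DRY_RUN/FIREWALL_APPLY switches and the ip_conntrack_ftp module load are assumptions made for this example.

```sh
#!/bin/sh
# rc.firewall for iptables / kernel 2.4. Added example of the conversion, not the
# thread's own code. Interfaces, addresses and ports come from the posted ipchains
# script; the INPUT-chain rules are an assumption (the original left input at ACCEPT).
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IF=eth0            # "good" side
WAN_IF=ppp0            # "bad" side (DSL)
LAN_NET=10.0.5.0/24
# Hosts allowed to surf; 10.0.5.35 had no telnet rule in the original
SURF_HOSTS="10.0.5.53 10.0.5.23 10.0.5.8 10.0.5.34 10.0.5.35"
TELNET_HOSTS="10.0.5.53 10.0.5.23 10.0.5.8 10.0.5.34"
DEV_SITES="java.sun.com www.mysql.com www.phpbuilder.com developer.java.sun.com www.pushlets.com octopus.cdut.edu.cn www.nscb.gov.ph www.adamas.com.ph"

# run: execute iptables, or with DRY_RUN=1 print the command instead of running it
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

firewall_rules() {
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Flush and delete user chains in both tables so the script can be re-run
    run -F; run -X; run -t nat -F; run -t nat -X

    # Default policies. ipchains' -l has no flag equivalent; a LOG rule precedes the REJECT
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT   # assumption: the LAN may reach the box

    run -N good-bad; run -N icmp-acc

    # ipchains "-i ppp0" on the forward chain meant the *outgoing* interface;
    # iptables distinguishes -i (incoming) from -o (outgoing).
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j good-bad
    # bad-good: nothing new from outside is allowed; reply packets already passed above
    run -A FORWARD -j LOG --log-prefix "FORWARD-DENY: "
    run -A FORWARD -j REJECT

    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        run -A icmp-acc -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Services everyone may use: POP3, SMTP, DNS, ping, traceroute probes
    run -A good-bad -p tcp --dport 110 -j ACCEPT
    run -A good-bad -p tcp --dport 25 -j ACCEPT
    run -A good-bad -p udp --dport 53 -j ACCEPT
    run -A good-bad -p tcp --dport 53 -j ACCEPT
    run -A good-bad -p icmp --icmp-type echo-request -j ACCEPT
    run -A good-bad -p udp --dport 33434:33863 -j ACCEPT
    run -A good-bad -p icmp -j icmp-acc

    # Machine-specific: web, ftp, https. ftp-data (port 20) and passive-mode data
    # connections arrive as RELATED once ip_conntrack_ftp is loaded, so no rule is needed.
    for h in $SURF_HOSTS; do
        for p in 80 21 443; do run -A good-bad -p tcp -s "$h" --dport "$p" -j ACCEPT; done
        run -A good-bad -p udp -s "$h" --dport 443 -j ACCEPT
    done
    for h in $TELNET_HOSTS; do run -A good-bad -p tcp -s "$h" --dport 23 -j ACCEPT; done

    # Site-specific: hostnames are resolved once, when the rule is loaded
    for s in $DEV_SITES; do run -A good-bad -p tcp -d "$s" --dport 80 -j ACCEPT; done
    for p in 21 23; do run -A good-bad -p tcp -d cypress.he.net --dport "$p" -j ACCEPT; done

    # Anything else from the LAN: log, then reject
    run -A good-bad -j LOG --log-prefix "good-bad-REJECT: "
    run -A good-bad -j REJECT

    # MASQ moves from the filter rules to the nat table in iptables
    run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# render_rules: print the iptables commands without applying them
render_rules() { ( DRY_RUN=1; firewall_rules ); }

if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    modprobe ip_conntrack_ftp 2>/dev/null
    firewall_rules
else
    render_rules
fi
```

Run it as root with `FIREWALL_APPLY=1 sh rc.firewall` to load the rules; without that variable it only prints the iptables commands so they can be reviewed first. The ftp-data rules from the original disappear because, with ip_conntrack_ftp loaded, both active and passive data connections are accepted by the ESTABLISHED,RELATED rule. Hostnames given to -d are resolved once at load time, exactly as with ipchains, so a site that changes address needs the script re-run.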

Robert0380 04-15-2004 08:59 AM

A good sed script would be useful here.

A few ideas for regexes:

s/ipchains/iptables/g
s/MASQ/MASQUERADE/g
# \b keeps the chain rename from also rewriting "ip_forward" in the /proc/sys line
s/\bforward\b/FORWARD/g


That much would eliminate a lot of keystrokes.

From the looks of it, all you want that box to do is forward packets (router-like). If you don't want it to accept INPUT you would add the following to the top of the file somewhere:

/sbin/iptables -P INPUT DROP


And as a suggestion:

I'd use some variables in the script for easy editing:

IPTABLES="/sbin/iptables"

Then everywhere you have /sbin/iptables you can use sed to change it to $IPTABLES. That way, if by some chance you need to change the script or move it to a box that doesn't put iptables in /sbin (SuSE puts it in /usr/sbin/), you'll only have to edit 1 line and not 50 lines.

The regex:

s|/sbin/iptables|$IPTABLES|g

or on the original script

s|/sbin/ipchains|$IPTABLES|g

I can't really run any scripts right now because I'm at work on a Windows box and it seems all outgoing ssh isn't working here, so I'd have to write an actual sed script later if you don't know any sed.

WeNdeL 04-15-2004 03:01 PM

Learn iptables...

Masquerading in iptables is different than what it was in ipchains.
