ipfwadm2ipchains
The ipfwadm2ipchains script is designed to convert ipfwadm rulesets into ipchains rulesets. Simply feed it your
ipfwadm rules via stdin and it will print out the corresponding ipchains rules.
#!/bin/bash
#Copyright (c) 1999, William L. Stearns <wstearns@pobox.com>
#Released under the GPL.
#Credit goes to Paul 'Rusty' Russell's ipchains-howto, especially
#the conversion table in the appendix.
#Home page is at http://www.pobox.com/~wstearns/ipfwadm2ipchains/
#Version 0.5.0, first release, May 2, 1999
#Version 0.5.1, fixed -I parameter order, May 1999
#Version 0.5.2, handle blank input lines correctly, May 10, 1999
# Set once SetupAccounting has emitted the accounting-chain preamble, so the
# preamble is printed at most once per run.
ACCOUNTINGPREPARED=''
# The banner goes to stderr so that stdout carries nothing but the converted
# rules and can be redirected straight into a rule file.
cat >&2 <<'EOF'
------------------------------------------------------------------
---- ipfwadm2ipchains rule converter ----
---- See http://www.pobox.com/~wstearns/ for more info on ----
---- this and Mason, the automatic firewall creator. ----
---- Copyright (c) 1999 William Stearns <wstearns@pobox.com> ----
---- Released under the GNU GPL. ----
------------------------------------------------------------------
EOF
#######################################
# Discard the current first input field: slide F2..F60 down one slot into
# F1..F59 and clear F60, so the caller can keep consuming "$F1" as the next
# field of the line being converted.
# Globals:   F1..F60 (read and written)
# Arguments: none
# Returns:   0
#######################################
Fshift () {
  local slot from
  for ((slot = 1; slot < 60; slot++)); do
    from="F$((slot + 1))"
    # Indirect read of F<slot+1>, direct assignment into F<slot>.
    printf -v "F${slot}" '%s' "${!from}"
  done
  F60=''
}
#######################################
# Print, once per run, a commented-out preamble that creates the acctin,
# acctout and acctio chains and hooks them into the input and output chains.
# ipchains needs these chains to exist before an accounting (-A) rule can be
# written into them, so the user is told to uncomment the block and place
# a single copy at the top of the firewall script. Later calls are no-ops.
# Globals:   ACCOUNTINGPREPARED (read; set to YES after the first call)
# Arguments: none
# Outputs:   the preamble on stdout, first call only
# Returns:   0
#######################################
SetupAccounting () {
  [[ "$ACCOUNTINGPREPARED" == 'YES' ]] && return 0
  cat <<'EOF'
#The following block may be used to initialize the
#Accounting chains that must be explicitly prepared
#in ipchains. The lines starting with "/sbin/ipchains"
#should be uncommented and a single
#copy of the block placed at the top of your firewall.
#/sbin/ipchains -N acctin
#/sbin/ipchains -N acctout
#/sbin/ipchains -N acctio
#/sbin/ipchains -I input 1 -j acctio
#/sbin/ipchains -I input 1 -j acctin
#/sbin/ipchains -I output 1 -j acctio
#/sbin/ipchains -I output 1 -j acctout
EOF
  ACCOUNTINGPREPARED='YES'
}
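#######################################
# Print the usage text to stderr and exit successfully.
# The text is a quoted-free here-document so that nothing in it is subject to
# word splitting or pathname expansion: the original unquoted
# "echo Usage: $0 [--help]" let the shell treat "[--help]" as a glob, which
# would have been replaced by any single-character file name (-, h, e, l, p)
# present in the working directory.
# Globals:   $0 (read, for the program name)
# Arguments: none
# Outputs:   usage text on stderr
# Returns:   does not return; exits 0
#######################################
usage () {
  cat >&2 <<EOF
Usage: $0 [--help]
This program converts ipfwadm rules to ipchains rules.
Example of use:

cat ipfwadm_rulefile | ipfwadm2ipchains >ipchains_rulefile
echo if [ -f /proc/net/ip_fwchains ]; then >>new_rules
cat ipchains_rulefile >>new_rules
echo elif [ -f /proc/net/ip_input ]; then >>new_rules
cat ipfwadm_rulefile >>new_rules
echo fi >>new_rules

The new_rules file will now work on ipchains and ipfwadm kernels.
EOF
  exit 0
}
# Only an explicit --help as the first argument triggers the usage text; any
# other invocation falls through and reads ipfwadm rules from stdin.
if [ "${1-}" = '--help' ]; then
  usage
fi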
#Per-rule state. CHAINRULE accumulates the ipchains command text, NEXT names
#the kind of bare field expected next (a policy, a port, ...). All of these
#are reset after every output line at the bottom of the loop; CHAIN and
#POLICY are NOT in that reset list, so an input line that omits its
#category (-F/-I/-O) or its policy silently reuses the previous line's.
#COMMENT is assigned but never read.
CHAINRULE='' ; NEXT='' ; MASQ='' ; COMMENT=''
SOURCEPORT='' ; DESTPORT='' ; ACCTDIR='both'
REDIR='' ; REDIRPORT=''
#Start of main loop. Read one ipfwadm rule for processing.
#Each input line is split on whitespace into up to 60 fields F1..F60
#(anything past the 60th field is left in F60 as one string). 'read' is
#used without -r, so backslashes in the input are interpreted, not copied.
while read F1 F2 F3 F4 F5 F6 F7 F8 F9 F10 F11 F12 F13 F14 F15 F16 F17 F18 F19 F20 \
F21 F22 F23 F24 F25 F26 F27 F28 F29 F30 F31 F32 F33 F34 F35 F36 F37 F38 F39 F40 \
F41 F42 F43 F44 F45 F46 F47 F48 F49 F50 F51 F52 F53 F54 F55 F56 F57 F58 F59 F60 ; do #While there is another line of input
#Formerly [ -n "$F1" ] && in the above test
#Walk the fields left to right. Each arm that consumes an option argument
#calls Fshift once per argument it swallows; the Fshift after the case
#drops the option (or bare field) itself. Chain name, policy and accounting
#direction may arrive after the option that needs them, so those arms
#leave ZZ...ZZ placeholders in CHAINRULE that are substituted once the
#whole line has been read.
while [ -n "$F1" ]; do #While there is another field to process in this line
case "$F1" in
/sbin/ipfwadm)
CHAINRULE="$CHAINRULE /sbin/ipchains"
NEXT='' ;;
ipfwadm)
CHAINRULE="$CHAINRULE ipchains"
NEXT='' ;;
*/ipfwadm)
#Any other path ending in /ipfwadm keeps its directory, only the
#basename is swapped.
CHAINRULE="$CHAINRULE `echo $F1 | sed -e 's@/ipfwadm$@/ipchains@'`"
NEXT='' ;;
-A) #Create an accounting rule
#Accounting rules need user-defined chains; SetupAccounting prints the
#(commented) chain-creation block once per run. The direction word that
#follows -A selects acctin/acctout/acctio below.
SetupAccounting
CHAINRULE="$CHAINRULE -A ZZACCTDIRZZ"
NEXT='ACCTDIR' ;;
-F) #Forwarding rule
CHAIN='forward'
NEXT='' ;;
-I) #Input rule
CHAIN='input'
NEXT='' ;;
-O) #Output rule
CHAIN='output'
NEXT='' ;;
-M) #Masquerading administration (used for -l and -s)
CHAINRULE="$CHAINRULE -M"
NEXT='' ;;
-l) #List the rules in this chain
CHAINRULE="$CHAINRULE -L ZZCHAINZZ"
NEXT='' ;;
-s) #Set timeouts for masquerading
#Three timeout values follow; all three are passed through to -S.
CHAINRULE="$CHAINRULE -S $F2 $F3 $F4" ; Fshift ; Fshift ; Fshift
NEXT='' ;;
-a) #Append this rule
CHAINRULE="$CHAINRULE -A ZZCHAINZZ -j ZZPOLICYZZ"
NEXT='POLICY' ;;
-d) #Delete this rule
CHAINRULE="$CHAINRULE -D ZZCHAINZZ -j ZZPOLICYZZ"
NEXT='POLICY' ;;
-i) #Insert this rule
#ipfwadm -i inserts at the head; emitted as an insert at position 1.
CHAINRULE="$CHAINRULE -I ZZCHAINZZ 1 -j ZZPOLICYZZ"
NEXT='POLICY' ;;
-z) #Zero out the counters
CHAINRULE="$CHAINRULE -Z"
NEXT='' ;;
-f) #Flush the rules in this chain
CHAINRULE="$CHAINRULE -F ZZCHAINZZ"
NEXT='' ;;
-p) #Default policy for the chain
CHAINRULE="$CHAINRULE -P ZZCHAINZZ ZZPOLICYZZ"
NEXT='POLICY' ;;
-c) #Check if packet would be accepted or not
CHAINRULE="$CHAINRULE -C"
NEXT='' ;;
-P) #Protocol
#"-P all" is the ipfwadm default and is dropped rather than translated.
if [ "$F2" != "all" ]; then
CHAINRULE="$CHAINRULE -p $F2"
fi
Fshift
NEXT='' ;;
-S) #Specify packet source
#Bare fields after the address are collected as source ports.
CHAINRULE="$CHAINRULE -s $F2" ; Fshift
NEXT='SOURCEPORT' ;;
-D) #Specify packet destination
#Bare fields after the address are collected as destination ports.
CHAINRULE="$CHAINRULE -d $F2" ; Fshift
NEXT='DESTPORT' ;;
-V) #Use this IP address; convert to an IF name.
#The address is mapped to a local interface by scraping ifconfig output:
#the line before the matching "inet addr:" line is taken as the interface
#name. If nothing matches, F2 is resolved with host(1) - a DNS lookup at
#conversion time - and the lookup is retried with the resolved address.
#Both greps embed the unvalidated rule text in the pattern as a regex
#(a '.' in the address matches any character). When no interface is
#found a placeholder name is emitted and the user is told on stderr to
#fix that rule by hand.
HOSTIP="$F2"
IFNAME=`ifconfig | grep -B 1 "inet addr:$HOSTIP" | head -1 | awk '{print $1}'`
if [ -z "$IFNAME" ]; then
HOSTIP=`host -t a $F2 2>/dev/null | grep 'has address' | head -1 | awk '{print $4}'`
if [ -n "$HOSTIP" ]; then
IFNAME=`ifconfig | grep -B 1 "inet addr:$HOSTIP" | head -1 | awk '{print $1}'`
else
echo Unable to find the interface name for $F2 . >/dev/stderr
echo Please convert it by hand. >/dev/stderr
IFNAME="interface_name_for_${F2}"
fi
fi
CHAINRULE="$CHAINRULE -i $IFNAME" ; Fshift
NEXT='' ; IFNAME='' ; HOSTIP='' ;;
-W) #Use this interface
CHAINRULE="$CHAINRULE -i $F2" ; Fshift
NEXT='' ;;
-b) #bidirectional mode
CHAINRULE="$CHAINRULE -b"
NEXT='' ;;
-e) #Extended/verbose output
CHAINRULE="$CHAINRULE -v"
NEXT='' ;;
-k) #Check ack flag
#ipfwadm -k (match only packets with ACK set) is written as the negation
#of ipchains -y (SYN set, ACK clear).
CHAINRULE="$CHAINRULE ! -y"
NEXT='' ;;
-m) #Masquerade this traffic
#Recorded here; it overrides the rule's policy after the line is read.
MASQ='YES' ; NEXT='' ;;
-n) #Numeric output
CHAINRULE="$CHAINRULE -n"
NEXT='' ;;
-o) #log these packets
CHAINRULE="$CHAINRULE -l"
NEXT='' ;;
-r) #REDIRECT to local port
#The optional port is picked up as the next bare field; the policy is
#rewritten to REDIRECT [port] after the line is read.
REDIR='YES'
NEXT='REDIRPORT' ;;
-t) #Set TOS masks
#Two mask values follow and are passed through unchanged.
CHAINRULE="$CHAINRULE -t $F2 $F3"
Fshift ; Fshift
NEXT='' ;;
-v) #Verbose
CHAINRULE="$CHAINRULE -v"
NEXT='' ;;
-x) #Expand numbers
CHAINRULE="$CHAINRULE -x"
NEXT='' ;;
-y) #Syn flag set and ack cleared
CHAINRULE="$CHAINRULE -y"
NEXT='' ;;
\#*) #Append comments verbatim.
#Everything from the first '#'-word to the end of the line is copied
#through, one field at a time, so the original spacing is not preserved.
while [ -n "$F1" ]; do
CHAINRULE="$CHAINRULE $F1"
Fshift
done ;;
*)
#A field that is not an option: interpret it according to what the
#preceding option said to expect.
case "$NEXT" in
'ACCTDIR')
ACCTDIR="$F1" ; NEXT='' ;;
'REDIRPORT')
REDIRPORT="$F1" ; NEXT='' ;;
'SOURCEPORT')
#Several ports may follow one -S; the placeholder is added once and
#the ports are collected, one rule per port being printed later.
if [ -z "`echo $CHAINRULE | grep 'ZZSOURCEPORTZZ'`" ]; then
CHAINRULE="$CHAINRULE ZZSOURCEPORTZZ"
fi
SOURCEPORT="$SOURCEPORT $F1" ;;
"DESTPORT")
if [ -z "`echo $CHAINRULE | grep 'ZZDESTPORTZZ'`" ]; then
CHAINRULE="$CHAINRULE ZZDESTPORTZZ"
fi
DESTPORT="$DESTPORT $F1" ;;
"POLICY")
#Upper-case the policy and canonicalise on its first letter, so
#accept, acc and a all become ACCEPT. A policy whose first letter is
#not A/D/M/R is kept as typed (upper-cased).
POLICY=`echo $F1 | tr a-z A-Z`
case "$POLICY" in
A*) POLICY="ACCEPT" ;;
D*) POLICY="DENY" ;;
M*) POLICY="MASQ" ;;
R*) POLICY="REJECT" ;;
esac
NEXT='' ;;
*) #Just return the field - we don't know what to do.
#Unknown options and stray words are copied through unchanged, so
#anything ipchains does not accept will not be caught here; review the
#generated ruleset before loading it.
CHAINRULE="$CHAINRULE $F1"
NEXT='' ;;
esac
esac
Fshift
done
#Replace Policy, Accounting and Chain placeholders
#-m and -r win over any policy given with -a/-i/-d/-p.
if [ "$MASQ" = "YES" ]; then
POLICY="MASQ"
fi
if [ "$REDIR" = "YES" ]; then
if [ -n "$REDIRPORT" ]; then
POLICY="REDIRECT $REDIRPORT"
else
POLICY="REDIRECT"
fi
fi
#Accounting direction word -> chain name; anything other than in/out
#(including no direction at all) goes to the bidirectional chain.
case "$ACCTDIR" in
'in')
CHAINRULE=`echo $CHAINRULE | sed -e "s/ZZACCTDIRZZ/acctin/g"` ;;
'out')
CHAINRULE=`echo $CHAINRULE | sed -e "s/ZZACCTDIRZZ/acctout/g"` ;;
'both'|''|*)
CHAINRULE=`echo $CHAINRULE | sed -e "s/ZZACCTDIRZZ/acctio/g"` ;;
esac
#The substitutions use '/' as the sed delimiter, so a POLICY or CHAIN
#value containing '/' would break the expression rather than be inserted.
CHAINRULE=`echo $CHAINRULE | sed -e "s/ZZPOLICYZZ/$POLICY/g" \
-e "s/ZZCHAINZZ/$CHAIN/g"`
#Output the rule. Handle looping through multiple source and dest ports
#One ipchains rule is printed per (source port, destination port) pair.
#CHAINRULE is echoed unquoted: runs of blanks collapse (it always starts
#with a space), and a '*' or '?' carried through from a verbatim comment
#is subject to pathname expansion against the working directory. The
#port values are likewise spliced into sed expressions with '/' as the
#delimiter.
if [ -z "$SOURCEPORT" ] && [ -z "$DESTPORT" ]; then #No src/dest ports specified
echo $CHAINRULE
elif [ -n "$SOURCEPORT" ] && [ -z "$DESTPORT" ]; then #>=1 src port, no dest ports
for ONESOURCE in $SOURCEPORT ; do
echo $CHAINRULE | sed -e "s/ZZSOURCEPORTZZ/$ONESOURCE/g"
done
elif [ -z "$SOURCEPORT" ] && [ -n "$DESTPORT" ]; then #no src ports, >=1 dest port
for ONEDEST in $DESTPORT ; do
echo $CHAINRULE | sed -e "s/ZZDESTPORTZZ/$ONEDEST/g"
done
else #>=1 src port and >=1 dest port
for ONESOURCE in $SOURCEPORT ; do
for ONEDEST in $DESTPORT ; do
echo $CHAINRULE | sed -e "s/ZZSOURCEPORTZZ/$ONESOURCE/g" -e "s/ZZDESTPORTZZ/$ONEDEST/g"
done
done
fi
#Reset per-line state for the next rule. CHAIN and POLICY deliberately or
#accidentally survive into the next iteration (see the note at the top).
CHAINRULE='' ; NEXT='' ; MASQ='' ; COMMENT=''
SOURCEPORT='' ; DESTPORT='' ; ACCTDIR='both'
REDIR='' ; REDIRPORT=''
done