  1. #1

    Migrating a firewall from CL8 to CL10

    Folks, I have a huge problem. I had a firewall running fine on Conectiva 8, but I had to migrate to Conectiva 10, and now I have a problem with the firewall rules. See the example:

    Conectiva 8

    # Generated by iptables-save v1.2.9 on Mon Dec 15 20:50:37 2003
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    # INBOUND DNAT
    -A PREROUTING -p tcp -d 200.253.101.131 --dport 5900 -j DNAT --to-destination 192.168.0.18
    -A PREROUTING -p udp -d 200.253.101.131 --dport 5800 -j DNAT --to-destination 192.168.0.18
    #
    # Squid # ETH0 (EXAMPLE: USE THE INTERFACE OF YOUR INTERNAL NETWORK)
    -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    #
    # MASQUERADE (OUTBOUND ON ETH1, THE INTERNET INTERFACE)
    -A POSTROUTING -o eth1 -j MASQUERADE
    #
    COMMIT
    # Completed on Mon Dec 15 20:50:37 2003
    # Generated by iptables-save v1.2.9 on Mon Dec 15 20:50:37 2003
    *mangle
    :PREROUTING ACCEPT [9:1243]
    :INPUT ACCEPT [9:1243]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10:3755]
    :POSTROUTING ACCEPT [10:3755]
    COMMIT
    # Completed on Mon Dec 15 20:50:37 2003
    # Generated by iptables-save v1.2.9 on Mon Dec 15 20:50:37 2003
    *filter
    :FORWARD ACCEPT [0:0]
    :Block - [0:0]
    :INPUT ACCEPT [0:0]
    :Users - [0:0]
    :OUTPUT ACCEPT [0:0]
    # ALLOW EXTERNAL ACCESS
    -A INPUT -p tcp -i eth1 --dport 5900 -j ACCEPT
    -A INPUT -p udp -i eth1 --dport 5900 -j ACCEPT
    -A INPUT -p udp -i eth1 --dport 5800 -j ACCEPT
    -A INPUT -p tcp -i eth1 --dport 5800 -j ACCEPT
    -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
    -A INPUT -p udp -i eth1 --dport 22 -j ACCEPT
    # DNS
    #-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    #-A INPUT -p udp -m udp --dport 53 -j ACCEPT
    # SSH
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p udp -m udp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -j Users
    -A INPUT -j Block
    # COMPLEMENTARY FORWARD RULES FOR PCANYWHERE
    -A FORWARD -i eth1 -p tcp --dport 5800 -j ACCEPT
    -A FORWARD -i eth1 -p udp --dport 5800 -j ACCEPT
    -A FORWARD -i eth1 -p tcp --dport 5900 -j ACCEPT
    -A FORWARD -i eth1 -p udp --dport 5900 -j ACCEPT
    -A FORWARD -p icmp --icmp-type echo-request -j DROP
    -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    # (the "unclean" match is experimental and not available on every kernel)
    -A FORWARD -m unclean -j DROP
    -A FORWARD -j Block
    #
    # EXTERNAL CONNECTIONS ON ETH1 (INTERNET INTERFACE)
    -A Block -m state -i eth1 --state NEW -j DROP
    #
    # Accept already-established connections
    -A Block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FTP / SSH / Telnet / SMTP
    -A Block -p tcp -m tcp --dport 20:25 -j ACCEPT
    -A Block -p udp -m udp --dport 20:25 -j ACCEPT
    # DNS
    -A Block -p tcp -m tcp --dport 53 -j ACCEPT
    -A Block -p udp -m udp --dport 53 -j ACCEPT
    # http
    -A Block -p tcp -m tcp --dport 80 -j ACCEPT
    -A Block -p udp -m udp --dport 80 -j ACCEPT
    # Pop-3
    -A Block -p tcp -m tcp --dport 110 -j ACCEPT
    -A Block -p udp -m udp --dport 110 -j ACCEPT
    # https
    -A Block -p tcp -m tcp --dport 443 -j ACCEPT
    -A Block -p udp -m udp --dport 443 -j ACCEPT
    # Proxy
    -A Block -p tcp -m tcp --dport 3128 -j ACCEPT
    -A Block -p udp -m udp --dport 3128 -j ACCEPT
    # High ports, general
    -A Block -p tcp -m tcp --dport 1024:65535 -j ACCEPT
    -A Block -p udp -m udp --dport 1024:65535 -j ACCEPT
    # =========== ADMIN level =============
    # ALLOW RULE
    -A Users -m mac -s 192.168.252.228 --mac-source 00:40:f4:ab:0c:cf -j RETURN
    #
    # BLOCK RULE
    -A Users -m mac -s 192.168.252.228 --mac-source 00:40:f4:ab:0c:cf -j DROP
    #
    -A Block -j DROP
    -A Users -j DROP
    COMMIT
    # Completed on Mon Dec 15 20:50:37 2003

    Now I can't load these rules on Conectiva 10 without getting errors.
    Can someone update these rules for us? It will help others too.
    Last edited by fsoaress76; 26-10-2006 at 08:35.

  2. #2


    Two small things:

    a) "Now I can't load these rules on Conectiva 10 without getting errors." If you don't say what the errors are, how can you expect any help?

    b) Swapping something very obsolete for something else that is also obsolete... CL-8 to CL-10... I don't see much point in that.

  3. #3

    Sorry there, "irado".
    Correcting: when I start iptables, the list below appears

    ./iptables: line 2: *nat: command not found
    ./iptables: line 3: :PREROUTING: command not found
    ./iptables: line 4: :OUTPUT: command not found
    ./iptables: line 5: :POSTROUTING: command not found
    ./iptables: line 7: -A: command not found
    ./iptables: line 8: -A: command not found
    ./iptables: line 11: -A: command not found
    ./iptables: line 14: -A: command not found
    ./iptables: line 16: COMMIT: command not found
    ./iptables: line 19: *mangle: command not found
    ./iptables: line 20: :PREROUTING: command not found
    ./iptables: line 21: :INPUT: command not found
    ./iptables: line 22: :FORWARD: command not found
    ./iptables: line 23: :OUTPUT: command not found
    ./iptables: line 24: :POSTROUTING: command not found
    ./iptables: line 25: COMMIT: command not found
    ./iptables: line 28: *filter: command not found
    ./iptables: line 29: :FORWARD: command not found
    ./iptables: line 30: :Block: command not found
    ./iptables: line 31: :INPUT: command not found
    ./iptables: line 32: :Users: command not found
    ./iptables: line 33: :OUTPUT: command not found
    ./iptables: line 35: -A: command not found
    ./iptables: line 36: -A: command not found
    ./iptables: line 37: -A: command not found
    ./iptables: line 38: -A: command not found
    ./iptables: line 39: -A: command not found
    ./iptables: line 40: -A: command not found
    ./iptables: line 45: -A: command not found
    ./iptables: line 46: -A: command not found
    ./iptables: line 47: -A: command not found
    ./iptables: line 48: -A: command not found
    ./iptables: line 49: -A: command not found
    ./iptables: line 50: -A: command not found
    ./iptables: line 51: -A: command not found
    ./iptables: line 53: -A: command not found
    ./iptables: line 54: -A: command not found
    ./iptables: line 55: -A: command not found
    ./iptables: line 56: -A: command not found
    ./iptables: line 57: -A: command not found
    ./iptables: line 58: -A: command not found
    ./iptables: line 59: -A: command not found
    ./iptables: line 60: -A: command not found
    ./iptables: line 61: -A: command not found
    ./iptables: line 64: -A: command not found
    ./iptables: line 67: -A: command not found
    ./iptables: line 69: -A: command not found
    ./iptables: line 70: -A: command not found
    ./iptables: line 72: -A: command not found
    ./iptables: line 73: -A: command not found
    ./iptables: line 75: -A: command not found
    ./iptables: line 76: -A: command not found
    ./iptables: line 78: -A: command not found
    ./iptables: line 79: -A: command not found
    ./iptables: line 81: -A: command not found
    ./iptables: line 82: -A: command not found
    ./iptables: line 84: -A: command not found
    ./iptables: line 85: -A: command not found
    ./iptables: line 87: -A: command not found
    ./iptables: line 88: -A: command not found
    ./iptables: line 91: -A: command not found
    ./iptables: line 94: -A: command not found
    ./iptables: line 96: -A: command not found
    ./iptables: line 97: -A: command not found
    ./iptables: line 98: -A: command not found
    ./iptables: line 99: COMMIT: command not found

  4. #4


    "/iptables: line 2: *nat: command not found
    ./iptables: line 3: :PREROUTING: command not found
    ./iptables: line 4: :OUTPUT: command not found
    ./iptables: line 5: :POSTROUTING: command not found
    ./iptables: line 7: -A: command not found
    "
    Well, everything indicates that iptables is not installed, or is not in the path. Check:

    whereis iptables

  5. #5

    According to the command, here is the answer:

    # whereis iptables

    /usr/sbin/iptables /usr/lib/iptables /usr/share/man/man8/iptables.8.gz

  6. #6

    Greetings, friends.

    fsoaress76, from what I can see, you ran iptables-save and sent its output to a file. To restore those rules you must use iptables-restore, not simply execute the file that iptables-save produced.

    iptables-restore < iptables

    I think that is the solution.
    Regards
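The last reply names the actual cause of the errors in post #3: an iptables-save dump is input for iptables-restore, not a shell script, so when it is executed directly the shell looks for commands called "*nat", ":PREROUTING" and "-A" and reports "command not found" for every one of them. The script below is an added example and is not code from this thread. It is a small POSIX shell helper with two functions of my own naming: is_save_format tells an iptables-save dump apart from a shell script by looking at its first non-comment line, and save2script converts a dump into one "iptables -t TABLE ..." command per line for anyone who really does want a runnable script. The dump it works on is a constructed sample, not the poster's rules.

```shell
#!/bin/sh
# Added example (not from the thread): recognise iptables-save format and
# convert it into plain iptables commands. Pure POSIX sh + awk, no iptables
# binary needed to run it.

# Exit 0 if FILE looks like iptables-save output, i.e. the first line that is
# neither blank nor a comment is a "*table" header; exit 1 otherwise
# (shell scripts start with "#!" or "iptables ...", never with "*").
is_save_format() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { found = 1; ok = ($1 ~ /^\*/); exit }
        END { exit (found && ok) ? 0 : 1 }
    ' "$1"
}

# Read iptables-save format on stdin, write one command per line on stdout:
#   "*nat"                 -> remembers the current table
#   ":Chain - [c:b]"       -> user-defined chain:  iptables -t TABLE -N Chain
#   ":Chain POLICY [c:b]"  -> built-in chain:      iptables -t TABLE -P Chain POLICY
#   "-A Chain ..."         -> rule:                iptables -t TABLE -A Chain ...
# Comments, blank lines and COMMIT carry no rule and are dropped.
save2script() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^\*/ { table = substr($1, 2); next }
        /^:/ {
            chain = substr($1, 2)
            if ($2 == "-") printf "iptables -t %s -N %s\n", table, chain
            else           printf "iptables -t %s -P %s %s\n", table, chain, $2
            next
        }
        /^COMMIT/ { next }
        /^-/ { printf "iptables -t %s %s\n", table, $0; next }
    '
}

# Constructed sample dump in iptables-save format (a cut-down two-table ruleset
# in the same shape as the one posted above; the counters are made up).
sample_dump() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample for this example)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:Block - [0:0]
-A INPUT -j Block
-A Block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A Block -j DROP
COMMIT
EOF
}

# Usage (typed by hand, not run automatically when this file is sourced):
#   is_save_format /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
#   save2script < /etc/sysconfig/iptables > firewall.sh
#   sample_dump | save2script        # prints the 9 commands for the sample above
```

Loading the poster's file with "iptables-restore < iptables" remains the right fix; the converter is for reading a dump as commands or for people who maintain their firewall as a script. One difference worth knowing before switching between the two: iptables-restore flushes each table the file defines before loading it (unless run with -n / --noflush), while a converted script only appends, so run "iptables -F" and "iptables -t nat -F" first or you will end up with every rule twice.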