Hi, again, folks,

I'm trying to convert a number of iptables rules to firewalld rich rules. I need to do this because this is, in fact, a firewall, to protect access to servers with sensitive data. It will limit access to the servers behind it to a specific network, and nobody else, and allow only certain services through.

What I've been trying to find is a script/program that converts the output of iptables-save to something I can feed to firewall-cmd. Anyone have a link to such?

I admit this is annoying. Why is it, when some New Kewl thing is introduced, it *always* expects you to start anew, rather than giving you a tool to convert what you had? I ran into this 15 years ago, trying to put an existing website into bricolage (early CMS), and here I am, trying to do this.

Anyway, any links would be appreciated.

mark
On 1/30/19 12:40 PM, mark wrote:
> What I've been trying to find is a script/program that converts the
> output of iptables-save to something I can feed to firewall-cmd.
> Anyone have a link to such?

None that I know of. It might be easier for you to convert existing rules to "direct" rules than "rich" rules.
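To make the "direct" versus "rich" choice concrete, here is an added example (my own code, not anything from this thread or from the firewalld project) that reads an iptables-save dump and emits the firewall-cmd commands for both strategies. The ruleset, the zone names and the function names are constructed for the example. A direct rule passes the iptables arguments through argument-for-argument, so every rule can be translated and the original order is preserved through the per-chain priority number; a rich rule only exists for the source/destination/port/action subset, so that strategy hands back the rules it cannot express instead of silently mixing the two. Mixing would reorder the ruleset: in firewalld's iptables backend the INPUT_direct chain is consulted before the zone chains, so a catch-all direct "-j DROP" would shadow every rich accept. Chain default policies are also reported rather than translated; in firewalld that is the zone target's job.

```python
"""Translate an iptables-save dump into firewall-cmd commands (example code)."""
import shlex

# Constructed sample ruleset; not taken from the original post.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 8000:8100 -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -d 198.51.100.10/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

RICH_ACTIONS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def parse_iptables_save(text):
    """Return (rules, policies); a rule is (table, chain, argv)."""
    rules, policies, table = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies.append((table, chain, policy))
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.append((table, argv[1], argv[2:]))
        else:
            raise ValueError(f"unhandled iptables-save line: {line!r}")
    return rules, policies


def to_direct(table, chain, argv, priority, family="ipv4"):
    """Direct rule: the iptables arguments are passed through unchanged."""
    return (f"firewall-cmd --permanent --direct --add-rule {family} {table} "
            f"{chain} {priority} " + " ".join(shlex.quote(a) for a in argv))


def to_rich(table, chain, argv, zone, family="ipv4"):
    """Rich rule for a simple filter/INPUT rule, or None if not expressible."""
    if table != "filter" or chain != "INPUT" or len(argv) % 2 == 1:
        return None
    opts = dict(zip(argv[::2], argv[1::2]))  # every supported token is flag+value
    allowed = {"-s", "-d", "-p", "-m", "--dport", "--sport", "-j"}
    if set(opts) - allowed or opts.get("-m", "tcp") not in ("tcp", "udp"):
        return None  # -i/-o, conntrack, limit, ... have no rich-rule form
    action = RICH_ACTIONS.get(opts.get("-j"))
    proto = opts.get("-p")
    ports = {k: opts[k].replace(":", "-") for k in ("--dport", "--sport") if k in opts}
    if action is None or not ({"-s", "-d"} & set(opts) or ports):
        return None  # a bare "-j DROP" is the zone target's job, not a rich rule
    if ports and proto not in ("tcp", "udp", "sctp", "dccp"):
        return None
    parts = [f'rule family="{family}"']
    if "-s" in opts:
        parts.append(f'source address="{opts["-s"]}"')
    if "-d" in opts:
        parts.append(f'destination address="{opts["-d"]}"')
    if "--dport" in ports:
        parts.append(f'port port="{ports["--dport"]}" protocol="{proto}"')
    if "--sport" in ports:
        parts.append(f'source-port port="{ports["--sport"]}" protocol="{proto}"')
    if proto and not ports:
        parts.append(f'protocol value="{proto}"')
    parts.append(action)
    rich = shlex.quote(" ".join(parts))
    return f"firewall-cmd --permanent --zone={zone} --add-rich-rule={rich}"


def convert(text, zone="public", prefer_rich=False):
    """Return (commands, leftovers). Direct mode translates every rule in order;
    rich mode translates what the rich grammar can express and returns the rest
    untranslated instead of mixing in direct rules (which would run first)."""
    rules, policies = parse_iptables_save(text)
    commands, leftovers, prio = [], [], {}
    for table, chain, argv in rules:
        rich = to_rich(table, chain, argv, zone) if prefer_rich else None
        if rich:
            commands.append(rich)
        elif prefer_rich:
            leftovers.append(f"-A {chain} " + " ".join(argv))
        else:
            prio[table, chain] = prio.get((table, chain), 0) + 1
            commands.append(to_direct(table, chain, argv, prio[table, chain]))
    for table, chain, policy in policies:
        leftovers.append(f":{chain} {policy} (chain policy: set the zone target, "
                         "or keep a final direct DROP rule; not a rich rule)")
    return commands, leftovers


if __name__ == "__main__":
    for prefer_rich in (False, True):
        print(f"# strategy: {'rich' if prefer_rich else 'direct'}")
        cmds, left = convert(SAMPLE_IPTABLES_SAVE, prefer_rich=prefer_rich)
        print("\n".join(cmds))
        for item in left:
            print("# not converted:", item)
```

Run it and feed the direct-mode output to a shell, then `firewall-cmd --reload`; the direct rules reproduce the original ruleset exactly, at the cost of bypassing zone logic for those chains. The rich-mode output is the one to review by hand: the leftovers (loopback, conntrack, FORWARD, the final DROP) map to things firewalld already does in its own chains or to the zone target, not to rich rules.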
> Hi, again, folks,
>
> I'm trying to convert a number of iptables rules to firewalld rich
> rules. I need to do this, because this is, in fact, a firewall, to
> protect access to servers with sensitive data. It will limit access to
> the servers behind it to a specific network, and nobody else, and allow
> only certain services through.
>
> What I've been trying to find is a script/program that converts the
> output of iptables-save to something I can feed to firewall-cmd.
> Anyone have a link to such?
>
> I admit this is annoying. Why is it, when some New Kewl thing is
> introduced, it *always* expects you to start anew, rather than giving
> you a tool to convert what you had. I ran into this 15 years ago,
> trying to put an existing website into bricolage (early CMS), and here
> I am, trying to do this.
>
> Anyway, any links would be appreciated.

Did you look at Shorewall? IMHO that's what is best used in such situations and it has worked for many years now. http://www.shorewall.org/

Regards,
Simon
On 1/30/19 10:05 PM, Simon Matter via CentOS wrote:
> Did you look at Shorewall? IMHO that's what is best used in such
> situations and it works since many years now.

shorewall doesn't support nftables, which is largely the point of firewalld: the Linux firewall system is currently undergoing yet another deprecation and migration from iptables to nftables. firewalld should remain stable during the migration process. As far as I know, there are no plans to support nftables under shorewall, so new users will most likely throw away any investment they make in learning and implementing shorewall.