I'm replacing a wireless router/firewall running Tomato with a Debian server, and I was excited to have found tomato's iptables config so I could directly import it to the new server (my question before this). The iptables config file (at bottom) from Tomato fails iptables-restore in Debian:
# iptables-restore < iptables.eth0-eth1
iptables-restore v1.4.14: Couldn't load match `mport':No such file or directory
Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Is there a way to get mport into "modern" iptables? Or could you please help me translate mport to multiport?
Googling for iptables mport was pretty rough, but I eventually found someone complaining mport is gone and a multiport tutorial with passing reference to the mport extension, which led to me snooping around the two boxes' filesystems for modules and also trying every "firewall" tool Debian has, wishing for one to magically come with mport. I admit to being quite spoiled by Tomato's user interface -- every Debian package I have tried since has left me more and more confused (gui or cli). If I could get the server to briefly route everything, I think mason might work. No wonder everyone hates iptables.
I spent more time trying to figure out the errors than I should have. Had I spent that much time trying to understand iptables, I probably could have translated the mport rules to multiport. Also, I pondered posting to SuperUser; however, the few iptables-tagged questions weren't in the same league as the ones I'm reading here on ServerFault.
Looking for modules:
I ssh'd into the wireless router with Tomato firmware and found the module libipt_mport.so in /usr/lib/iptables. But in the /lib/modules/2.4.20/kernel/net/ipv4/netfilter directory, there is no libipt_mport.so, only ipt_multiport.o.
On the Debian box (fresh install of wheezy), I used updatedb and locate to search for MASQ (for the MASQUERADE object) and found that the directory /lib/modules/3.2.0-4-amd64/kernel/net/ipv4/netfilter has a good array of iptable_* and nf_nat_* ko files. The search also found libxt_multiport.so in /lib/xtables, but there is no reference to object modules for mport.
Additionally, are there any other problems below? I see the layer 7 stuff and have a feeling this will make for more complications next.
Tomato's config file:
Notes:
» 99.1.81.209 is the WAN ip
» 10.0.0.2 is the ip for this Debian firewall
» 10.0.0.20 is a server
» tomato's public interface vlan0 changed to eth0
» tomato's internal interface br0 changed to eth1
» ports 5060:5090 are for VoIP (probably don't need that whole range?)
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:QOSO - [0:0]
-A QOSO -j CONNMARK --restore-mark --mask 0xff
-A QOSO -m connmark ! --mark 0/0xff00 -j RETURN
-A QOSO -p tcp -m mport --dports 80,443 -m bcount --range 0x0-0x7ffff -j CONNMARK --set-return 0x2/0xFF
-A QOSO -p tcp -m mport --dports 80,443 -m bcount --range 0x80000 -j CONNMARK --set-return 0x4/0xFF
-A QOSO -p udp --dport 53 -m bcount --range 0x0-0x7ff -j CONNMARK --set-return 0x1/0xFF
-A QOSO -p tcp --dport 53 -m bcount --range 0x0-0x7ff -j CONNMARK --set-return 0x1/0xFF
-A QOSO -p udp --dport 53 -m bcount --range 0x800 -j CONNMARK --set-return 0x5/0xFF
-A QOSO -p tcp --dport 53 -m bcount --range 0x800 -j CONNMARK --set-return 0x5/0xFF
-A QOSO -p udp --dport 1024:65535 -j CONNMARK --set-return 0x5/0xFF
-A QOSO -p tcp --dport 1024:65535 -j CONNMARK --set-return 0x5/0xFF
-A QOSO -p udp -m mport --ports 5060:5090 -m layer7 --l7dir /etc/l7-protocols --l7proto sip -j CONNMARK --set-return 0x101/0xFF
-I QOSO -j BCOUNT
-A QOSO -j CONNMARK --set-return 0x4
-A FORWARD -o eth0 -j QOSO
-A OUTPUT -o eth0 -j QOSO
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 10.0.0.2/255.255.255.0 -j DROP
-A PREROUTING -p icmp -d 99.1.81.209 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -p tcp -m tcp -d 99.1.81.209 --dport 22 -j DNAT --to-destination 10.0.0.2:22
-A PREROUTING -p tcp -d 99.1.81.209 --dport 10022 -j DNAT --to-destination 10.0.0.20:22
-A POSTROUTING -p tcp --dport 22 -s 10.0.0.2/255.255.255.0 -d 10.0.0.20 -j SNAT --to-source 99.1.81.209
:upnp - [0:0]
-A PREROUTING -d 99.1.81.209 -j upnp
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -d 99.1.81.209 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-N shlimit
-A shlimit -m recent --set --name shlimit
-A shlimit -m recent --update --hitcount 3 --seconds 60 --name shlimit -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j shlimit
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -d 10.0.0.2 --dport 22 -j ACCEPT
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
:L7in - [0:0]
-A FORWARD -i eth0 -j L7in
-A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto sip -j RETURN
:wanin - [0:0]
:wanout - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j wanin
-A FORWARD -o eth0 -j wanout
-A FORWARD -i eth1 -j ACCEPT
:upnp - [0:0]
-A FORWARD -i eth0 -j upnp
-A wanin -p tcp -m tcp -d 10.0.0.20 --dport 22 -j ACCEPT
COMMIT
AFAIK, the parameters for the multiport module are identical to the parameters for the mport module you've shown. Try a simple search-and-replace:
PS: Certainly not everyone hates iptables; I personally LOVE iptables ;-)
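A scripted version of that search-and-replace, as an added example (not code from the question, the answer, Tomato or Debian). It assumes the iptables-save format shown in the question and embeds a constructed excerpt of the *mangle table as sample input. Beyond the plain rename it applies two checks a practitioner wants before running iptables-restore on a firewall: multiport accepts at most 15 ports per rule (a range counts as two), and the bcount and layer7 matches in the same rules come from Tomato's patched kernel and are not available on a stock Debian kernel either, so iptables-restore would stop on them next even once mport is gone. The script names mport2multiport.py and the TOMATO_ONLY_MATCHES set are assumptions of this example.

```python
#!/usr/bin/env python3
"""Rewrite Tomato 'mport' matches as 'multiport' for iptables-restore on Debian.

Added example: not code from the question, the answer, Tomato or Debian.
It assumes input in the iptables-save format shown in the question.
"""
import re
import sys

# Matches that come from Tomato's patched kernel and are not part of a stock
# Debian kernel or iptables; the question's ruleset uses both (assumed set).
TOMATO_ONLY_MATCHES = {"bcount", "layer7"}

# The multiport match takes at most 15 ports; a range "a:b" counts as two.
MULTIPORT_MAX = 15

MPORT_RE = re.compile(r"-m mport\s+(--(?:dports|sports|ports))\s+(\S+)")
MATCH_RE = re.compile(r"(?:^|\s)-m\s+(\S+)")

# Constructed excerpt of the question's *mangle table (the two rules using mport).
SAMPLE = """*mangle
:QOSO - [0:0]
-A QOSO -p tcp -m mport --dports 80,443 -m bcount --range 0x0-0x7ffff -j CONNMARK --set-return 0x2/0xFF
-A QOSO -p udp -m mport --ports 5060:5090 -m layer7 --l7dir /etc/l7-protocols --l7proto sip -j CONNMARK --set-return 0x101/0xFF
COMMIT
"""


def port_slots(spec):
    """Number of multiport slots a port list such as '80,443' or '5060:5090' uses."""
    return sum(2 if ":" in p else 1 for p in spec.split(","))


def translate_rule(line):
    """Translate one rule line; return (new_line, warnings)."""
    warnings = []

    def repl(m):
        opt, spec = m.group(1), m.group(2)
        used = port_slots(spec)
        if used > MULTIPORT_MAX:
            warnings.append(f"multiport limit: {spec!r} needs {used} slots, max {MULTIPORT_MAX}")
        return f"-m multiport {opt} {spec}"

    new_line = MPORT_RE.sub(repl, line)
    # After the rename, flag every remaining match the target box cannot load.
    for name in MATCH_RE.findall(new_line):
        if name in TOMATO_ONLY_MATCHES:
            warnings.append(f"match '{name}' is not available on stock Debian")
    return new_line, warnings


def translate_ruleset(text):
    """Translate a whole dump; return (new_text, [(line_number, warning), ...])."""
    out, report = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith(("#", "*", ":", "COMMIT")):
            out.append(line)  # comments, table headers, chain declarations, COMMIT
            continue
        new_line, warnings = translate_rule(line)
        out.append(new_line)
        report.extend((n, w) for w in warnings)
    return "\n".join(out) + "\n", report


if __name__ == "__main__":
    # Usage: python3 mport2multiport.py iptables.eth0-eth1 > iptables.debian
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    new_text, report = translate_ruleset(src)
    sys.stdout.write(new_text)
    for n, w in report:
        print(f"line {n}: {w}", file=sys.stderr)
```

The translated ruleset goes to stdout and the warnings to stderr, so the output file stays a clean iptables-restore input while the lines that still need manual attention (here the bcount and layer7 rules, which carry the QoS marking and SIP detection) are listed separately with their line numbers.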