.\"
.\" (C) Copyright 2018, Arturo Borrero Gonzalez <arturo@netfilter.org>
.\"
.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" the License, or (at your option) any later version.
.\"
.\" The GNU General Public License's references to "object code"
.\" and "executables" are to be interpreted as the output of any
.\" document formatting or typesetting system, including
.\" intermediate and printed output.
.\"
.\" This manual is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
.\" License along with this manual; if not, see
.\" <http://www.gnu.org/licenses/>.
.\" %%%LICENSE_END
.\"
.TH IPTABLES-TRANSLATE 8 "May 14, 2019"

.SH NAME
iptables-translate \(em translation tool to migrate from iptables to nftables
.P
ip6tables-translate \(em translation tool to migrate from ip6tables to nftables
.SH DESCRIPTION
There is a set of tools to help the system administrator translate a given
ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP.

The available commands are:

.IP \[bu] 2
iptables-translate
.IP \[bu]
iptables-restore-translate
.IP \[bu] 2
ip6tables-translate
.IP \[bu]
ip6tables-restore-translate

.SH USAGE
They take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP syntax and
output the native \fBnftables(8)\fP syntax.

The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax
produced by \fBiptables-save(8)\fP. Likewise, the
\fBip6tables-restore-translate\fP tool reads one produced by
\fBip6tables-save(8)\fP. Neither tool modifies the ruleset loaded in the
kernel; they are text converters only, and their output still has to be
loaded with \fBnft(8)\fP.

The \fBiptables-translate\fP tool reads a command line as if it were entered
to \fBiptables(8)\fP, and \fBip6tables-translate\fP reads a command line as if
it were entered to \fBip6tables(8)\fP.

.SH EXAMPLES
Basic operation examples.

Single command translation:

.nf
root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept

root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
.fi

Whole ruleset translation:

.nf
root@machine:~# iptables-save > save.txt
root@machine:~# cat save.txt
# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
*filter
:INPUT ACCEPT [5166:1752111]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5058:628693]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:26:40 2016

root@machine:~# iptables-restore-translate -f save.txt
# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter FORWARD tcp dport 22 ct state new counter accept

root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
root@machine:~# nft -f ruleset.nft
root@machine:~# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
		tcp dport ssh ct state new counter packets 0 bytes 0 accept
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}
.fi


.SH LIMITATIONS
A few extensions may not be supported, or not be fully supported, for whatever
reason (for example, they were considered obsolete, or we did not have the time
to work on them).

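The whole-ruleset walkthrough in EXAMPLES and the unsupported-extensions
caveat just above both call for one check before \fBnft -f\fP is run on a
translated file. The script below is an added example; it is not part of
iptables or nftables. It assumes that a rule the translator could not convert
survives in the output as a comment line that still carries the iptables
\fB-A\fP syntax (confirm that marker against your iptables version), and its
sample input is constructed here, not captured from a real host. It flags such
leftovers, compares the number of \fB-A\fP rules in the iptables-save dump with
the number of \fBadd rule\fP lines in the translation, and, because the chain
definitions in the example above carry no policy, reports any chain whose
iptables policy was DROP but whose translated chain does not declare
\fBpolicy drop\fP.

```shell
#!/bin/sh
# Added example, not part of the iptables package: sanity-check the output of
# iptables-restore-translate before handing it to "nft -f".
#
# Assumption (confirm against your iptables version): a rule the translator
# cannot convert is not dropped silently but kept in the output as a comment
# that still carries the original "-A <chain> ..." text, e.g.
#   # -A INPUT -m some-ext ... -j ACCEPT
# The chain-policy check relies only on the formats shown in this manual page.

# Print, with line numbers, comment lines that still look like iptables rules.
# Exit status 0 if any were found, 1 if none (grep semantics).
find_untranslated() {
    grep -nE '^[[:space:]]*(nft[[:space:]]+)?#[[:space:]]*-A[[:space:]]+[A-Za-z0-9_-]+' "$1"
}

# Number of "-A" rules in an iptables-save dump.
count_saved_rules() {
    grep -cE '^-A[[:space:]]' "$1" || true
}

# Number of "add rule" lines in translated output.
count_translated_rules() {
    grep -cE '^add rule[[:space:]]' "$1" || true
}

# A chain whose iptables policy is DROP must say "policy drop;" in its
# translated "add chain" line; an nftables base chain defaults to accept.
# Prints the name of every chain where that declaration is missing.
find_policy_gaps() {
    saved="$1"; translated="$2"
    awk '$1 ~ /^:/ && $2 == "DROP" { sub(/^:/, "", $1); print $1 }' "$saved" |
    while read -r chain; do
        if ! grep -qE "^add chain [a-z0-9]+ [A-Za-z0-9_-]+ $chain .*policy drop;" "$translated"; then
            echo "$chain"
        fi
    done
}

# Full check: no untranslated leftovers, matching rule counts, no policy gaps.
# $1 = iptables-save dump, $2 = iptables-restore-translate output.
verify_translation() {
    saved="$1"; translated="$2"
    if leftovers=$(find_untranslated "$translated"); then
        printf 'untranslated rules in %s:\n%s\n' "$translated" "$leftovers" >&2
        return 1
    fi
    n_saved=$(count_saved_rules "$saved")
    n_translated=$(count_translated_rules "$translated")
    if [ "$n_saved" -ne "$n_translated" ]; then
        printf 'rule count mismatch: %s saved, %s translated\n' "$n_saved" "$n_translated" >&2
        return 1
    fi
    gaps=$(find_policy_gaps "$saved" "$translated")
    if [ -n "$gaps" ]; then
        printf 'DROP policy not carried over for chain(s): %s\n' "$gaps" >&2
        return 1
    fi
    echo "ok: $n_translated rules translated"
}

# Constructed sample input (not captured from a real system): a two-rule
# iptables-save dump, a complete translation of it, and a translation where
# one rule came through as a comment and the INPUT policy was lost.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/save.txt" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p udp -m multiport --dports 111,222 -j ACCEPT
COMMIT
EOF
cat > "$tmp/good.nft" <<'EOF'
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter INPUT tcp dport 22 ct state new counter accept
add rule ip filter FORWARD meta l4proto udp udp dport { 111,222} counter accept
EOF
cat > "$tmp/bad.nft" <<'EOF'
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add rule ip filter INPUT tcp dport 22 ct state new counter accept
# -A FORWARD -p udp -m multiport --dports 111,222 -j ACCEPT
EOF

verify_translation "$tmp/save.txt" "$tmp/good.nft"
verify_translation "$tmp/save.txt" "$tmp/bad.nft" || echo "bad translation rejected, as intended"
```

In a real migration, source the script and call
\fBverify_translation save.txt ruleset.nft\fP right after
\fBiptables-restore-translate -f save.txt > ruleset.nft\fP, then run
\fBnft -c -f ruleset.nft\fP so that \fBnft(8)\fP parses the file without
loading it, and only then \fBnft -f ruleset.nft\fP. A leftover rule or a
missing DROP policy means the translated ruleset is more permissive than the
original, so the check should fail the migration rather than warn.
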
There are no translations available for \fBebtables(8)\fP and
\fBarptables(8)\fP.

To get up-to-date information about this, please head to
\fBhttps://wiki.nftables.org/\fP.

.SH SEE ALSO
\fBnft(8)\fP, \fBiptables(8)\fP

.SH AUTHORS
The nftables framework is written by the Netfilter project
(https://www.netfilter.org).

This manual page was written by Arturo Borrero Gonzalez
<arturo@netfilter.org>.

This documentation is free/libre under the terms of the GPLv2+.