==========================
iptables-converter - intro
==========================

Assume a plain file with following contents::

    iptables -F
    iptables -t nat -F
    iptables -N USER_CHAIN
    iptables -A INPUT -p tcp --dport 23 -j ACCEPT
    iptables -A USER_CHAIN -p icmp -j DROP
    iptables -P INPUT DROP
    iptables -t nat -A POSTROUTING -s 10.0.0.0/21 -p tcp --dport   80 -j SNAT --to-source 192.168.1.15
    iptables -t nat -A PREROUTING  -d 192.0.2.5/32 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.5:1500

As times goes by, the script will grow. The more lines the longer will it take to be loaded.
There should be a quicker way of getting things done. Using iptables-save we easily can save the 
actual ruleset from the kernel to a file. To load it's content into the kernel again is a very quick
action compared to the loading of the originating shellscript. So the idea came up to have a
converter just for saving time.

**iptables-converter** by default reads a file **rules**, using comandline parameter ``-s`` any other
file. After having read completely, output is written to stdout for full flexibility. 
Given the above file as input the following is printed out::

    *raw
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    COMMIT
    *nat
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -d 192.0.2.5/32 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.5:1500 
    -A POSTROUTING -s 10.0.0.0/21 -p tcp --dport 80 -j SNAT --to-source 192.168.1.15 
    COMMIT
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]
    :USER_CHAIN - [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p tcp --dport 23 -j ACCEPT 
    -A USER_CHAIN -p icmp -j DROP 
    COMMIT

As a file this might be read by iptables-restore, which works immediately.

As the file read is not interpreted in any way, there are few known errorconditions:

  #) the file contains some shell variables, indicated by '$',
     this leads to an errormessage and exits immediately with returncode 1.
  #) the file contains some shell functions, indicated by '(' and/or ')',
     this leads to an errormessage and exits immediately with returncode 1.

If you have such a file, and oyu want to speed up by converting, please 
execute it and feed the output as a file to iptables-converter.   


iptables-converter does some error-checking while reading input. 
Just to mention it: **iptables -E xyz** and **iptables -L** are not implemented and throw exceptions for now!
