如何将` `iptables -S`输出转换为宽度第一清单
如何将` `iptables -S`输出转换为宽度第一清单
提问于 2019-04-03 20:00:37
我正在寻找一个程序,它接受iptables -S的输出并将其转换为宽度第一清单。
为什么?我正在使用VyOS在一个路由器上做一些工作,其中几个表层是预先安装的,因此很难追溯所有连接到输入、转发和输出的规则。
根据@JeffSchaller 's的说法,下面是需要分析的示例输出:
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LAN1_IN
-N MINIUPNPD
-N UBNT_FW_IN_SUSPEND_HOOK
-N UBNT_PFOR_FW_HOOK
-N UBNT_PFOR_FW_RULES
-N UBNT_VPN_IPSEC_FW_HOOK
-N UBNT_VPN_IPSEC_FW_IN_HOOK
-N VYATTA_FW_IN_HOOK
-N VYATTA_FW_LOCAL_HOOK
-N VYATTA_FW_OUT_HOOK
-N VYATTA_POST_FW_FWD_HOOK
-N VYATTA_POST_FW_IN_HOOK
-N VYATTA_POST_FW_OUT_HOOK
-N WAN_IN
-N WAN_LOCAL
-N WAN_OUT
-A INPUT -j UBNT_VPN_IPSEC_FW_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j MINIUPNPD
-A FORWARD -j UBNT_VPN_IPSEC_FW_IN_HOOK
-A FORWARD -j UBNT_PFOR_FW_HOOK
-A FORWARD -j UBNT_FW_IN_SUSPEND_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A LAN1_IN -m comment --comment LAN1_IN-10 -m state --state INVALID -j LOG --log-prefix "[LAN1_IN-10-D]"
-A LAN1_IN -m comment --comment LAN1_IN-10 -m state --state INVALID -j DROP
-A LAN1_IN -p udp -m comment --comment LAN1_IN-20 -m udp --dport 53 -m set --match-set dnsaddr dst -j RETURN
-A LAN1_IN -p udp -m comment --comment LAN1_IN-30 -m set --match-set dnsaddr src -m udp --dport 53 -j RETURN
-A LAN1_IN -m comment --comment LAN1_IN-60 -m state --state NEW -j RETURN
-A LAN1_IN -m comment --comment LAN1_IN-70 -m state --state RELATED -j RETURN
-A LAN1_IN -m comment --comment LAN1_IN-80 -m state --state ESTABLISHED -j RETURN
-A LAN1_IN -m comment --comment "LAN1_IN-10000 default-action drop" -j LOG --log-prefix "[LAN1_IN-default-D]"
-A LAN1_IN -m comment --comment "LAN1_IN-10000 default-action drop" -j DROP
-A VYATTA_FW_IN_HOOK -i eth0 -j WAN_IN
-A VYATTA_FW_IN_HOOK -i eth1 -j LAN1_IN
-A VYATTA_FW_LOCAL_HOOK -i eth0 -j WAN_LOCAL
-A VYATTA_FW_OUT_HOOK -o eth0 -j WAN_OUT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A WAN_IN -m comment --comment WAN_IN-10 -m state --state ESTABLISHED -j RETURN
-A WAN_IN -m comment --comment WAN_IN-20 -m state --state RELATED -j RETURN
-A WAN_IN -m comment --comment WAN_IN-30 -m state --state INVALID -j LOG --log-prefix "[WAN_IN-30-D]"
-A WAN_IN -m comment --comment WAN_IN-30 -m state --state INVALID -j DROP
-A WAN_IN -m comment --comment "WAN_IN-10000 default-action drop" -j DROP
-A WAN_LOCAL -m comment --comment WAN_LOCAL-10 -m state --state ESTABLISHED -j RETURN
-A WAN_LOCAL -m comment --comment WAN_LOCAL-20 -m state --state RELATED -j RETURN
-A WAN_LOCAL -m comment --comment WAN_LOCAL-30 -m state --state INVALID -j LOG --log-prefix "[WAN_LOCAL-30-D]"
-A WAN_LOCAL -m comment --comment WAN_LOCAL-30 -m state --state INVALID -j DROP
-A WAN_LOCAL -m comment --comment "WAN_LOCAL-10000 default-action drop" -j LOG --log-prefix "[WAN_LOCAL-default-D]"
-A WAN_LOCAL -m comment --comment "WAN_LOCAL-10000 default-action drop" -j DROP
-A WAN_OUT -m comment --comment WAN_OUT-10 -m state --state NEW -j RETURN
-A WAN_OUT -m comment --comment WAN_OUT-20 -m state --state RELATED -j RETURN
-A WAN_OUT -m comment --comment WAN_OUT-30 -m state --state ESTABLISHED -j RETURN
-A WAN_OUT -m comment --comment WAN_OUT-40 -m state --state INVALID -j LOG --log-prefix "[WAN_OUT-40-D]"
-A WAN_OUT -m comment --comment WAN_OUT-40 -m state --state INVALID -j DROP
-A WAN_OUT -m comment --comment "WAN_OUT-10000 default-action drop" -j LOG --log-prefix "[WAN_OUT-default-D]"
-A WAN_OUT -m comment --comment "WAN_OUT-10000 default-action drop" -j DROP我选择“ll3”S的答案作为正确答案,首先通过帖子。@LL3 's答案已经修改,以便能够阅读stdin,所以我删除了做同样操作的修补程序。
对perl-master @JeffSchaller 's (稍晚一点)的评价,完整的答案既显示了广度优先列表,也显示了图形输出。
回答 2
Unix & Linux用户
回答已采纳
发布于 2019-04-04 19:44:08
一段时间前,我需要平宽-首先是自定义防火墙的规则树,并将它们全部保存在一个文件中。不是VyOS,而是iptables。我想出了下面的脚本,看看它是否对你有帮助。
Please注意:这个脚本至少需要Bash v4
#!/bin/bash -
declare -A all_chains=()
declare -A queued_chains=()
builtin_chains_as_regexp='INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING'
queue_list=""
prepend_chain=""
show_chain_heading=false
one_go=false
uniquify=true
_print_usage() {
cat <<- EOF
Usage: $0 [-npofh]
-n shows chain's creation command as heading, useful for spotting empty chains
-p prepends chain's name to each rule
-o read everything in one go, 10x quicker when many small chains
-f expand all references to a same chain, but beware of chain loops or chains referenced hundreds of times
-h shows this help
EOF
}
_expand_chain() {
local chain_to_expand="${1}"
local rules=""
# if one_go selected, work with in-memory cache of chains
if $one_go ; then
rules="${all_chains[${chain_to_expand}]}"
# otherwise read in chain to consider
else
rules="$(iptables -S "${chain_to_expand}")"
fi
$show_chain_heading && \
! [[ "${chain_to_expand}" =~ ${builtin_chains_as_regexp} ]] && \
echo "-N ${chain_to_expand}"
while read -r cmd chain rule ; do
case "${cmd}" in
-A)
set -- ${rule}
# look for target option in rule
while [ -n "${1}" ] && ! [[ "${1}" =~ -(j|g) ]] ; do shift ; done
# a few sanity checks
[ -n "${1}" ] || continue # a rule with no target, skip it
shift
[ -n "${1}" ] || { echo "what!? empty target in ${rule}" >&2 ; continue ; }
if [ -n "${all_chains[${1}]}" ] ; then
# if target is a chain
# add to queued chains if uniquify *not* requested or if chain never queued
if ! $uniquify || [ -z "${queued_chains[${1}]}" ] ; then
queue_list+="${1} "
queued_chains[${1}]="1"
fi
fi
# show rule
echo "${prepend_chain:+[${chain_to_expand}] }${cmd} ${chain} ${rule}"
;;
esac
done <<<"${rules}"
}
###
# ACTUAL EXECUTION STARTS HERE
#
# parse command options if any
while getopts nphfo option ; do
case $option in
n) show_chain_heading=true
;;
p) prepend_chain="1"
;;
h) _print_usage ; exit 0
;;
o) one_go=true
;;
f) uniquify=false
;;
'?') exit 1
;;
esac
done
[ -n "${!OPTIND}" ] || { _print_usage ; exit 1 ; }
# preparation step:
# if one_go selected, slurp everything in
if $one_go ; then
# invoke explicit command only when stdin is the terminal
[ -t 0 ] && exec 0< <(iptables -S)
while read -r cmd chain rule ; do
case "${cmd}" in
-N)
all_chains[${chain}]=" " # <<-- whitespace to make provision for empty chains
;;
-A)
# assign rule to its chain in cache
all_chains[${chain}]+=无可否认,这并不是很好的评论,但是如果你熟悉Bash,就不会那么难理解了。如果您在没有选项的情况下运行它,它将显示一个帮助摘要。特别要注意的是,默认情况下,它只扩展每条链一次,即使对多次引用的链也是如此。您可以使用-f选项请求一个真正的全扁平输出。我之所以这样做,是因为我有数千条其他链引用的几条链,并且将所有可能要花费几个小时的链接都压平了(当然,这个脚本不做并行处理)。因此,如果您有类似的设置,请记住这一点。\n'"${cmd} ${chain} ${rule}"
;;
esac
done
# otherwise read in chain names only
else
while IFS= read -r chain ; do
all_chains[${chain}]="1"
done < <(iptables -S | sed -ne '/^-N /s///p')
fi
# expand starting chain
_expand_chain ${!OPTIND}
# breadth-first expand queued chains
# as long as queue is not empty
while [ "${#queue_list}" -gt 0 ] ; do
# take next queued chain
subchain="${queue_list%% *}"
# expand it
_expand_chain "${subchain}"
# remove expanded chain from queue
queue_list="${queue_list#${subchain} }"
# queue gets updated by _expand_chain as needed
done
exit 0无可否认,这并不是很好的评论,但是如果你熟悉Bash,就不会那么难理解了。
如果您在没有选项的情况下运行它,它将显示一个帮助摘要。
特别要注意的是,默认情况下,它只扩展每条链一次,即使对多次引用的链也是如此。您可以使用D1选项请求一个真正的全扁平输出。我之所以这样做,是因为我有数千条其他链引用的几条链,并且将所有可能要花费几个小时的链接都压平了(当然,这个脚本不做并行处理)。因此,如果您有类似的设置,请记住这一点。
Unix & Linux用户
发布于 2019-04-05 17:11:56
下面是我对iptables -S输出的BFS排序的解释;它读取每个规则并找到目标(或-P策略);一旦读取了所有规则,它就从内置的目标开始,并打印规则的连续级别。
iptables-bfs.pl
#!/usr/bin/perl -w
use strict;
# for now, a chain name has to match regex: [[:alnum:]_-]+
my %jumpsto = ();
while (<>) {
chomp;
next if /^#/;
if (/-[AIR]\s+([[:alnum:]_-]+).*-j\s+([[:alnum:]_-]+)/) {
unless (exists $jumpsto{$1}{$2}) {
$jumpsto{$1}{$2}=$_;
}
} elsif (/-P ([[:alnum:]_-]+)\s+(ACCEPT|DROP)/) {
unless (exists $jumpsto{$1}{$2}) {
$jumpsto{$1}{$2}=$_;
}
}
}
my @queue = ();
push @queue, qw(INPUT OUTPUT FORWARD PREROUTING POSTROUTING);
my @nextqueue = ();
while (@queue) {
my $item = shift @queue;
foreach my $target (keys %{ $jumpsto{$item} }) {
print $jumpsto{$item}{$target} . "\n";
push @nextqueue, $target;
}
if (! @queue && @nextqueue) {
@queue = @nextqueue;
@nextqueue = ();
print "---------------\n";
}
}对于问题中的示例输入,输出如下:
-A INPUT -j UBNT_VPN_IPSEC_FW_HOOK
-P INPUT ACCEPT
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-P OUTPUT ACCEPT
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j MINIUPNPD
-P FORWARD ACCEPT
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A FORWARD -j UBNT_VPN_IPSEC_FW_IN_HOOK
-A FORWARD -j UBNT_FW_IN_SUSPEND_HOOK
-A FORWARD -j UBNT_PFOR_FW_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
---------------
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_FW_LOCAL_HOOK -i eth0 -j WAN_LOCAL
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A VYATTA_FW_IN_HOOK -i eth1 -j LAN1_IN
-A VYATTA_FW_IN_HOOK -i eth0 -j WAN_IN
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_FW_OUT_HOOK -o eth0 -j WAN_OUT
---------------
-A WAN_LOCAL -m comment --comment WAN_LOCAL-30 -m state --state INVALID -j DROP
-A WAN_LOCAL -m comment --comment WAN_LOCAL-10 -m state --state ESTABLISHED -j RETURN
-A WAN_LOCAL -m comment --comment WAN_LOCAL-30 -m state --state INVALID -j LOG --log-prefix "[WAN_LOCAL-30-D]"
-A LAN1_IN -p udp -m comment --comment LAN1_IN-20 -m udp --dport 53 -m set --match-set dnsaddr dst -j RETURN
-A LAN1_IN -m comment --comment LAN1_IN-10 -m state --state INVALID -j DROP
-A LAN1_IN -m comment --comment LAN1_IN-10 -m state --state INVALID -j LOG --log-prefix "[LAN1_IN-10-D]"
-A WAN_IN -m comment --comment WAN_IN-30 -m state --state INVALID -j DROP
-A WAN_IN -m comment --comment WAN_IN-10 -m state --state ESTABLISHED -j RETURN
-A WAN_IN -m comment --comment WAN_IN-30 -m state --state INVALID -j LOG --log-prefix "[WAN_IN-30-D]"
-A WAN_OUT -m comment --comment WAN_OUT-40 -m state --state INVALID -j DROP
-A WAN_OUT -m comment --comment WAN_OUT-10 -m state --state NEW -j RETURN
-A WAN_OUT -m comment --comment WAN_OUT-40 -m state --state INVALID -j LOG --log-prefix "[WAN_OUT-40-D]"
---------------我最初的错误解释是下面的perl脚本,它将iptables -S转换为与图形兼容的文件。它创建一个将源链与其目标链连接起来的图表。
iptables-dot.pl
#!/usr/bin/perl -w
use strict;
# for now, a chain name has to match regex: [[:alnum:]_-]+
print "digraph rules {\n";
print "\toverlap=scalexy;\n";
my %jumpsto = ();
while (<>) {
chomp;
next if /^#/;
if (/-[AIR]\s+([[:alnum:]_-]+).*-j\s+([[:alnum:]_-]+)/) {
unless (exists $jumpsto{$1}{$2}) {
print "\"$1\" -> \"$2\";\n";
$jumpsto{$1}{$2}=1;
}
} elsif (/-P ([[:alnum:]_-]+)\s+(ACCEPT|DROP)/) {
unless (exists $jumpsto{$1}{$2}) {
print "\"$1\" -> \"$2\";\n";
$jumpsto{$1}{$2}=1;
}
}
}
print "}\n";给定问题中的示例输入,结果输出如下:
digraph rules {
overlap=scalexy;
"INPUT" -> "ACCEPT";
"FORWARD" -> "ACCEPT";
"OUTPUT" -> "ACCEPT";
"INPUT" -> "UBNT_VPN_IPSEC_FW_HOOK";
"INPUT" -> "VYATTA_FW_LOCAL_HOOK";
"INPUT" -> "VYATTA_POST_FW_IN_HOOK";
"FORWARD" -> "MINIUPNPD";
"FORWARD" -> "UBNT_VPN_IPSEC_FW_IN_HOOK";
"FORWARD" -> "UBNT_PFOR_FW_HOOK";
"FORWARD" -> "UBNT_FW_IN_SUSPEND_HOOK";
"FORWARD" -> "VYATTA_FW_IN_HOOK";
"FORWARD" -> "VYATTA_FW_OUT_HOOK";
"FORWARD" -> "VYATTA_POST_FW_FWD_HOOK";
"OUTPUT" -> "VYATTA_POST_FW_OUT_HOOK";
"LAN1_IN" -> "LOG";
"LAN1_IN" -> "DROP";
"LAN1_IN" -> "RETURN";
"VYATTA_FW_IN_HOOK" -> "WAN_IN";
"VYATTA_FW_IN_HOOK" -> "LAN1_IN";
"VYATTA_FW_LOCAL_HOOK" -> "WAN_LOCAL";
"VYATTA_FW_OUT_HOOK" -> "WAN_OUT";
"VYATTA_POST_FW_FWD_HOOK" -> "ACCEPT";
"VYATTA_POST_FW_IN_HOOK" -> "ACCEPT";
"VYATTA_POST_FW_OUT_HOOK" -> "ACCEPT";
"WAN_IN" -> "RETURN";
"WAN_IN" -> "LOG";
"WAN_IN" -> "DROP";
"WAN_LOCAL" -> "RETURN";
"WAN_LOCAL" -> "LOG";
"WAN_LOCAL" -> "DROP";
"WAN_OUT" -> "RETURN";
"WAN_OUT" -> "LOG";
"WAN_OUT" -> "DROP";
}..。这就产生了下面的图形。单击一次以获得更大的版本;如果浏览器自动将其降下来,请再次单击。
页面原文内容由Unix & Linux提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://unix.stackexchange.com/questions/510351
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号