Cronjob to check IpTables

xaitmi Member
edited August 2016 in Help

Basically here's an example

-A PREROUTING -p tcp -m tcp --dport 11052 -j DNAT --to-destination 10.8.1.14:11052
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
-A PREROUTING -p tcp -m tcp --dport 25987 -j DNAT --to-destination 10.8.0.18:25987
-A PREROUTING -p tcp -m tcp --dport 1177 -j DNAT --to-destination 10.8.0.58:1177
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525

I was looking to create a script that would review the iptables on a CentOS 6 box; if there is more than one copy of the same rule, it would delete all of them.

So in this case, every copy of the rule below should be deleted because there is more than one of it.

-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525

Anyone have any suggestions on how to accomplish a cron that would run every minute to do that job?

Comments

  • kingpin Member
    edited August 2016

    Pipe it through a combination of sort(1) and uniq(1) replacing the original rule set with the output?

    $ cat meh 
    1
    2
    1
    1
    3
    4
    $ (sort | uniq) < meh > blah
    $ cat blah 
    1
    2
    3
    4
    

    Or simply.

    $ sort -u -o meh meh
    
    Thanked by 1 raindog308
  • raindog308 Administrator, Veteran

    xaitmi said: So in this case, all of the rule below should be deleted because there is more than one of it.

    If you apply two of a rule, do you get two in the chain? I guess you must...it's not a hash table.

  • xaitmi Member
    edited August 2016

    This is what I have so far.

    sudo sort -u -o /etc/sysconfig/iptables /etc/sysconfig/iptables
    echo "Sort complete! Running once more just to make sure."
    sudo sort -u -o /etc/sysconfig/iptables /etc/sysconfig/iptables
    

    /etc/sysconfig/iptables

    -A POSTROUTING -o venet0 -j SNAT --to-source XXX.XX.XXX.XXX
    -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source XXX.XX.XXX.XXX
    -A PREROUTING -p tcp -m tcp --dport 11052 -j DNAT --to-destination 10.8.1.14:11052
    -A PREROUTING -p tcp -m tcp --dport 1177 -j DNAT --to-destination 10.8.0.58:1177
    -A PREROUTING -p tcp -m tcp --dport 25987 -j DNAT --to-destination 10.8.0.18:25987
    -A PREROUTING -p tcp -m tcp --dport 1533 -j DNAT --to-destination 10.8.0.2:1533
    -A PREROUTING -p tcp -m tcp --dport 25987 -j DNAT --to-destination 10.8.0.18:25987
    -A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
    -A PREROUTING -p tcp -m tcp --dport 25987 -j DNAT --to-destination 10.8.0.18:25987
    COMMIT
    # Completed on Sun Aug  7 19:25:39 2016
    *filter
    :FORWARD ACCEPT [6:479]
    # Generated by iptables-save v1.4.7 on Sun Aug  7 19:25:39 2016
    :INPUT ACCEPT [228:18673]
    :INPUT ACCEPT [269:22001]
    *mangle
    *nat
    :OUTPUT ACCEPT [140:18958]
    :OUTPUT ACCEPT [176:23458]
    :OUTPUT ACCEPT [5:342]
    :POSTROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [182:23937]
    :PREROUTING ACCEPT [10:1365]
    :PREROUTING ACCEPT [275:22480]
    *raw
    
    

    If I run it with those iptables it deletes all the duplicates and only keeps 1 of them; I need it to delete all.

    In the above scenario it would delete all the ones with 10.8.0.18:25987 except 1. I need it to delete ALL 10.8.0.18:25987

  • kingpin Member
    edited August 2016

    Good ol' sort(1) and uniq(1) are still in the game.

    $ (sort | uniq -u) < meh.txt > blah.txt
    
    $ cat meh.txt 
    3
    2
    4
    1
    5
    1
    2
    1
    1
    7
    
    $ cat blah.txt
    3
    4
    5
    7
    
  • if you want all duplicates removed:

    x=/etc/sysconfig/iptables; grep -Fvf <( (sort | uniq -d) < $x) $x

    The outer brackets are for a process substitution.

  • xaitmi Member
    edited August 2016

    @Squyd said:
    if you want all duplicates removed:

    x=/etc/sysconfig/iptables; grep -Fvf <( (sort | uniq -d) < $x) $x

    The outer brackets are for a process substitution.

    I keep getting syntax errors :(

    line 4: syntax error near unexpected token `('

  • if process substitution didn't work on your machine, just break it into 3 lines:


    $x=/etc/sysconfig/iptables
    $(sort | uniq -d) < $x > dups.txt
    $grep -Fvf dups.txt $x > no_dups.txt

  • kingpin Member
    edited August 2016

    grep(1) is redundant and is extra work. -u argument to uniq(1) will do the job just fine as I already demonstrated above.

    -u, --unique
    only print unique lines

    http://linuxcommand.org/man_pages/uniq1.html

  • agreed.

    @kingpin said:
    grep(1) is redundant and is extra work. -u argument to uniq(1) will do the job just fine as I already demonstrated above.

    -u, --unique
    only print unique lines

    http://linuxcommand.org/man_pages/uniq1.html

  • xaitmi Member
    edited August 2016

    @Squyd said:
    if process substitution didn't work on your machine, just break it into 3 lines:


    $x=/etc/sysconfig/iptables
    $(sort | uniq -d) < $x > dups.txt
    $grep -Fvf dups.txt $x > no_dups.txt

    sortiptables.sh: line 4: =/etc/sysconfig/iptables: No such file or directory

    which is weird

    I tried adding quotes but no luck. hmm

    got rid of $x and just wrote /etc/sysconfig/iptables; the script is running now.

    Update: seems to run forever does not end lol

    
    #!/bin/bash
    echo "This script will automatically remove non-unique iptables values, leaving the unique untouched."
    echo "Alright! Running sort now!"
    $(sort | uniq -d) < /etc/sysconfig/iptables > dups.txt
    $grep -Fvf dups.txt /etc/sysconfig/iptables > no_dups.txt
    
    
    
  • @xaitmi said:

    got rid of $x and just wrote /etc/sysconfig/iptables; the script is running now.

    Update: seems to run forever does not end lol

    > 
    > #!/bin/bash
    > echo "This script will automatically remove non-unique iptables values, leaving the unique untouched."
    > echo "Alright! Running sort now!"
    > $(sort | uniq -d) < /etc/sysconfig/iptables > dups.txt
    > $grep -Fvf dups.txt /etc/sysconfig/iptables > no_dups.txt
    > 
    > 
    > 

    No dollar signs inside a script ;)

  • Not sure how you're managing to get duplicates anyway, but if the lines are exact, you could just uniq iptables.rule.file > iptables.rule.file every hour or so.
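What the thread is asking for, written as an added example rather than any poster's script: drop every copy of a rule line that appears more than once, but leave the table headers, chain policies and COMMIT lines in place. The sorted dump xaitmi pasted above shows why a plain sort(1) of /etc/sysconfig/iptables is not enough: it scrambles the `*nat`/`*filter`/COMMIT structure that iptables-restore depends on. The sample dump and the /tmp path are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the thread): remove ALL copies of any "-A ..." rule
# that occurs more than once in an iptables-save style file, keep every other
# line in its original order, and never reorder *table, :CHAIN or COMMIT lines.
drop_duplicate_rules() {
    # $1: path to an iptables-save style file; the cleaned dump goes to stdout.
    # awk reads the file twice: first to count rule lines, then to filter.
    awk '
        # pass 1: count how often each "-A ..." rule line appears
        NR == FNR { if ($0 ~ /^-A /) seen[$0]++; next }
        # pass 2: print every line except rules that were counted more than once
        !($0 ~ /^-A / && seen[$0] > 1)
    ' "$1" "$1"
}

# Number of "-A ..." rule lines in a file; handy as a before/after sanity check
count_rules() {
    grep -c '^-A ' "$1" || true
}

# Constructed sample dump modelled on the one posted in the thread
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [275:22480]
:POSTROUTING ACCEPT [182:23937]
-A PREROUTING -p tcp -m tcp --dport 11052 -j DNAT --to-destination 10.8.1.14:11052
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
-A PREROUTING -p tcp -m tcp --dport 25987 -j DNAT --to-destination 10.8.0.18:25987
-A PREROUTING -p tcp -m tcp --dport 1177 -j DNAT --to-destination 10.8.0.58:1177
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
COMMIT
EOF
}

# Typical use from cron on the CentOS 6 box (output path is an assumption):
# write a cleaned copy, compare the rule counts, and only then load it with
# iptables-restore, keeping the original file for rollback.
#   drop_duplicate_rules /etc/sysconfig/iptables > /tmp/iptables.clean
#   count_rules /etc/sysconfig/iptables; count_rules /tmp/iptables.clean
#   iptables-restore < /tmp/iptables.clean
```

Because the filter writes to stdout, it can never truncate the live ruleset the way `uniq file > file` would; write to a separate file and restore from that.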
