New on LowEndTalk? Please Register and read our Community Rules.
Cronjob to check IpTables
Basically, here's an example:
-A PREROUTING -p tcp -m tcp --dport 11052 -j DNAT --to-destination 10.8.1.14:11052
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
-A PREROUTING -p tcp -m tcp --dport 25987 -j DNAT --to-destination 10.8.0.18:25987
-A PREROUTING -p tcp -m tcp --dport 1177 -j DNAT --to-destination 10.8.0.58:1177
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
I was looking to create a script that would review the iptables rules on a CentOS 6 box; if there is more than one of the same rule, it would delete all of them.
So in this case, every copy of the rule below should be deleted, because there is more than one of it:
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
Anyone have any suggestions on how to accomplish a cron that would run every minute to do that job?
Comments
Pipe it through a combination of sort(1) and uniq(1), replacing the original rule set with the output? Or simply.
If you apply two of a rule, do you get two in the chain? I guess you must...it's not a hash table.
This is what I have so far.
/etc/sysconfig/iptables
If I run it with those iptables rules, it deletes all the duplicates and only keeps 1 of them; I need it to delete all of them.
In the above scenario it would delete all the ones with 10.8.0.18:25987 except 1. I need it to delete ALL 10.8.0.18:25987.
Good ol' sort(1) and uniq(1) are still in the game. If you want all duplicates removed:
x=/etc/sysconfig/iptables; grep -Fvf <( (sort | uniq -d) < $x) $x
The outer brackets are for a process substitution.
I keep getting syntax errors
line 4: syntax error near unexpected token `('
If process substitution didn't work on your machine, just break it into 3 lines:
$ x=/etc/sysconfig/iptables
$ (sort | uniq -d) < $x > dups.txt
$ grep -Fvf dups.txt $x > no_dups.txt
grep(1) is redundant and is extra work. The -u argument to uniq(1) will do the job just fine, as I already demonstrated above. http://linuxcommand.org/man_pages/uniq1.html
agreed.
sortiptables.sh: line 4: =/etc/sysconfig/iptables: No such file or directory
which is weird
I tried adding quotes but no luck. hmm
Got rid of $x and just wrote /etc/sysconfig/iptables; the script is running now.
Update: seems to run forever, does not end lol
No dollar signs inside a script
Not sure how you're managing to get the duplicates anyway, but if the lines are exact, you could just
uniq iptables.rule.file > iptables.rule.file.tmp && mv iptables.rule.file.tmp iptables.rule.file
every hour or so. (Writing straight back to the input file with "> iptables.rule.file" truncates it before uniq reads it, so go through a temp file.)
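Added example, not code from anyone in this thread: an order-preserving version of the "delete every copy of any rule that appears more than once" job. Running the rules file through sort | uniq -d, sort | uniq -u or plain uniq has two problems a practitioner will care about: iptables chains are evaluated top to bottom, so sorting the file reorders the rules, and an iptables-save file also contains *table, :CHAIN policy and COMMIT lines that must stay where they are. The awk two-pass below counts only rule lines (-A/-I) and drops every occurrence of a rule seen more than once, while everything else passes through in its original order; the rewrite goes through a temp file so the input is never truncated. The sample ruleset is constructed for the example (the 3525 forward appears twice, as in the original post), and the function names are my own. On CentOS 6, editing /etc/sysconfig/iptables does not change the live ruleset until it is reloaded (service iptables restart or iptables-restore), so a cron job that only rewrites the file needs that step as well.

```shell
#!/bin/sh
# Added example (not from the thread): remove every rule line that occurs
# more than once in an iptables-save dump, keeping first-seen order and the
# non-rule lines (*table, :CHAIN policy, COMMIT, # comments) that a plain
# "sort | uniq" would scramble. Chain order matters to iptables, so sorting
# the file is not a safe way to deduplicate it.

# Constructed sample input in iptables-save format; the 3525 rule appears twice.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 11052 -j DNAT --to-destination 10.8.1.14:11052
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
-A PREROUTING -p tcp -m tcp --dport 25987 -j DNAT --to-destination 10.8.0.18:25987
-A PREROUTING -p tcp -m tcp --dport 1177 -j DNAT --to-destination 10.8.0.58:1177
-A PREROUTING -p tcp -m tcp --dport 3525 -j DNAT --to-destination 10.8.1.14:3525
COMMIT'

# drop_duplicated_rules FILE
# Prints FILE with every rule line (starting with -A or -I) that occurs more
# than once removed entirely; all other lines pass through unchanged.
# The file is given to awk twice: pass one counts, pass two filters.
drop_duplicated_rules() {
    awk '
        # First pass (NR == FNR): count how often each rule line occurs.
        NR == FNR { if ($0 ~ /^-[AI] /) count[$0]++; next }
        # Second pass: skip rules seen more than once, print everything else.
        $0 ~ /^-[AI] / && count[$0] > 1 { next }
        { print }
    ' "$1" "$1"
}

# count_rules FILE: number of rule lines, used to check the result.
count_rules() {
    grep -c '^-[AI] ' "$1"
}

# dedupe_in_place FILE
# Writes the filtered ruleset to a temp file and replaces FILE only if that
# succeeded. "uniq FILE > FILE" would truncate FILE before it is read.
dedupe_in_place() {
    tmp="$1.tmp.$$"
    drop_duplicated_rules "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demonstration on a temporary copy of the constructed sample.
work=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$work"
echo "rules before: $(count_rules "$work")"
dedupe_in_place "$work"
echo "rules after:  $(count_rules "$work")"
cat "$work"
rm -f "$work"
```

To use it from cron, point dedupe_in_place at /etc/sysconfig/iptables and follow it with a reload of the ruleset; every minute is far more often than the file changes, so once an hour, or running it from whatever adds the forwards, is plenty.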