
iptable_vis's People

Contributors

nudin


iptable_vis's Issues

Support `iptables-save` output

iptables-save is safer than iptables -L ... and outputs all tables. It would be great to have support for this format too.

Blockdiag doesn't seem available.

On Ubuntu 21.04, blockdiag doesn't seem available:

sudo apt install blockdiag
[sudo] password for user:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package blockdiag

Using python3-blockdiag instead seems good.

sudo apt install python3-blockdiag
blockdiag3 iptables.dia -T svg -o iptables.svg

And the image was rendered.

Btw, nice tool! :D

Failed to parse .diag file if it has "[]" in label description

Thank you very much for your wonderful tool; it helps a lot. I encountered an issue when parsing the diag file. Could you kindly take a look?

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Use iptables -S

Hi,

Great job!!!!

Consider using iptables -S,
which gives you the true iptables rules; it may be easier to parse and gets all rules and parameters.

ERROR: got unexpected token: <EOF>

iptables -v -L > iptables.txt
awk -f iptables-vis.awk < iptables.txt > iptables.dia
blockdiag3 iptables.dia -T svg -o iptables.svg
ERROR: got unexpected token: <EOF>

iptables.txt:

Chain INPUT (policy ACCEPT 588 packets, 226K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1792  515K KUBE-ROUTER-INPUT  all  --  any    any     anywhere             anywhere             /* kube-router netpol - 4IA2OSFRMVNDXBVV */
  588  226K KUBE-NODEPORTS  all  --  any    any     anywhere             anywhere             /* kubernetes health check service ports */
  123 16578 KUBE-EXTERNAL-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
  588  226K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  635  206K KUBE-ROUTER-FORWARD  all  --  any    any     anywhere             anywhere             /* kube-router netpol - TEMCG2JMHZYE7H7T */
    0     0 KUBE-FORWARD  all  --  any    any     anywhere             anywhere             /* kubernetes forwarding rules */
    0     0 KUBE-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes service portals */
    0     0 KUBE-EXTERNAL-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
    0     0 ACCEPT     all  --  any    any     ip-10-42-0-0.ec2.internal/16  anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             ip-10-42-0-0.ec2.internal/16 

Chain OUTPUT (policy ACCEPT 652 packets, 172K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2011  343K KUBE-ROUTER-OUTPUT  all  --  any    any     anywhere             anywhere             /* kube-router netpol - VEAAIY32XVBHCSCY */
  127 24622 KUBE-SERVICES  all  --  any    any     anywhere             anywhere             ctstate NEW /* kubernetes service portals */
  652  172K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere            

Chain KUBE-EXTERNAL-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-FIREWALL (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
    0     0 DROP       all  --  any    any    !ip-127-0-0-0.ec2.internal/8  ip-127-0-0-0.ec2.internal/8  /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* kubernetes forwarding rules */ mark match 0x4000/0x4000
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* kubernetes forwarding conntrack rule */ ctstate RELATED,ESTABLISHED

Chain KUBE-KUBELET-CANARY (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-NODEPORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-NWPLCY-DEFAULT (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* rule to mark traffic matching a network policy */ MARK or 0x10000

Chain KUBE-POD-FW-L3CCKNL42X3PDDA3 (7 references)
 pkts bytes target     prot opt in     out     source               destination         
 3073  658K ACCEPT     all  --  any    any     anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
   87  5220 ACCEPT     all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* run through default egress network policy  chain */
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* run through default ingress network policy  chain */
    0     0 NFLOG      all  --  any    any     anywhere             anywhere             /* rule to log dropped traffic POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all  --  any    any     anywhere             anywhere             /* rule to REJECT traffic destined for POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfffeffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-OIM3DLDDVNYGTNCC (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* run through default egress network policy  chain */
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* run through default ingress network policy  chain */
    0     0 NFLOG      all  --  any    any     anywhere             anywhere             /* rule to log dropped traffic POD name:svclb-traefik-8fjlg namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all  --  any    any     anywhere             anywhere             /* rule to REJECT traffic destined for POD name:svclb-traefik-8fjlg namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfffeffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-PCWK32JIKVMMAWJH (7 references)
 pkts bytes target     prot opt in     out     source               destination         
   38  3845 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* run through default egress network policy  chain */
    0     0 KUBE-NWPLCY-DEFAULT  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* run through default ingress network policy  chain */
    0     0 NFLOG      all  --  any    any     anywhere             anywhere             /* rule to log dropped traffic POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
    0     0 REJECT     all  --  any    any     anywhere             anywhere             /* rule to REJECT traffic destined for POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
    0     0 MARK       all  --  any    any     anywhere             anywhere             MARK and 0xfffeffff
    0     0 MARK       all  --  any    any     anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-PROXY-CANARY (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain KUBE-ROUTER-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
   19  2467 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
   19  1378 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
  300 54101 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
  297  148K KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
 1204  289K KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 RETURN     all  --  any    any     anywhere             ip-10-43-0-0.ec2.internal/16  /* allow traffic to cluster IP - M66LPN4N3KB5HTJR */
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 RETURN     udp  --  any    any     anywhere             anywhere             /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     ip-10-42-2-4.ec2.internal  anywhere             /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-OIM3DLDDVNYGTNCC  all  --  any    any     anywhere             ip-10-42-2-4.ec2.internal  /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     ip-10-42-2-3.ec2.internal  anywhere             /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-PCWK32JIKVMMAWJH  all  --  any    any     anywhere             ip-10-42-2-3.ec2.internal  /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
    0     0 KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     ip-10-42-2-2.ec2.internal  anywhere             /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
 1359  171K KUBE-POD-FW-L3CCKNL42X3PDDA3  all  --  any    any     anywhere             ip-10-42-2-2.ec2.internal  /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Avoid creation of empty groups

If a chain is empty it is not rendered, but the group is created nevertheless. This results in empty space in the image.
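As an added example (not iptable_vis's own awk script), here is a small Python parser for the `iptables -v -L` output pasted in the reports above, with a blockdiag emitter on top. It quotes every identifier and label so that bracketed text such as the "[UFW LIMIT BLOCK]" log prefix is passed through as literal text, it copes with rules whose target column is empty, and it gives empty chains no node so no empty group lands in the image. The blockdiag syntax used (quoted node ids, `[label = ...]` edge attributes) is assumed from blockdiag's grammar, and SAMPLE is a constructed excerpt modelled on the reports, not a real capture.

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
# Constructed excerpt modelled on the reports above (not a real capture).
SAMPLE = """\
Chain INPUT (policy ACCEPT 588 packets, 226K bytes)
 pkts bytes target     prot opt in     out     source               destination
  588  226K KUBE-FIREWALL  all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "

Chain KUBE-FIREWALL (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
    0     0            all  --  any    any    !ip-127-0-0-0.ec2.internal/8  anywhere             ctstate INVALID

Chain KUBE-SERVICES (0 references)
 pkts bytes target     prot opt in     out     source               destination
"""

def parse_iptables_lv(text):
    """Return dict chain name -> {'policy', 'references', 'rules'}, in file order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:                                # "Chain X (policy ...)" or "Chain X (N references)"
            name, policy, refs = m.groups()
            current = chains[name] = {"policy": policy, "references": int(refs or 0), "rules": []}
            continue
        if not line or line.startswith("pkts bytes") or current is None:
            continue                         # blank line, column header, or text before any chain
        tok = line.split(None, 9)
        if len(tok) < 8:
            raise ValueError("unparseable rule line: %r" % raw)
        if tok[3] in ("--", "-f", "!f"):     # 4th token is the opt column, so the target was empty
            tok = tok[:2] + [""] + line.split(None, 8)[2:]
        tok += [""] * (10 - len(tok))        # pad when the trailing match/comment column is empty
        _pkts, _bytes, target, prot, _opt, _in, _out, src, dst, extra = tok
        cm = COMMENT_RE.search(extra)
        current["rules"].append({"target": target, "prot": prot, "src": src, "dst": dst,
                                 "extra": extra, "comment": cm.group(1) if cm else None})
    return chains

def rule_edges(chains):
    """(chain, target, label) for every rule with a target; the label prefers the /* comment */."""
    return [(n, r["target"], r["comment"] or r["extra"])
            for n, c in chains.items() for r in c["rules"] if r["target"]]

def _q(s):  # quote a blockdiag id/label; brackets such as '[UFW LIMIT BLOCK]' become plain text
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_blockdiag(chains):
    """Chains holding rules become nodes, each rule an edge to its target; empty chains get no node."""
    out = ["blockdiag {"]
    out += ["  %s;" % _q(name) for name, c in chains.items() if c["rules"]]
    for src, dst, label in rule_edges(chains):
        out.append("  %s -> %s%s;" % (_q(src), _q(dst), " [label = %s]" % _q(label) if label else ""))
    return "\n".join(out + ["}"])
```

Feed the real file with `to_blockdiag(parse_iptables_lv(open("iptables.txt").read()))`; a line the parser cannot split into the expected columns raises ValueError instead of silently producing a truncated .diag file.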
