nudin / iptable_vis
visualise your iptables chains
License: GNU Lesser General Public License v3.0
iptables-save is safer than iptables -L ... and outputs all tables. It would be great to have support for this format too.
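The iptables-save format requested above, as an added example that is not the project's awk script: a small Python parser for `iptables-save -c` output that keeps every table, the chain policies and the per-rule packet/byte counters. The input is a constructed sample modelled on the chains seen in this issue tracker, not output taken from the issue.

```python
import re
import shlex

SAMPLE = """\
# Generated by iptables-save -c (constructed sample, not from the issue)
*filter
:INPUT ACCEPT [588:226000]
:KUBE-ROUTER-INPUT - [0:0]
:ufw-user-limit - [0:0]
[1792:515000] -A INPUT -m comment --comment "kube-router netpol" -j KUBE-ROUTER-INPUT
[0:0] -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
COMMIT
*nat
:PREROUTING ACCEPT [10:600]
:KUBE-SERVICES - [0:0]
[10:600] -A PREROUTING -j KUBE-SERVICES
COMMIT
"""
COUNTER = re.compile(r"^\[(\d+):(\d+)\]\s+(.*)$")                # "-c" counter prefix
CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")   # :CHAIN POLICY [p:b]

def parse_iptables_save(text):
    """{table: {"chains": {name: policy}, "rules": [(chain, target, pkts, bytes), ...]}};
    policy is "-" for user chains, target is None for rules without -j/-g."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # start of a table block
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
            continue
        if line == "COMMIT":
            table = None
            continue
        if table is None:
            raise ValueError("line outside a *table ... COMMIT block: " + raw)
        m = CHAIN_DECL.match(line)
        if m:
            tables[table]["chains"][m.group(1)] = m.group(2)
            continue
        m = COUNTER.match(line)
        pkts, nbytes, line = (int(m.group(1)), int(m.group(2)), m.group(3)) if m else (0, 0, line)
        argv = shlex.split(line)                       # keeps quoted --comment/--log-prefix whole
        jumps = [argv[i + 1] for i, a in enumerate(argv) if a in ("-j", "-g")]
        if len(argv) < 2 or argv[0] != "-A" or argv[1] not in tables[table]["chains"]:
            raise ValueError("unsupported rule line or undeclared chain: " + raw)
        tables[table]["rules"].append((argv[1], jumps[0] if jumps else None, pkts, nbytes))
    return tables
```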
Idea: The connection lines between rules and their target could be thicker the more often the rule was applied to packets. Maybe something like linewidth ~ log(counter).
Related: #4
If a rule is never used so far (counter=0), the connection line to the target could be rendered dashed.
On Ubuntu 21.04, blockdiag doesn't seem available:
sudo apt install blockdiag
[sudo] password for user:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package blockdiag
Using python3-blockdiag instead seems good.
sudo apt install python3-blockdiag
blockdiag3 iptables.dia -T svg -o iptables.svg
And the image was rendered.
Btw, nice tool! :D
Thank you very much for your wonderful tool. It helps a lot when I use it. I ran into an issue when parsing the diag file. Could you kindly take a look?
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
When I try to run this against the saved output of $ sudo iptables -v -L I get the following error:
awk: iptables-vis.awk: line 211: function gensub never defined
Using latest cloned repo.
Hi,
Great job!!!!
Consider using iptables -S, which gives you the true iptables rules; it may be easier for parsing and getting all rules and parameters.
iptables -v -L > iptables.txt
awk -f iptables-vis.awk < iptables.txt > iptables.dia
blockdiag3 iptables.dia -T svg -o iptables.svg
ERROR: got unexpected token: <EOF>
iptables.txt:
Chain INPUT (policy ACCEPT 588 packets, 226K bytes)
pkts bytes target prot opt in out source destination
1792 515K KUBE-ROUTER-INPUT all -- any any anywhere anywhere /* kube-router netpol - 4IA2OSFRMVNDXBVV */
588 226K KUBE-NODEPORTS all -- any any anywhere anywhere /* kubernetes health check service ports */
123 16578 KUBE-EXTERNAL-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
588 226K KUBE-FIREWALL all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
635 206K KUBE-ROUTER-FORWARD all -- any any anywhere anywhere /* kube-router netpol - TEMCG2JMHZYE7H7T */
0 0 KUBE-FORWARD all -- any any anywhere anywhere /* kubernetes forwarding rules */
0 0 KUBE-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes service portals */
0 0 KUBE-EXTERNAL-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
0 0 ACCEPT all -- any any ip-10-42-0-0.ec2.internal/16 anywhere
0 0 ACCEPT all -- any any anywhere ip-10-42-0-0.ec2.internal/16
Chain OUTPUT (policy ACCEPT 652 packets, 172K bytes)
pkts bytes target prot opt in out source destination
2011 343K KUBE-ROUTER-OUTPUT all -- any any anywhere anywhere /* kube-router netpol - VEAAIY32XVBHCSCY */
127 24622 KUBE-SERVICES all -- any any anywhere anywhere ctstate NEW /* kubernetes service portals */
652 172K KUBE-FIREWALL all -- any any anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (2 references)
pkts bytes target prot opt in out source destination
Chain KUBE-FIREWALL (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
0 0 DROP all -- any any !ip-127-0-0-0.ec2.internal/8 ip-127-0-0-0.ec2.internal/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT
Chain KUBE-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT all -- any any anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
0 0 ACCEPT all -- any any anywhere anywhere /* kubernetes forwarding conntrack rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-KUBELET-CANARY (0 references)
pkts bytes target prot opt in out source destination
Chain KUBE-NODEPORTS (1 references)
pkts bytes target prot opt in out source destination
Chain KUBE-NWPLCY-DEFAULT (6 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- any any anywhere anywhere /* rule to mark traffic matching a network policy */ MARK or 0x10000
Chain KUBE-POD-FW-L3CCKNL42X3PDDA3 (7 references)
pkts bytes target prot opt in out source destination
3073 658K ACCEPT all -- any any anywhere anywhere /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
87 5220 ACCEPT all -- any any anywhere ip-10-42-2-2.ec2.internal /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
0 0 KUBE-NWPLCY-DEFAULT all -- any any ip-10-42-2-2.ec2.internal anywhere /* run through default egress network policy chain */
0 0 KUBE-NWPLCY-DEFAULT all -- any any anywhere ip-10-42-2-2.ec2.internal /* run through default ingress network policy chain */
0 0 NFLOG all -- any any anywhere anywhere /* rule to log dropped traffic POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
0 0 REJECT all -- any any anywhere anywhere /* rule to REJECT traffic destined for POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
0 0 MARK all -- any any anywhere anywhere MARK and 0xfffeffff
0 0 MARK all -- any any anywhere anywhere /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000
Chain KUBE-POD-FW-OIM3DLDDVNYGTNCC (7 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any any anywhere ip-10-42-2-4.ec2.internal /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
0 0 KUBE-NWPLCY-DEFAULT all -- any any ip-10-42-2-4.ec2.internal anywhere /* run through default egress network policy chain */
0 0 KUBE-NWPLCY-DEFAULT all -- any any anywhere ip-10-42-2-4.ec2.internal /* run through default ingress network policy chain */
0 0 NFLOG all -- any any anywhere anywhere /* rule to log dropped traffic POD name:svclb-traefik-8fjlg namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
0 0 REJECT all -- any any anywhere anywhere /* rule to REJECT traffic destined for POD name:svclb-traefik-8fjlg namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
0 0 MARK all -- any any anywhere anywhere MARK and 0xfffeffff
0 0 MARK all -- any any anywhere anywhere /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000
Chain KUBE-POD-FW-PCWK32JIKVMMAWJH (7 references)
pkts bytes target prot opt in out source destination
38 3845 ACCEPT all -- any any anywhere anywhere /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any any anywhere ip-10-42-2-3.ec2.internal /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
0 0 KUBE-NWPLCY-DEFAULT all -- any any ip-10-42-2-3.ec2.internal anywhere /* run through default egress network policy chain */
0 0 KUBE-NWPLCY-DEFAULT all -- any any anywhere ip-10-42-2-3.ec2.internal /* run through default ingress network policy chain */
0 0 NFLOG all -- any any anywhere anywhere /* rule to log dropped traffic POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
0 0 REJECT all -- any any anywhere anywhere /* rule to REJECT traffic destined for POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
0 0 MARK all -- any any anywhere anywhere MARK and 0xfffeffff
0 0 MARK all -- any any anywhere anywhere /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000
Chain KUBE-PROXY-CANARY (0 references)
pkts bytes target prot opt in out source destination
Chain KUBE-ROUTER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-POD-FW-OIM3DLDDVNYGTNCC all -- any any ip-10-42-2-4.ec2.internal anywhere PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
0 0 KUBE-POD-FW-OIM3DLDDVNYGTNCC all -- any any ip-10-42-2-4.ec2.internal anywhere /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
0 0 KUBE-POD-FW-OIM3DLDDVNYGTNCC all -- any any anywhere ip-10-42-2-4.ec2.internal PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
0 0 KUBE-POD-FW-OIM3DLDDVNYGTNCC all -- any any anywhere ip-10-42-2-4.ec2.internal /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
0 0 KUBE-POD-FW-PCWK32JIKVMMAWJH all -- any any ip-10-42-2-3.ec2.internal anywhere PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
19 2467 KUBE-POD-FW-PCWK32JIKVMMAWJH all -- any any ip-10-42-2-3.ec2.internal anywhere /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
0 0 KUBE-POD-FW-PCWK32JIKVMMAWJH all -- any any anywhere ip-10-42-2-3.ec2.internal PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
19 1378 KUBE-POD-FW-PCWK32JIKVMMAWJH all -- any any anywhere ip-10-42-2-3.ec2.internal /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
0 0 KUBE-POD-FW-L3CCKNL42X3PDDA3 all -- any any ip-10-42-2-2.ec2.internal anywhere PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
300 54101 KUBE-POD-FW-L3CCKNL42X3PDDA3 all -- any any ip-10-42-2-2.ec2.internal anywhere /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
0 0 KUBE-POD-FW-L3CCKNL42X3PDDA3 all -- any any anywhere ip-10-42-2-2.ec2.internal PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
297 148K KUBE-POD-FW-L3CCKNL42X3PDDA3 all -- any any anywhere ip-10-42-2-2.ec2.internal /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
0 0 ACCEPT all -- any any anywhere anywhere /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000
Chain KUBE-ROUTER-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-POD-FW-OIM3DLDDVNYGTNCC all -- any any ip-10-42-2-4.ec2.internal anywhere /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
0 0 KUBE-POD-FW-PCWK32JIKVMMAWJH all -- any any ip-10-42-2-3.ec2.internal anywhere /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
1204 289K KUBE-POD-FW-L3CCKNL42X3PDDA3 all -- any any ip-10-42-2-2.ec2.internal anywhere /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
0 0 RETURN all -- any any anywhere ip-10-43-0-0.ec2.internal/16 /* allow traffic to cluster IP - M66LPN4N3KB5HTJR */
0 0 RETURN tcp -- any any anywhere anywhere /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
0 0 RETURN udp -- any any anywhere anywhere /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
0 0 ACCEPT all -- any any anywhere anywhere /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000
Chain KUBE-ROUTER-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-POD-FW-OIM3DLDDVNYGTNCC all -- any any ip-10-42-2-4.ec2.internal anywhere /* rule to jump traffic from POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
0 0 KUBE-POD-FW-OIM3DLDDVNYGTNCC all -- any any anywhere ip-10-42-2-4.ec2.internal /* rule to jump traffic destined to POD name:svclb-traefik-8fjlg namespace: kube-system to chain KUBE-POD-FW-OIM3DLDDVNYGTNCC */
0 0 KUBE-POD-FW-PCWK32JIKVMMAWJH all -- any any ip-10-42-2-3.ec2.internal anywhere /* rule to jump traffic from POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
0 0 KUBE-POD-FW-PCWK32JIKVMMAWJH all -- any any anywhere ip-10-42-2-3.ec2.internal /* rule to jump traffic destined to POD name:local-path-provisioner-6c79684f77-wfwz6 namespace: kube-system to chain KUBE-POD-FW-PCWK32JIKVMMAWJH */
0 0 KUBE-POD-FW-L3CCKNL42X3PDDA3 all -- any any ip-10-42-2-2.ec2.internal anywhere /* rule to jump traffic from POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
1359 171K KUBE-POD-FW-L3CCKNL42X3PDDA3 all -- any any anywhere ip-10-42-2-2.ec2.internal /* rule to jump traffic destined to POD name:metrics-server-7cd5fcb6b7-lw5ck namespace: kube-system to chain KUBE-POD-FW-L3CCKNL42X3PDDA3 */
0 0 ACCEPT all -- any any anywhere anywhere /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000
Chain KUBE-SERVICES (2 references)
pkts bytes target prot opt in out source destination
If a chain is empty it is not rendered, but the group is created nevertheless. This results in empty space in the image.
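As an added example, not code from the iptable_vis project: a Python sketch of the counter-driven rendering proposed earlier in this tracker (dashed edges for a counter of 0, thicker edges as log10(counter) grows) that also omits the group for an empty chain instead of reserving blank space for it. It reads the same columns of `iptables -v -L` output that the awk script does, maps the log-scaled counter onto blockdiag's `thick` edge attribute, and runs on a constructed listing modelled on the dumps in this issue.

```python
import math
# Constructed sample in `iptables -v -L` layout, modelled on the dumps in this issue.
SAMPLE = """\
Chain INPUT (policy ACCEPT 588 packets, 226K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1792  515K KUBE-ROUTER-INPUT  all  --  any    any     anywhere             anywhere
    0     0 ufw-user-limit  all  --  any    any     anywhere             anywhere
Chain KUBE-ROUTER-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain ufw-user-limit (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
"""
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def to_int(s):  # undo the K/M/G abbreviation iptables -v uses for large counters
    return int(float(s[:-1]) * SUFFIX[s[-1]]) if s[-1] in SUFFIX else int(s)

def parse_listing(text):
    """Return {chain: [(target, pkts), ...]} in listing order; an empty chain maps to []."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        f = line.split()
        if current is None or not f or f[0] == "pkts":   # blank or column-header row
            continue
        chains[current].append((f[2], to_int(f[0])))     # assumes every rule has a target
    return chains

def to_blockdiag(chains):
    """Groups per non-empty chain; jumps become edges: dashed if pkts == 0, thick if log10(pkts) >= 3."""
    out = ["blockdiag {"]
    for chain, rules in chains.items():
        if not rules:   # no group for an empty chain, so no blank space is reserved for it
            continue
        out.append(f'  group {{ label = "{chain}";')
        for i, (target, _) in enumerate(rules):
            out.append(f'    "{chain}:{i}" [label = "{target}"];')
        out.append("  }")
    for chain, rules in chains.items():
        for i, (target, pkts) in enumerate(rules):
            if target in chains:   # a jump; ACCEPT/DROP/LOG/REJECT are verdicts, not chains
                head = f"{target}:0" if chains[target] else target   # empty chain: plain node
                attrs = f'label = "{pkts}", style = {"dashed" if pkts == 0 else "solid"}'
                out.append(f'  "{chain}:{i}" -> "{head}" [{attrs}{", thick" if math.log10(pkts + 1) >= 3 else ""}];')
    out.append("}")
    return "\n".join(out)
```

Running `to_blockdiag(parse_listing(SAMPLE))` and feeding the result to blockdiag3 as in the commands above gives a diagram with no group for KUBE-ROUTER-INPUT and a dashed INPUT -> ufw-user-limit edge.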