* Check for rule existence
From: Mistick Levi @ 2010-06-14 17:16 UTC (permalink / raw)
To: netfilter
Hi,
Does anyone know of a good way to check for a rule's existence?
So far I'm doing it with grep and text manipulation...
Is the only way to check for a rule's existence (besides running iptables and
grep) through libiptc?
Kind regards
Yechiel Levi
* Re: Check for rule existence
From: Curby @ 2010-06-14 17:23 UTC (permalink / raw)
To: Mistick Levi; +Cc: netfilter
On Mon, Jun 14, 2010 at 11:16 AM, Mistick Levi <gmistick@gmail.com> wrote:
> Hi,
> Does anyone know of a good way to check for a rule's existence?
> So far I'm doing it with grep and text manipulation...
Just a quick note that you might want to look at iptables-save instead
of vanilla iptables if you aren't already. The former command gives
the rules in a sort of canonical form that is used for restoring
rulesets. You'll have fewer spacing issues and such. Hopefully others
will have more to add. =)
--Mike
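The following is an added example, not code posted in this thread, showing the check Mike describes: compare the wanted rule verbatim against the lines iptables-save prints, restricted to one table so that identically worded rules in another table do not count. The dump is a constructed sample, not output from a real host. Two caveats worth knowing before relying on it: iptables-save prints the kernel's canonical form (`-p tcp --dport 22` comes back as `-p tcp -m tcp --dport 22`, addresses carry a prefix length), so the query must be written in that form; and iptables 1.4.11 and later grew a `-C`/`--check` option that asks the kernel directly, which did not exist when this thread was written.

```python
"""Exact-match check of a rule against iptables-save output (added example)."""
import subprocess

# Constructed `iptables-save` output covering two tables; not captured from a host.
# Note the canonical form: a rule entered as `-p tcp --dport 22` is printed back
# as `-p tcp -m tcp --dport 22`, and addresses carry an explicit prefix length.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed
"""


def table_rules(dump, table):
    """Return the `-A ...` lines belonging to `table` in iptables-save output."""
    rules, current = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()       # "*filter" opens a table block
        elif line == "COMMIT":
            current = None                    # closes the current table block
        elif current == table and line.startswith("-A "):
            rules.append(line)
    return rules


def rule_exists(dump, table, rule):
    """True if `rule` appears verbatim as one rule line of `table`."""
    return rule in table_rules(dump, table)


def live_dump():
    """Current ruleset from the running kernel; needs root, so not exercised here."""
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    ssh = "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
    print(rule_exists(SAMPLE_DUMP, "filter", ssh))                                     # True
    print(rule_exists(SAMPLE_DUMP, "nat", ssh))                                        # False
    print(rule_exists(SAMPLE_DUMP, "filter", "-A INPUT -p tcp --dport 22 -j ACCEPT"))  # False
```

On a live system replace SAMPLE_DUMP with live_dump(); the third call returns False only because the query is not in canonical form, which is exactly the spacing and wording trap a plain grep over `iptables -L` output also falls into.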
* Re: Check for rule existence
From: Grant Taylor @ 2010-06-14 18:22 UTC (permalink / raw)
To: Mail List - Netfilter
On 06/14/10 12:23, Curby wrote:
> Just a quick note that you might want to look at iptables-save
> instead of vanilla iptables if you aren't already. The former
> command gives the rules in a sort of canonical form that is used for
> restoring rulesets. You'll have fewer spacing issues and such.
> Hopefully others will have more to add. =)
(iptables-save) Agreed.
I'd also recommend that you apply your rule and see how iptables-save
regurgitates the same rule back at you, especially if you are doing
a textual comparison of the rule.
If you aren't doing a textual comparison of the rule and are actually
breaking it out into its individual elements (like command line
argument processing) you will have a better chance of matching the rule
on more systems. Something as simple as a different interface name will
throw off your textual match, e.g. "eth0" is actually "eth1".
Depending on how system agnostic you are trying to be, processing the
rule as if it were a command line (looking for individual pieces) will
probably be the easiest to do.
Grant. . . .
* Re: Check for rule existence
From: Grant Taylor @ 2010-06-14 18:24 UTC (permalink / raw)
To: Mail List - Netfilter
On 06/14/10 13:22, Taylor, Grant wrote:
> Depending on how system agnostic you are trying to be, processing the
> rule as if it were a command line (looking for individual pieces) will
> probably be the easiest to do.
Also remember that iptables(-save) is going to give you the output of
what is in the kernel. Any hostnames that you specified in your rule will
be translated to IPs and entered in the kernel as such. This could be
even more tricky if you have hostnames that are being translated to
dynamic IPs.
Grant. . . .
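The two messages above suggest breaking a rule into its individual pieces rather than matching text, and warn that the kernel only holds addresses, never hostnames. The example below is added here and is not code from the thread: it parses a rule the way iptables parses a command line (option, optional `!` negation, value), folds a few long option spellings onto their short forms, normalises `-s 192.0.2.10` to the `192.0.2.10/32` that iptables-save prints, and adds the `-m tcp`/`-m udp` match that iptables loads implicitly when a port option is used with `-p tcp` or `-p udp`. The dump is a constructed sample, and the alias table is assumed to be enough for the options shown; any other match you rely on needs its own entries. Hostnames are deliberately not resolved here: resolve them before calling, and note that a name with several addresses produced several rules.

```python
"""Token-based comparison of iptables rules (added example, not from the thread).

Each rule is split into (option, negated, value) pieces the way iptables parses
a command line, so option order, short versus long spellings and
`192.0.2.10` versus `192.0.2.10/32` no longer break the match."""
import ipaddress
import shlex

# Constructed iptables-save output for the filter table; not captured from a host.
# Addresses appear as the kernel holds them: a hostname given on the command line
# has already been resolved and is printed with an explicit prefix length.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -i lo -p udp -m udp --dport 514 -j DROP
COMMIT
"""

# Long spellings iptables accepts for the options used here (assumed sufficient
# for this example; extend it for the other matches you rely on).
ALIASES = {"--append": "-A", "--source": "-s", "--destination": "-d",
           "--protocol": "-p", "--in-interface": "-i", "--out-interface": "-o",
           "--jump": "-j", "--match": "-m",
           "--destination-port": "--dport", "--source-port": "--sport"}
ADDRESS_OPTS = {"-s", "-d"}
PORT_OPTS = {"--dport", "--sport"}


def parse_rule(text):
    """Return (chain, frozenset of (option, negated, value)) for one rule."""
    toks = shlex.split(text)
    chain, opts, i = None, set(), 0
    while i < len(toks):
        negated = toks[i] == "!"              # current form: "! -s 10.0.0.0/8"
        if negated:
            i += 1
        opt = ALIASES.get(toks[i], toks[i])
        i += 1
        if i < len(toks) and toks[i] == "!":  # form used by older releases: "-s ! 10.0.0.0/8"
            negated, i = True, i + 1
        value = None
        if i < len(toks) and not toks[i].startswith("-"):
            value, i = toks[i], i + 1
        if opt == "-A":
            chain = value
        elif opt in ADDRESS_OPTS:
            # The kernel stores a network, so normalise to the CIDR form iptables-save prints.
            opts.add((opt, negated, str(ipaddress.ip_network(value, strict=False))))
        else:
            opts.add((opt, negated, value))
    return chain, frozenset(opts)


def normalize(parsed):
    """Add the `-m tcp` / `-m udp` match that iptables loads implicitly when a
    port option is used with `-p tcp` or `-p udp`, so a rule typed on the
    command line compares equal to its iptables-save rendering."""
    chain, opts = parsed
    opts = set(opts)
    proto = next((v for o, n, v in opts if o == "-p" and not n), None)
    if proto in ("tcp", "udp") and any(o in PORT_OPTS for o, _, _ in opts):
        opts.add(("-m", False, proto))
    return chain, frozenset(opts)


def find_rule(dump, rule):
    """Return the iptables-save line that is structurally equal to `rule`, or None.
    `rule` must already contain addresses, not hostnames: resolve names first."""
    want = normalize(parse_rule(rule))
    for line in dump.splitlines():
        if line.startswith("-A ") and normalize(parse_rule(line)) == want:
            return line
    return None


if __name__ == "__main__":
    # Different option order, no prefix length, no explicit -m tcp: still found.
    print(find_rule(SAMPLE_DUMP, "-A INPUT -p tcp --dport 22 -j ACCEPT -s 192.0.2.10"))
    # Negation is part of the rule's meaning, so dropping the "!" must not match.
    print(find_rule(SAMPLE_DUMP, "-A INPUT -i lo -p udp --dport 514 -j DROP"))   # None
```

Comparing frozensets makes the check order-insensitive, which is what you want for existence but not for position: if the rule must sit before a DROP to take effect, check the index of the returned line in the chain as well.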
* Re: Check for rule existence
From: Grant Taylor @ 2010-06-14 18:25 UTC (permalink / raw)
To: Mail List - Netfilter
On 06/14/10 12:23, Curby wrote:
> Hopefully others will have more to add. =)
You might want to look into the "comment" match extension.
You could add a comment to rules that you are entering, and then look
for said comment as a flag when looking for the rule. That way you
wouldn't have to process nearly as much, because you can look for your
own flag.
Grant. . . .
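An added example of the tagging approach Grant suggests, not code from the thread: every rule a tool owns is created with `-m comment --comment "<tag>"`, and existence is then a question of finding that tag in iptables-save output rather than reconstructing the whole rule. The dump and the `mgmt:` tag scheme are constructed for this example. Two caveats: the comment match accepts at most 256 characters, and the tag is plain bookkeeping, not an integrity mechanism, since anyone able to add rules can add the same comment.

```python
"""Flagging rules with the comment match and finding them by tag (added example)."""
import shlex

# Constructed iptables-save output; not captured from a host. Each managed rule
# carries a tag in the comment match so it can be found without parsing the
# rest of the rule. iptables-save quotes comments that contain spaces and
# backslash-escapes embedded double quotes, which shlex undoes for us.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "mgmt:ssh-admin" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "mgmt:https v2" -j ACCEPT
-A INPUT -s 203.0.113.0/24 -m comment --comment "manual edit" -j DROP
COMMIT
"""

MAX_COMMENT = 256  # limit of the xt_comment match


def rule_comment(line):
    """Return the value of `--comment` in an iptables-save rule line, or None."""
    toks = shlex.split(line)
    for i, tok in enumerate(toks[:-1]):
        if tok == "--comment":
            return toks[i + 1]
    return None


def rules_with_tag(dump, tag):
    """Return the rule lines whose comment equals `tag` exactly."""
    return [line for line in dump.splitlines()
            if line.startswith("-A ") and rule_comment(line) == tag]


def rules_with_prefix(dump, prefix):
    """Map comment -> rule line for every rule whose comment starts with `prefix`,
    e.g. to list everything a given tool owns before rewriting it."""
    found = {}
    for line in dump.splitlines():
        if line.startswith("-A "):
            comment = rule_comment(line)
            if comment is not None and comment.startswith(prefix):
                found[comment] = line
    return found


def tagged_rule(chain, spec, tag):
    """Build the iptables argument list that appends `spec` to `chain` flagged
    with `tag`; the comment goes first so it never lands after the target."""
    if len(tag) > MAX_COMMENT:
        raise ValueError("comment match is limited to %d characters" % MAX_COMMENT)
    return ["iptables", "-A", chain, "-m", "comment", "--comment", tag, *shlex.split(spec)]


if __name__ == "__main__":
    print(rules_with_tag(SAMPLE_DUMP, "mgmt:ssh-admin"))
    print(sorted(rules_with_prefix(SAMPLE_DUMP, "mgmt:")))   # ['mgmt:https v2', 'mgmt:ssh-admin']
    print(" ".join(tagged_rule("INPUT", "-p tcp --dport 22 -j ACCEPT", "mgmt:ssh-admin")))
```

Because the tag identifies the rule, a rule whose other arguments changed (say, a resolved address that moved) still shows up under its tag, which lets a script decide between "missing, add it" and "present but stale, replace it".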