Colored! network information: iptables, routes, addresses #shell #reporting #networking

Original forum link: https://forum.qubes-os.org/t/22258
Original poster: immeƫmosol
Created at: 2023-11-24 19:12:59
Posts count: 2
Likes count: 3
Tags: networking

Recently, I was tinkering around with network-related matters in Qubes, and found these things to come in handy, so I am sharing them here. Not Qubes OS specific, by the way.

retrieving network information with iptables & ip

In a single line, so that it can be selected by double-clicking and then pasted with the secondary/middle-click:

{ format='' ; : '\n--- %s ---\n' ; for table in filter mangle nat raw security ; do test -z "${format?}" || printf "${format?}" "${table?}" ; sudo iptables --table $table --line-numbers -vnL ; done ;} |  sed -E 's/^Chain.*$/\x1b[4m&\x1b[0m/' |  sed -E 's/^num.*/\x1b[33m&\x1b[0m/' |  sed -E '/([^y] )((REJECT|DROP))/s//\1\x1b[31m\3\x1b[0m/' |  sed -E '/([^y] )(ACCEPT)/s//\1\x1b[32m\2\x1b[0m/' |  sed -E '/([ds]pt[s]?:)([[:digit:]]+(:[[:digit:]]+)?)/s//\1\x1b[33;1m\2\x1b[0m/' |  sed -E '/([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}(\/([[:digit:]]){1,3}){0,1}/s//\x1b[36;1m&\x1b[0m/g' |  sed -E '/([^n] )(LOGDROP)/s//\1\x1b[33;1m\2\x1b[0m/'|  sed -E 's/ LOG /\x1b[36;1m&\x1b[0m/' ; sudo ip -6 -c a s ; sudo ip -6 -c r s ; sudo ip -4 -c r s ; sudo ip -4 -c a s ;
To print a header before each table's iptables output, remove the ' ; : ' sequence near the beginning of the line (so that the printf format string ends up in the format variable instead of being discarded by the : null command), i.e. change:
- { format='' ; : '\n
+ { format='\n

Or, split over multiple lines (semicolons (;) removed).

{
    {
        for table in filter mangle nat raw security
        do
            cmd="sudo iptables --table ${table?} --line-numbers --verbose --numeric --list"
            # aka sudo iptables --line-numbers -t nat -nvL
            printf '\n--- result of command: %s ---\n' "${cmd?}"
            ${cmd?}
        done
        unset cmd
    } |
        sed -E 's/^Chain.*$/\x1b[4m&\x1b[0m/' |
        sed -E 's/^num.*/\x1b[33m&\x1b[0m/' |
        sed -E '/([^y] )((REJECT|DROP))/s//\1\x1b[31m\3\x1b[0m/' |
        sed -E '/([^y] )(ACCEPT)/s//\1\x1b[32m\2\x1b[0m/' |
        sed -E '/([ds]pt[s]?:)([[:digit:]]+(:[[:digit:]]+)?)/s//\1\x1b[33;1m\2\x1b[0m/' |
        sed -E '/([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}(\/([[:digit:]]){1,3}){0,1}/s//\x1b[36;1m&\x1b[0m/g' |
        sed -E '/([^n] )(LOGDROP)/s//\1\x1b[33;1m\2\x1b[0m/' |
        sed -E 's/ LOG /\x1b[36;1m&\x1b[0m/'  # last sed in the pipeline: no trailing pipe, otherwise the output would be piped into the : null command and lost
    sudo ip -color -family inet6 address show # aka -6 -c a s
    sudo ip -color -family inet6 route show # aka   -6 -c r s
    sudo ip -color -family inet route show # aka    -4 -c r s
    sudo ip -color -family inet address show # aka  -4 -c a s
}
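The colouring above makes a long listing easier to read, but the same listing can also be reduced to a per-chain report. The following added example (not part of the original post) is a small awk parser for the `iptables --line-numbers -vnL` format that reports, per chain, the policy, the rule count and how many ACCEPT, DROP/REJECT and LOG rules it holds, plus how many deny rules have a non-zero packet counter (i.e. have actually matched traffic). The listing it runs on is constructed, not captured from a real host; the chain name LOGDROP is taken from the post.

```shell
#!/bin/sh
# Per-chain summary of `iptables --line-numbers -vnL` output (added example; reads the listing on stdin).
# Columns in that listing: num pkts bytes target prot opt in out source destination [extra].
summarize_iptables() {
    awk '
    /^Chain / {                      # "Chain NAME (policy X ...)" or "Chain NAME (N references)"
        chain = $2; policy = "-"
        if (match($0, /\(policy [A-Z]+/)) policy = substr($0, RSTART + 8, RLENGTH - 8)
        order[++n] = chain; pol[chain] = policy
        next
    }
    /^[0-9]+ / {                     # a numbered rule line; field 4 is the target
        t = $4; rules[chain]++
        if (t == "ACCEPT") acc[chain]++
        else if (t == "DROP" || t == "REJECT") deny[chain]++
        else if (t == "LOG") logs[chain]++
        # a pkts counter (field 2) other than "0" means the deny rule has matched real traffic
        if ((t == "DROP" || t == "REJECT") && $2 != "0") hits[chain]++
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            printf "%s policy=%s rules=%d accept=%d deny=%d log=%d deny_hits=%d\n",
                c, pol[c], rules[c] + 0, acc[c] + 0, deny[c] + 0, logs[c] + 0, hits[c] + 0
        }
    }'
}
# Constructed sample (not captured from a real host) in the format of: iptables -t filter --line-numbers -vnL
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1024  80K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      900  60K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        3  180 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4
4        0    0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 500 packets, 40K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        7  532 DROP       udp  --  *      *       0.0.0.0/0            10.0.0.0/8           udp dpt:53
Chain LOGDROP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        5  300 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
2        5  300 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)
# Live use: sudo iptables -t filter --line-numbers -vnL | summarize_iptables
printf '%s\n' "$SAMPLE" | summarize_iptables
```

User-defined chains such as LOGDROP have no policy, so the report shows "-" for them.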

Perhaps of interest, man ip documents:
- -json [-pretty] (usable with JSON (JavaScript Object Notation) parsing tools, for instance jq)
- -oneline (allows for counting/enumerating, or newline-separated iteration)

Another thing that might come in handy is to limit the listed addresses to the global scope: sudo ip -c a s scope global

Combining that with -oneline/-o allows, for instance, counting the global-scope addresses (one per output line) with wc in line-count mode (--lines/-l): sudo ip -o a s scope global | wc -l

iptables visualized

There are probably caveats, but these diagrams might be useful for understanding more of iptables/nft.

(image: packet_flow10, netfilter packet flow diagram) ~ src: http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/

(image: netfilter-tables-chains, netfilter tables and chains diagram) ~ src: unknown

iptables migration to nft

See: iptables-translate --help. For instance: sudo iptables-translate --table nat --line-numbers -vnL produces: nft list table ip nat