Remove duplicate iptables rules?

Freek

I see I have some duplicate iptables rules on my server.
Is there a command/script to remove to remove duplicate rules automatically?
I found this script, but I don't trust it too much: http://elliottback.com/wp/iptables-bash-shell-cleanup-script/

AnthonySmith

A bash script to list your rules, echo them in to a file, run diff/sort on them, flush current rules and apply the clean set would be simple enough, drop me an email if you want, I could write you something fairly quick with a backup option just for confidence

natestamm

@Freek i take it out of the control of any other Net services and handle iptables with my own scripts. Just my two

taronyu

Isn't CSF a solution for this?

Rallias

@AnthonySmith said: A bash script to list your rules

iptables-save

@AnthonySmith said: echo them in to a file

> /etc/iptables.conf

@AnthonySmith said: run diff/sort on them

This I don't know.

@AnthonySmith said: flush current rules

iptables -F

@AnthonySmith said: and apply the clean set

iptables-restore < /etc/iptables.conf

yomero

Or just create an script with your rules and flush the rules at the start

dmmcintyre3

Just comment out the duplicate rules in /etc/sysconfig/iptables and run service iptables restart

Rallias

@dmmcintyre3 said: Just comment out the duplicate rules in /etc/sysconfig/iptables and run service iptables restart

Only if on an RHEL-based distro.

AuroraZ

@yomero said: Or just create an script with your rules and flush the rules at the start

This is what I do on my servers works well. Can also use the script on what ever distro you install.

t3k9

iptables-save | uniq | iptables-restore

kro

Lol @ win

Damian

^^^^ that's what we use on a 24hr cron task.

bdtech

Does uniq mess up the order of rules?

Rallias

@t3k9 That won't work. Uniq only works if a line occurs twice in a row, which may not be the case in an iptables ruleset.

FFFlip

awk! awk!

iptables-save | awk ' !x[$0]++' | iptables-restore

Famous Awk One-Liners Explained: 43. Remove duplicate, nonconsecutive lines

yomero

@Rallias said: @t3k9 That won't work. Uniq only works if a line occurs twice in a row, which may not be the case in an iptables ruleset.

| sort | uniq

FFFlip

@yomero said: | sort | uniq

fscking with the order of things in iptables-land ist verboten!

yomero

@FFFlip said: order of things in iptables

Indeed n_n

So, my first recommendation stays, just do an script ¬_¬

Rallias

#!/usr/bin/perl open( my $iptablesSave, "-|", "iptables-save"); my @iptablesOrig; (@iptables) = <$iptablesSave>; close $iptablesSave; my @iptablesOut; foreach my $line (@iptablesOrig) { my $push = 1; foreach my $check (@iptablesOut) { if $check == $line { $push = 0; } } if $push == 1 { push $line, @iptablesOut; } } my $iptablesOut = join ("\n" @iptablesOut); open (my $iptablesRestore, "|-", "iptables-restore"); print $iptablesRestore $iptablesOut; close ($iptablesRestore);

No guarantees.

Freek

@AnthonySmith said: drop me an email if you want

Done But as t3k9's command also works, so it's not necessary anymore. But if you want to show off your bash skills, feel free to do so

@t3k9 said: iptables-save | uniq | iptables-restore

Works like a charm, thanks!

@FFFlip said: iptables-save | awk ' !x[$0]++' | iptables-restore

root@gunther:~# iptables-save | awk ' !x[$0]++' | iptables-restore
Bad argument *filter' Error occurred at line: 14 Tryiptables-restore -h' or 'iptables-restore --help' for more information.

@Rallias said: This I don't know.

Haha that's the magic

@dmmcintyre3 said: Just comment out the duplicate rules in

Wasn't planning on commenting out 40 duplicate lines.

FFFlip

nvm