Searching conf file from fwbuilder policy compiler for iptables

[Mr_B]

Hi,
I have a complicated issue that I am hoping to overcome with a simple (ish) script, but I'm really not sure where to start.

I am using the fwbuilder policy compiler for iptables, which stores all existing rules etc in a file named conf.fw. The problem that I have is that the file contains literally thousands of IP addresses and address ranges which makes searching for meaningful information a nightmare.

To provide an example, let's say that one section of the config looks like this:

:Cid11223344.0 - [0:0]
-A FORWARD -p tcp -m tcp --dport 25 -m state --state NEW -j Cid11223344.0
-A Cid11223344.0 -d <IPAddress1> -j ACCEPT
-A Cid11223344.0 -d <IPAddress2> -j ACCEPT
-A Cid11223344.0 -d <IPAddress3> -j ACCEPT

Now, if I grep the file for <IPAddress3>, the result that I will get will not include the line '-A FORWARD -p tcp -m tcp --dport 25 -m state --state NEW -j Cid11223344.0' so I have no idea what the rule is for.

Obviously the example above is easy enough to overcome but I often need to search for /18 ranges, ensuring that I have the results for each individual IP in the range as well and the range itself - I then need to know what rule each IP address/range belongs to.

To make things a little more complicated, I need to produce the information in a user friendly format so that it can be understood by non-technical folk. So, what I am hoping for is a way of searching for, let's say 192.168.1.0/18 and producing a result that includes:

Source IP Address/Range, Destination IP Address/Range, Port, Protocol

Any help or advice would be greatly appreciated!

Chris

[Cabhan]

Well, there are a few possibilities.

I don't know anything about fwbuilder, but if every section of the file is like your example, I would think it pretty simple to grep for every line that contains the requested IP address and then search for the chain that you're adding it to. You could compile a big collection of these chains, then process the file again, this time looking for details of the chain.

Sorry I can't be of more help.

[Mr_B]

Well, there are a few possibilities.

I don't know anything about fwbuilder, but if every section of the file is like your example, I would think it pretty simple to grep for every line that contains the requested IP address and then search for the chain that you're adding it to. You could compile a big collection of these chains, then process the file again, this time looking for details of the chain.

Sorry I can't be of more help.

Thank you. I think I need to find a way to run a grep and then automatically grep a section of the result.

One problem is that there are sections of the file that are not formatted in the same way, but that's not too hard to work around because any lines that are not formatted as per my original example already contain the information I need to export.

So... Is it possible to automatically grep a grep result?

[Cabhan]

You can always pipe grep's output into another instance of grep. Or pipe grep's output into sed, do modifications, and pipe that to a new grep.

[Mr_B]

Cool, thanks.

[drl]

Hi.

If the format of the file is as you have written, then you can use a generalized context grep to extract windows of interesting text:

Code:

#!/bin/bash -

# @(#) s1       Demonstrate extracting pattern-delimited windows, cgrep.

echo
echo "(Versions displayed with local utility \"version\")"
version >/dev/null 2>&1 && version "=o" $(_eat $0 $1) cgrep
set -o nounset
echo

FILE=${1-data1}

echo " Data file $FILE:"
cat $FILE

echo
echo " Results:"
cgrep -D +I2 -+w "^:" "192.168.1.0/18" $FILE

exit 0

Producing:

Code:

% ./s1

(Versions displayed with local utility "version")
Linux 2.6.11-x1
GNU bash 2.05b.0
cgrep (local) - no version provided for ~/executable/cgrep.

 Data file data1:
:First item
-A FORWARD ... yadda yadda
:Cid11223344.0 - [0:0]
-A FORWARD -p tcp -m tcp --dport 25 -m state --state NEW -j Cid11223344.0
-A Cid11223344.0 -d <IPAddress1> -j ACCEPT
-A Cid11223344.0 -d <IPAddress2> -j ACCEPT
-A Cid11223344.0 -d 192.168.1.0/18 -j ACCEPT
-A Cid11223344.0 -d <IPAddress3> -j ACCEPT
:Someotheritem
-A FORWARD ... stuff
:Last item
-A FORWARD ... blah

 Results:
:Cid11223344.0 - [0:0]
-A FORWARD -p tcp -m tcp --dport 25 -m state --state NEW -j Cid11223344.0
-A Cid11223344.0 -d <IPAddress1> -j ACCEPT
-A Cid11223344.0 -d <IPAddress2> -j ACCEPT
-A Cid11223344.0 -d 192.168.1.0/18 -j ACCEPT
-A Cid11223344.0 -d <IPAddress3> -j ACCEPT

The options specify to bound the text window by the lines that begin with a ":", and the trailing delimiting line is excluded from the window. The cgrep code is available at cgrep home page -- I have found it to be solid and of great value in many instances. However, you will need to compile it and install it.

In your case, you will need to do more work for the friendly formatting, but the basic data is available. If necessary, you can allow a more visible marker to separate multiple windows; in the example, I turned that off with "-D".

Best wishes ... cheers, drl

[Mr_B]

Thank you drl,
Please can you tell me if you know a way of piping the results section to a file?

Cheers,

Chris

[drl]

Hi.

If I understand your question, you would like the results to be placed in a file, not displayed on the screen. That's called re-direction:

Code:

command options > filename-of-your-choice

That's a very commonly-available feature of shells. If you have not used that, I suggest you look over a few beginning tutorials -- for example, http://wooledge.org:8000/BashGuide or Bash Guide for Beginners

Best wishes ... cheers, drl

[Mr_B]

I'm not quite that dense

What I was looking for was a way to pipe only the result section out of the result but I've just run into a problem with the file formatting so it looks like the script is going to be more complicated that I first thought.

Thank you for your help anyway.