IPTABLE rules validation

[Ivang]

Hi I am planning to build firewall UI for iptables command line. Can anyone please let me know is there any way to automatically validate the rules in the table.

For instance , intially
1> i add a rule to drop telnet connections from anywhere.
2>then i add a rule to accept telnet connections from anywhere.

for 2nd rule currently i delete the first rule by searching in the table and then add the 2nd rule.

So in the above case, is there a way by which i can say to delete the 1st rule automatically as its exactly inverse of 2nd one.


Please let me know.

Best Regards,
Ivan

[MSK61]

As far as I know, there's no such automatic way to accomplish this. What iptables does is very simple and systematic, pass the package through all the rules until it finds the first match. So in your case, any telnet connection would match the first rule, thus becomes blocked.
So I think a lot may be waiting for your smart UI to provide such a feature.

[stevea]

I'm no expert on iptables, but couldn't you match and goto another table which had a "DROP" rule, then to accomplish 2> you insert an ACCEPT rule prior to the DROP ?

[Ivang]

My only concern was to remove such invalid multiple rules which otherwise would create a large set of rules in the View Iptable rules page.

what i mean is, when user tries to see the iptable rules, he might see a big list of which few might be invalid because of others getting matched before them.


So i was looking at someway to clean up the iptable list.

Thanks for your inputs,
Ivan.

[Ivang]

Is there an easy way to parse iptables-L command or iptables-save output to determine these:
interface device, protocol, source address, source port, destination address, ..etc


I saw the iptable-xml.c at which converts iptables-save command output to XML
http://svn.netfilter.org/cgi-bin/vie...runk/iptables/

Any other pointers would be really helpful.


Best Regards,
Ivan