Iptables rules validation

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP


Iptables rules validation



I have a perl script that generates a shell script that will later be loaded by iptables on a remote machine. The data input for the perl script comes from a config file, where I can specify all kind of parameters for each rule.


perl


iptables



The problem is about validation, How would you validate the whole set of rules without the ability of executing it?



I have searched on CPAN and the closest solution was IPTables::Rule but it only validates some of the restrictions when it generates the rule. I can't use IPTables::IPv4 because it interacts directly with the host iptables.




4 Answers
4



This isn't directly achieveable. The iptables rules string syntax is parsed partly by iptables(8) and partly by the individual matching or action modules that are loaded. There's no standard way to parse the input without invoking the underlying C modules directly.


iptables


iptables(8)





Working with ternary logic (true, false, unknown) and abstracting over unknowns may still give you certain guarantees about your ruleset. Reference: academic paper - Semantics-Preserving Simplification of Real-World Firewall Rule Sets, Diekmann et al. Formal Methods 2015.
– corny
Apr 2 '16 at 16:54





Check out fffuu, the fancy formal firewall universal understander. It is a static analyzer for rulesets of the iptables firewall. The tool is still under active development (as of February 2017) and not completely finished yet. However, the core is completely formally verified and thus, you can trust it.



As input, it just needs the output of iptables-save. For your scenario, you could generate this output on a virtual machine.


iptables-save



What do you want to validate?



fffuu can:



Note that ITval has bugs, reported in Verified iptables Firewall Analysis by Cornelius Diekmann, Julius Michaelis, Maximilian Haslbeck, and Georg Carle. In IFIP Networking 2016, Vienna, Austria, May 2016 (Section 2, paragraph 2).



Disclaimer: I'm the author of fffuu, my views may be biased and fffuu is not perfect (yet). But hey, it's free and libre and I hope it helps. Feel free to reuse any of the code :-)





I can't help reading the name in a pronounceable way: as "fu-fu-fu" ;-)
– jpaugh
Feb 14 '17 at 21:59



check the following sf.net project http://sourceforge.net/projects/itval/





Note that link-only answers are discouraged, SO answers should be the end-point of a search for a solution (vs. yet another stopover of references, which tend to get stale over time). Please consider adding a stand-alone synopsis here, keeping the link as a reference.
– kleopatra
Dec 26 '13 at 13:30



Here is how I test rules in a sh script:


#!/bin/sh
/usr/sbin/iptables-restore --test < yourfileofrules
[ $? -ne 0 ] && {
echo File does NOT syntax check
exit 1
}



In perl, you'll execute the iptables-restore command in whatever way you prefer and then check for a '0' exit status for success.






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Makefile test if variable is not empty

Makefile test if variable is not empty In a makefile I'm trying to I've created this simplified makefile to demonstrate my problem. Neither make a or make b executes the body of the if, I don't understand why not. make a make b .PHONY: a b a: $(eval MY_VAR = $(shell echo whatever)) @echo MY_VAR is $(MY_VAR) $(info $(MY_VAR)) ifneq ($(strip $(MY_VAR)),) @echo "should be executed" endif @echo done b: $(eval MY_VAR = $(shell echo '')) @echo MY_VAR is $(MY_VAR) $(info $(MY_VAR)) ifneq ($(strip $(MY_VAR)),) @echo "should not be executed" endif @echo done I'm using $ make --version GNU Make 3.81 There are several problems, and misunderstandings. Your MY_VAR is a make variable, set it without a <tab> to its value, and no need to $(eval ...) . MY_VAR:=$(shell echo whatever) is enough. No <tab> before $(info ...) neither, this is make – Zelnes
Read more

Will Oldham

Image
"Palace Music" redirects here. For the racehorse, see Palace Music (horse). Bonnie 'Prince' Billy Will Oldham, June 6, 2009 Background information Birth name William Oldham Also known as Palace Brothers Palace Music Bonnie 'Prince' Billy Born ( 1970-12-24 ) December 24, 1970 (age 47) Louisville, Kentucky, United States Genres Folk alternative country country freak folk [1] Years active 1993–present Labels Drag City, Domino, Spunk Associated acts Dawn McCarthy, The Cairo Gang, Mekons, Matt Sweeney, Mick Turner, Tortoise, Trembling Bells, Harem Scarem, The Picket Line, Alex Neilson, Björk, Slint Website www.bonnieprincebilly.com Will Oldham (born December 24, 1970), better known by the stage name Bonnie 'Prince' Billy , is an American singer-songwriter and actor. From 1993 to 1997, he performed and recorded under variations of the Palace name, including the Palace Brothers, Palace Songs, and Palace Music. After releasing material under his own name,
Read more

'Series' object is not callable Error / Statsmodels illegal variable name

Image
Clash Royale CLAN TAG #URR8PPP 'Series' object is not callable Error / Statsmodels illegal variable name Update: You can download my dataset here. I am running a simple OLS regression with statsmodels and pandas dataframe as following: import statsmodels.formula.api as sm import pandas as pd df=pd.read_csv("exp.csv") #df is a dataframe that I have containing many variable names such as AAPL, SPY, INF, etc. for column in df: result=sm.ols(formula="SPY"+" ~ "+column, data=df).fit() However, one of the column name in df is INF . I guess maybe INF is a reserved word for pasty, the code gives me the following error: INF INF Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/home/ap248/.local/easybuild/software/2017/Core/miniconda2/4.3.27/lib/python2.7/site-packages/statsmodels/base/model.py", line 155, in from_formula missing=missing) File "/home/ap248/.local/easybuild/softw
Read more