Convert iptables info to graph with graph-easy and graphviz
Result
Creates a graph of how the iptables chains jump to one another. The result is shown below.
Prerequisite
Install the required commands
# sudo cpan Graph::Easy                    # for the graph-easy command
sudo apt-get install libgraph-easy-perl    # or use this command instead of cpan
sudo apt-get install graphviz              # for the dot command
Sample iptables chains
iptables-grizzly.txt
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quantum-openvswi-INPUT  all  --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
quantum-openvswi-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
quantum-openvswi-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
quantum-openvswi-local  all  --  anywhere             anywhere

Chain quantum-openvswi-FORWARD (1 references)
target     prot opt source               destination
quantum-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap40fae852-e1 --physdev-is-bridged
quantum-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap40fae852-e1 --physdev-is-bridged

Chain quantum-openvswi-INPUT (1 references)
target     prot opt source               destination
quantum-openvswi-o40fae852-e  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap40fae852-e1 --physdev-is-bridged

Chain quantum-openvswi-OUTPUT (1 references)
target     prot opt source               destination

Chain quantum-openvswi-i40fae852-e (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
RETURN     icmp --  anywhere             anywhere
RETURN     udp  --  L100.BSTNMA-VFTTP-109.verizon-gni.net  anywhere             udp spt:bootps dpt:bootpc
quantum-openvswi-sg-fallback  all  --  anywhere             anywhere

Chain quantum-openvswi-local (1 references)
target     prot opt source               destination

Chain quantum-openvswi-o40fae852-e (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             MAC ! FA:16:3E:20:ED:FD
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
DROP       all  -- !pool-100-0-0-2.bstnma.fios.verizon.net  anywhere
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
DROP       all  --  anywhere             anywhere             state INVALID
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
RETURN     all  --  anywhere             anywhere
quantum-openvswi-sg-fallback  all  --  anywhere             anywhere

Chain quantum-openvswi-sg-chain (2 references)
target     prot opt source               destination
quantum-openvswi-i40fae852-e  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap40fae852-e1 --physdev-is-bridged
quantum-openvswi-o40fae852-e  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap40fae852-e1 --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere

Chain quantum-openvswi-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywher
Convert to an ASCII graph
cat iptables-grizzly.txt |
  sed -e "s/Chain \(.*\) (.*)/[Chain\1]/g" |                                       # chain header line -> "[ChainNAME]"
  sed "/\(target\|DNAT\|ACCEPT\|MASQUERADE\|SNAT\|DROP\|RETURN\|REJECT\).*/d" |    # drop the column header and every rule whose line mentions a built-in target
  sed -e "s/^\([^ ]*\) .*/[\1]/g" |                                                # remaining rules -> "[jump-target]" (first column only)
  sed "/^$/d" |                                                                    # drop blank lines between chains
  awk -v ORS=, '{print $1}' |                                                      # join everything into one comma-separated line
  sed -e "s/\],\[Chain/] [Chain/g" |                                               # a space separates one chain's entries from the next chain
  sed -e "s/\[Chain\([^ ,]*\),/[\1---->/g" |                                       # "[ChainNAME],[target]" -> "[NAME]---->[target]"
  sed -e "s/\(.*\),/\1/g" |                                                        # remove the last comma on the line
  sed -e "s/Chain//g" |                                                            # chains with no jump rules keep just their bare name
  sed -e "s/\(.*\)---->/\1/g" |                                                    # remove the last arrow on the line (final chain has no jumps)
  graph-easy

[graph-easy ASCII box drawing of the chain graph: FORWARD --> quantum-openvswi-FORWARD --> quantum-openvswi-sg-chain --> quantum-openvswi-i40fae852-e --> quantum-openvswi-sg-fallback; OUTPUT --> neutron-filter-top --> quantum-openvswi-local; OUTPUT --> quantum-openvswi-OUTPUT; INPUT --> quantum-openvswi-INPUT --> quantum-openvswi-o40fae852-e --> quantum-openvswi-sg-fallback. The drawing itself did not survive extraction.]
Convert to a PNG file with Graphviz (dot command)
cat iptables-grizzly.txt |
  sed -e "s/Chain \(.*\) (.*)/[Chain\1]/g" |
  sed "/\(target\|DNAT\|ACCEPT\|MASQUERADE\|SNAT\|DROP\|RETURN\|REJECT\).*/d" |
  sed -e "s/^\([^ ]*\) .*/[\1]/g" |
  sed "/^$/d" |
  awk -v ORS=, '{print $1}' |
  sed -e "s/\],\[Chain/] [Chain/g" |
  sed -e "s/\[Chain\([^ ,]*\),/[\1---->/g" |
  sed -e "s/\(.*\),/\1/g" |
  sed -e "s/Chain//g" |
  sed -e "s/\(.*\)---->/\1/g" |
  graph-easy -as dot |                     # emit Graphviz dot syntax instead of ASCII
  dot -Tpng -o iptables-grizzly.png        # render it to a PNG file
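As an added example (not part of the original post), the same extraction done in a single awk pass instead of the sed chain above. It compares only the target column against the built-in verdicts, so a jump rule whose comment happens to contain "ACCEPT" keeps its edge instead of being deleted, and it emits chains that neither jump nor are jumped to as standalone nodes. The sample input is constructed and loosely modelled on the chains above.

```shell
#!/bin/sh
# Constructed sample in `iptables -L` format (modelled on the chains above).
# On a real host prefer `iptables -L -n` so addresses are not resolved to hostnames.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quantum-openvswi-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere             /* ACCEPT via neutron */
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain neutron-filter-top (1 references)
target     prot opt source               destination

Chain quantum-openvswi-INPUT (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
quantum-openvswi-sg-fallback  all  --  anywhere             anywhere

Chain quantum-openvswi-sg-fallback (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere'

# Read `iptables -L` output on stdin and print graph-easy syntax: one
# "[chain] -> [target]" edge per jump to a user-defined chain, plus a bare
# "[chain]" node for every chain that neither jumps nor is jumped to, so it
# still appears in the drawing.
iptables_edges() {
  awk '
    # Verdicts and target extensions are not chains. They are compared against
    # the target column only, so "ACCEPT" inside a rule comment is not taken
    # for a verdict and the jump edge on that line is kept.
    BEGIN { n = split("ACCEPT DROP REJECT RETURN LOG QUEUE SNAT DNAT MASQUERADE REDIRECT", t, " ")
            for (i = 1; i <= n; i++) builtin[t[i]] = 1 }
    /^Chain / { chain = $2; order[++nchains] = chain; next }
    /^target / || NF == 0 { next }
    !($1 in builtin) { print "[" chain "] -> [" $1 "]"; linked[chain] = linked[$1] = 1 }
    END { for (i = 1; i <= nchains; i++) if (!(order[i] in linked)) print "[" order[i] "]" }
  '
}

printf '%s\n' "$SAMPLE" | iptables_edges
```

Pipe the output into `graph-easy` or `graph-easy -as dot | dot -Tpng` exactly as above.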
Other iptables chains
- VM count: 3
- Neutron plugin: Open vSwitch
Other iptables chains 2
OpenStack Essex