Due to the transition from "iptables-legacy" to "iptables-nft" I wrote this function, but the problem is that raw, mangle and especially nat seem to be loaded by the compat layer, which ends in useless tables and chains on machines only using "-t filter", which is some overhead given that the counters are going up.

Is there a better way for "function loaded_tables" and/or at least a scriptable one to delete such unused tables and chains at the end of "iptables.sh" before the ruleset is saved?

The goal is, like before: if "iptables.sh" is using "-t mangle", just use it; load what is needed and when not, keep it outside the ruleset in a generic way. We share "iptables.sh" between all machines (host firewalls behind the datacenter firewall, which has completely different scripts) because the default policies are all the same and specific stuff can be wrapped in if-statements depending on $HOSTNAME.

------------------------------------------------------------------------------------------------

In case of "nat" that ends in loading useless modules, and afterwards you have that all in the save file:

nft_chain_nat          16384  4
nf_nat                 53248  1 nft_chain_nat
nf_conntrack          159744  4 xt_conntrack,nf_nat,nf_conncount,xt_connlimit
libcrc32c              16384  2 nf_conntrack,nf_nat
nf_tables             229376  327 nft_compat,nft_counter,nft_chain_nat

------------------------------------------------------------------------------------------------

function loaded_tables {
  local TABLE TABLES
  if [ "$IPTABLES_NFT" == 0 ]; then
    # iptables-legacy: the kernel lists exactly the tables that are loaded
    for TABLE in $(<'/proc/net/ip_tables_names'); do
      TABLES="${TABLES}\n${TABLE}"
    done
  else
    # iptables-nft: probe each table name with -L; this probe is what makes
    # the compat layer create the table (the problem described above)
    for TABLE in raw mangle filter nat wtf; do
      if [ "$(iptables-nft -t "$TABLE" -L 2> '/dev/null')" != '' ]; then
        TABLES="${TABLES}\n${TABLE}"
      fi
    done
  fi
  # one table per line, sorted, duplicates and empty lines dropped
  echo -e "$TABLES" | sort | uniq | awk 'NF'
}

------------------------------------------------------------------------------------------------

$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT

LOADED_TABLES="$(loaded_tables)"
for table in $LOADED_TABLES; do $IPTABLES -t "$table" -F; done
for table in $LOADED_TABLES; do $IPTABLES -t "$table" -X; done

------------------------------------------------------------------------------------------------
IPV4 TABLE MANGLE (STATEFUL PRE-NAT/FILTER)
------------------------------------------------------------------------------------------------

Chain PREROUTING (policy ACCEPT 7719K packets, 2360M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 7719K packets, 2360M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6973K packets, 12G bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 6973K packets, 12G bytes)
num   pkts bytes target     prot opt in     out     source               destination

------------------------------------------------------------------------------------------------
IPV4 TABLE NAT
------------------------------------------------------------------------------------------------

Chain PREROUTING (policy ACCEPT 605K packets, 40M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 605K packets, 40M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 342K packets, 30M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 342K packets, 30M bytes)
num   pkts bytes target     prot opt in     out     source               destination

------------------------------------------------------------------------------------------------
IPV4 TABLE RAW (STATELESS PRE-CONNTRACK)
------------------------------------------------------------------------------------------------

Chain PREROUTING (policy ACCEPT 7719K packets, 2360M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6973K packets, 12G bytes)
num   pkts bytes target     prot opt in     out     source               destination
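One way to approach the question above, as an added example that is not from the original post: ask nftables what already exists instead of probing each table through iptables-nft, because `iptables-nft -t TABLE -L` makes the compat layer create that table while `nft list tables ip` only lists existing ones, and then delete the tables that hold nothing worth saving. The names `loaded_tables_from_nft`, `table_is_unused` and `drop_unused_tables` are assumptions; the first two only parse text, the third needs root plus nft and iptables-nft on the host.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names:
# loaded_tables_from_nft, table_is_unused, drop_unused_tables.

# Print the iptables-nft table names that already exist in the ip family.
# Reads `nft list tables ip` output ("table ip filter", one per line) on
# stdin; unlike `iptables-nft -t TABLE -L`, listing via nft creates nothing.
loaded_tables_from_nft() {
    awk '$1 == "table" && $2 == "ip" &&
         ($3 == "raw" || $3 == "mangle" || $3 == "filter" ||
          $3 == "nat" || $3 == "security") { print $3 }' | sort -u
}

# Succeed (exit 0) when a table holds nothing worth saving: no rules (-A),
# no user chains (-N) and every built-in chain still at policy ACCEPT.
# Reads `iptables-nft -t TABLE -S` output on stdin.
table_is_unused() {
    ! awk '$1 == "-A" || $1 == "-N" || ($1 == "-P" && $3 != "ACCEPT") { used = 1 }
           END { exit used ? 0 : 1 }'
}

# On a real host (root, nft and iptables-nft present): delete every ip table
# that only exists because the compat layer created it, so it stays out of
# the saved ruleset. iptables-nft recreates a table the next time it is used.
drop_unused_tables() {
    for t in $(nft list tables ip | loaded_tables_from_nft); do
        if iptables-nft -t "$t" -S | table_is_unused; then
            echo "removing empty table ip $t"
            nft delete table ip "$t"
        fi
    done
}
```

Call `drop_unused_tables` at the end of the firewall script, after the filter policies are set and before the ruleset is saved; a filter table with a DROP policy counts as used and is kept.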