List of loaded iptables modules
Is there any convenient way to show the loaded iptables module list? I can show installed modules by listing the /lib/iptables/ (or /lib64/iptables/) directory, but I need the active module list.
Loaded iptables modules can be found in the /proc/net/ip_tables_matches proc filesystem entry.
cat /proc/net/ip_tables_matches
In PHP I can access the loaded iptables modules by loading and exploding the file contents:
<?php
// Read the procfs list of registered match extensions, one name per line
$content = file_get_contents('/proc/net/ip_tables_matches');
// trim() drops the trailing newline so explode() does not yield an empty last element
$modules = explode("\n", trim($content));
Of course, it requires the proc filesystem to be mounted (most GNU/Linux distros mount it by default).
This is a really old post but here we go:
# lsmod | grep ip
shows a list of loaded modules, most of which I think are related to iptables...
/proc/net/ip_tables_matches doesn't show modules (at least not in RHEL 6).
Take a look in the following directory (replace per your kernel version):
ls /lib/modules/2.6.32-504.8.1.el6.x86_64/kernel/net/netfilter/
You can load the module using modprobe (dropping the .ko suffix as listed in the directory):
modprobe nf_conntrack_ftp
Alternatively, you can ensure it's loaded at boot by adding it to /etc/sysconfig/iptables-config (RHEL/CentOS):
IPTABLES_MODULES="nf_conntrack_ftp"
This seems to be poorly documented.
Try this for a fast overview of the netfilter modules present on your system; here is a one-liner for pasting:
for i in /lib/modules/$(uname -r)/kernel/net/netfilter/*; do echo -e "\e[33;1m$(basename "$i")\e[0m"; strings "$i" | \grep -e description -e depends| sed -e 's/Xtables: //g' -e 's/=/: /g' -e 's/depends=/depends on: /g'; echo; done
Again for readability, with added newlines:
#!/bin/bash
# Walk the netfilter module directory of the running kernel and print, for each file,
# its name (yellow) followed by the description and depends lines embedded in the module.
# Note: compressed modules (.ko.xz, .ko.zst) hide these strings; `modinfo` reads them directly.
for i in /lib/modules/$(uname -r)/kernel/net/netfilter/*
do
    echo -e "\e[33;1m$(basename "$i")\e[0m"
    # \grep bypasses any grep alias (e.g. one adding --color) so the output stays plain
    strings "$i" | \grep -e description -e depends | sed -e 's/Xtables: //g' -e 's/=/: /g' -e 's/depends=/depends on: /g'
    echo
done
The filename will appear in yellow, from which you can guess whether the module in question exists or not. Description and dependencies are the next two lines below.
This will not cover everything (because that would be too easy, ofc). Only looking up the modules manually, to see if they exist, gives you 100% accurate information.
iptables -m <match/module name> --help
If a module exists on your system, at the end of the help text you will get some info on how to use it:
ctr-014# iptables -m limit --help
iptables v1.4.14
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
...
[!] --version -V print package version.
limit match options:
--limit avg max average match rate: default 3/hour
[Packets per second unless followed by
/sec /minute /hour /day postfixes]
--limit-burst number number to match in a burst, default 5
ctr-014#
If the module is not present on your system:
ctr-014# iptables -m iplimit --help
iptables v1.4.14: Couldn't load match `iplimit':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ctr-014#
As Gonio has suggested, lsmod lists all loaded kernel modules, but grepping "ip" won't give you all iptables modules.
I would rather use
lsmod|grep -E "nf_|xt_|ip"
and still, I'm not sure the list will be complete.
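Putting the thread's pieces together, here is an added POSIX shell script (not code from any of the posters) that cross-references the kernel's registered extension names from the procfs lists with the loaded-module list lsmod reads, so each match or target is reported either with the module providing it or as built-in/other. The prefix list and the xt_/ipt_/ip6t_ naming lookup are assumptions documented in the comments; file paths are parameters so it also runs on captured copies.

```shell
#!/bin/sh
# Added example: cross-reference registered xtables extension names with loaded modules.
# Live inputs: /proc/net/ip_tables_matches (or ip_tables_targets) and /proc/modules.

# Print the netfilter-related module names from lsmod-style text (header line, then
# "name size usecount deps"). Assumed prefixes: nf_/nft_ (core, conntrack, nat, nftables),
# xt_ (xtables matches and targets), ipt_/ip6t_ and iptable_/ip6table_ (legacy per-family),
# ip_tables/ip6_tables and nfnetlink.
netfilter_module_names() {
    awk 'FNR > 1 && $1 ~ /^(nf_|nft_|xt_|ipt_|ip6t_|iptable_|ip6table_|ip_tables|ip6_tables|nfnetlink)/ { print $1 }' "$1"
}

# extension_status EXT_FILE MODULES_FILE
# For every name in EXT_FILE (one per line, the procfs format) print "<name> <module>" when a
# loaded module named xt_<name>, ipt_<name> or ip6t_<name> exists. The comparison is
# case-insensitive because match modules are lower-case (xt_limit) and target modules
# upper-case (xt_LOG). Otherwise print "<name> builtin-or-other": the extension is compiled
# into the kernel or provided by a module with a different name, which grepping lsmod
# alone cannot tell apart.
extension_status() {
    awk '
        FILENAME == ARGV[1] { if (FNR > 1) loaded[tolower($1)] = $1; next }
        NF > 0 {
            n = tolower($1); found = "builtin-or-other"
            if (("xt_" n) in loaded)        found = loaded["xt_" n]
            else if (("ipt_" n) in loaded)  found = loaded["ipt_" n]
            else if (("ip6t_" n) in loaded) found = loaded["ip6t_" n]
            print $1, found
        }' "$2" "$1"
}

# On a live system report the match extensions; skipped where procfs lacks the files.
if [ -r /proc/net/ip_tables_matches ] && [ -r /proc/modules ]; then
    extension_status /proc/net/ip_tables_matches /proc/modules
fi
```

Pass /proc/net/ip_tables_targets as the first argument to check targets instead of matches.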
As an alternative method, this can also be done with a Python script.
First make sure you have the iptc library: sudo pip install --upgrade python-iptables (assuming Python 3 is your version).
import iptc

# Walk the filter table; reading the rules needs root (CAP_NET_ADMIN).
table = iptc.Table(iptc.Table.FILTER)
for chain in table.chains:
    print("------------------------------------------")
    print("Chain ", chain.name)
    for rule in chain.rules:
        print("Rule ", "proto", rule.protocol, "src:", rule.src, "dst:", rule.dst,
              "in:", rule.in_interface, "out:", rule.out_interface)
        # The match extensions referenced by this rule are the xtables modules actually in use
        print("Matches:")
        for match in rule.matches:
            print(match.name)
        print("Target:")
        print(rule.target.name)
print("------------------------------------------")