List of loaded iptables modules

Is there any convenient way to show the loaded iptables module list? I can show installed modules by listing the /lib/iptables/ (or /lib64/iptables/ ) directory, but I need the active module list.

Loaded iptables modules can be found in the /proc/net/ip_tables_matches proc filesystem entry.

cat /proc/net/ip_tables_matches

In PHP I can access the loaded iptables modules by loading and exploding the file contents:

// Read the proc entry and split it into one match name per array element
$content = file_get_contents('/proc/net/ip_tables_matches');
$modules = explode("\n", $content);

Of course it requires the proc filesystem to be mounted (most GNU/Linux distros mount it by default).

This is a really old post, but here we go:

# lsmod | grep ip

shows a list of loaded modules, of which I think most are related to iptables... /proc/net/ip_tables_matches doesn't show modules (at least not in RHEL 6).

Take a look in the following directory (replace per your kernel version):

ls /lib/modules/2.6.32-504.8.1.el6.x86_64/kernel/net/netfilter/

You can load the module using (dropping the .ko as listed in the directory):

modprobe nf_conntrack_ftp

Alternatively, you can ensure it's loaded at boot by adding it to:

/etc/sysconfig/iptables-config (RHEL/CentOS)

IPTABLES_MODULES="nf_conntrack_ftp"

This seems to be poorly documented.

As Gonio has suggested, lsmod lists all loaded kernel modules, but grepping "ip" won't give you all iptables modules.

I would rather use

lsmod|grep -E "nf_|xt_|ip"

and still, I'm not sure the list will be complete.
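The two answers above check different things: the proc entry lists matches that xtables extensions have registered, while lsmod lists kernel modules, and "grep ip" over lsmod catches unrelated modules such as ipv6. The script below is an added example written for this page, not code from any of the answers: it filters lsmod-style output with an explicit list of netfilter module-name prefixes (the prefix list is an assumption drawn from the kernel's net/netfilter naming and may need extending), and probes /proc/net/ip_tables_matches for a named match, distinguishing "not registered" from "proc entry not readable". The lsmod sample embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original answers): enumerate netfilter modules
# from lsmod output with an explicit prefix list instead of grep "ip", and
# check whether a match is registered via /proc/net/ip_tables_matches.

# Module-name prefixes used by netfilter/xtables code in the kernel tree
# (xt_ matches and targets, ipt_/ip6t_ legacy IPv4/IPv6 extensions, nf_
# core/conntrack/nat, iptable_/ip6table_ table modules, nft_ nftables,
# ebt_/arpt_ bridge and ARP tables). This list is an assumption: it is
# good enough for a first pass, extend it if your kernel ships others.
NF_PREFIXES='^(xt_|ipt_|ip6t_|ip_tables|ip6_tables|iptable_|ip6table_|nf_|nft_|ebt_|ebtable_|arpt_|arptable_|nfnetlink|br_netfilter)'

# Read lsmod output on stdin; print the names of netfilter-related modules,
# one per line. The first line of lsmod output is a header and is skipped.
netfilter_modules() {
    awk -v re="$NF_PREFIXES" 'NR > 1 && $1 ~ re { print $1 }'
}

# Same, joined with commas so the result is easy to compare in scripts.
netfilter_module_list() {
    netfilter_modules | paste -sd, -
}

# Return 0 if match NAME is registered with xtables, 1 if it is not, and 2
# if the proc entry cannot be read (procfs not mounted, or the entry absent
# because no xtables module has registered anything yet).
# $1 = match name, $2 = listing file (defaults to the real proc entry).
match_registered() {
    name=$1
    file=${2:-/proc/net/ip_tables_matches}
    [ -r "$file" ] || return 2
    grep -qx -- "$name" "$file"
}

# Constructed lsmod output for the demo. It deliberately contains ipv6 and
# ip6_udp_tunnel, which 'lsmod | grep ip' would list although they are not
# netfilter modules, and ext4, which neither approach should report.
SAMPLE_LSMOD='Module                  Size  Used by
xt_conntrack           16384  2
nf_conntrack_ftp       24576  0
iptable_filter         16384  1
ip_tables              28672  1 iptable_filter
nf_conntrack          139264  2 xt_conntrack,nf_conntrack_ftp
ipv6                  491520  31
ip6_udp_tunnel         16384  1 vxlan
ext4                  786432  1
xt_limit               16384  0
'

echo "netfilter modules in the sample lsmod output:"
printf '%s' "$SAMPLE_LSMOD" | netfilter_modules

# On a real host use the live data instead of the sample:
#   lsmod | netfilter_modules
# and probe the proc entry for one specific match (the "|| rc=$?" form keeps
# this safe under 'set -e'):
rc=0
match_registered limit || rc=$?
case $rc in
    0) echo "limit match is registered on this host" ;;
    1) echo "limit match is not registered on this host" ;;
    *) echo "/proc/net/ip_tables_matches is not readable on this host" ;;
esac
```

Running the sample through netfilter_modules yields xt_conntrack, nf_conntrack_ftp, iptable_filter, ip_tables, nf_conntrack and xt_limit; ipv6 and ip6_udp_tunnel are dropped even though "grep ip" would have kept them. Note that nf_conntrack_ftp is a loaded module but registers no xtables match, so it will never appear in /proc/net/ip_tables_matches; that is why the two views differ.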

Try this for a fast overview of the netfilter modules present on your system; here is a one-liner for pasting:

for i in /lib/modules/$(uname -r)/kernel/net/netfilter/*; do echo -e "\e[33;1m$(basename "$i")\e[0m"; strings "$i" | \grep -e description -e depends| sed -e 's/Xtables: //g' -e 's/=/: /g' -e 's/depends=/depends on: /g'; echo; done

Again, for readability, with added newlines:

#!/bin/bash
# Walk the netfilter module directory for the running kernel and print each
# module's file name (in yellow) followed by its description and dependencies
for i in /lib/modules/$(uname -r)/kernel/net/netfilter/*
do
    echo -e "\e[33;1m$(basename "$i")\e[0m"
    strings "$i" | \grep -e description -e depends | sed -e 's/Xtables: //g' -e 's/=/: /g' -e 's/depends=/depends on: /g'
    echo
done

The filename will appear in yellow, from which you can guess whether the module in question exists or not. The description and dependencies are the next two lines below.

This will not cover everything (because this would be too easy, ofc). Only looking up the modules manually, to see if they exist, gives you 100% accurate information.

iptables -m <match/module name> --help

If a module exists on your system, at the end of the help text you will get some info on how to use it:

ctr-014# iptables -m limit --help
iptables v1.4.14

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]

...

[!] --version   -V              print package version.

limit match options:
--limit avg                     max average match rate: default 3/hour
                                [Packets per second unless followed by 
                                /sec /minute /hour /day postfixes]
--limit-burst number            number to match in a burst, default 5
ctr-014# 

If the module is not present on your system:

ctr-014# iptables -m iplimit --help
iptables v1.4.14: Couldn't load match `iplimit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctr-014#

As an alternative method, this can also be done with a Python script.

First make sure you have the iptc library:

sudo pip install --upgrade python-iptables

(Assuming Python 3 is your version)

import iptc

# Walk the filter table and print, for every rule, the match extensions
# (-m modules) and the target it uses
table = iptc.Table(iptc.Table.FILTER)
for chain in table.chains:
    print("------------------------------------------")
    print("Chain ", chain.name)
    for rule in chain.rules:
        print("Rule ", "proto", rule.protocol, "src:", rule.src, "dst:", rule.dst, "in:", rule.in_interface, "out:", rule.out_interface)
        print("Matches:")
        for match in rule.matches:
            print(match.name)
        print("Target:")
        print(rule.target.name)
print("------------------------------------------")
