
I am writing a script that needs to check if iptables is empty.

The only idea I have is to do "iptables-save" and compare it with a "iptables-save" of an empty iptables.

However, I'm not sure whether I can count on "iptables-save" producing the same result on every host for empty iptables.

Any idea?

  • iptables -L and parse if necessary? Commented Feb 9, 2015 at 23:12

2 Answers


You can use iptables-save and grep for lines starting with -:

Empty iptables:

sudo iptables-save | grep '^\-' | wc -l
0

Non empty:

sudo iptables-save | grep '^\-' | wc -l
13



Have you tried the --list (-L) argument?

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

That output shows that there are no firewall entries.

If it did output you would see something like this...

$ sudo iptables -n -L -v --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain wanin (1 references)
num  target     prot opt source               destination
Chain wanout (1 references)
num  target     prot opt source               destination

EDIT: Here is a one-liner you can use: echo "$(sudo iptables -n -L -v --line-numbers)" | egrep "^[0-9]". Then just test if $? is 1 or 0. If it's 0 then there are active firewall rules, if 1 then no active rules.

$ echo "$(sudo iptables -n -L -v --line-numbers)" | egrep "^[0-9]"
1        0     0 DROP       all  --  *      *       202.54.1.2           0.0.0.0/0
$
$ echo $?
0
$
$ sudo iptables -D INPUT 1
$
$ echo "$(sudo iptables -n -L -v --line-numbers)" | egrep "^[0-9]"
$ echo $?
1

EDIT: Or using wc -l might be better....

echo "$(sudo iptables -n -L -v --line-numbers)" | egrep "^[0-9]" | wc -l

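A worked version of both answers' checks, added here as an example (it is not code from the question or from either answer): it applies the first answer's count of iptables-save rule lines and the second answer's count of numbered lines from iptables -L to dump text read from stdin, so the logic can be exercised without root and then fed live output. It also adds the check a script author usually wants: a built-in chain with policy DROP and zero rules is still a firewall, so "no rules" and "empty" are not the same thing. The sample dumps, the listing, and the function names are my own constructions.

```shell
#!/bin/sh
# Added example, not from the question or either answer. Live use:
#   sudo iptables-save | iptables_is_empty && echo "firewall is empty"
# Every dump below is constructed for illustration, not captured from a host.

# count_rules: number of rule lines ("-A CHAIN ...") in iptables-save output
# read from stdin. The dump covers every table (filter, nat, mangle, raw),
# whereas plain "iptables -L" only shows the filter table unless -t is given.
count_rules() {
    awk '/^-/ { n++ } END { print n + 0 }'
}

# nondefault_policies: built-in chains whose policy is not ACCEPT, one per
# line. A chain with policy DROP and no rules still blocks traffic, so a
# check that only counts rules would report it as empty. User-defined
# chains carry the policy "-" in the dump and are skipped.
nondefault_policies() {
    awk '/^:/ && $2 != "ACCEPT" && $2 != "-" { print substr($1, 2) }'
}

# count_listed_rules: the second answer's approach, applied to saved text:
# count lines that start with a rule number in the output of
# "iptables -n -L -v --line-numbers" read from stdin.
count_listed_rules() {
    awk '/^[0-9]/ { n++ } END { print n + 0 }'
}

# iptables_is_empty: exit 0 only if the iptables-save text on stdin has no
# rules and every built-in chain has policy ACCEPT; otherwise exit 1.
iptables_is_empty() {
    dump=$(cat)
    rules=$(printf '%s\n' "$dump" | count_rules)
    policies=$(printf '%s\n' "$dump" | nondefault_policies)
    [ "$rules" -eq 0 ] && [ -z "$policies" ]
}

# Constructed dump: what a host with no rules and default policies looks like.
EMPTY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed dump: no rules, but INPUT drops everything by policy.
POLICY_ONLY_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed dump: rules in both the nat and filter tables.
RULES_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed "iptables -n -L -v --line-numbers" output with a single rule.
LISTED='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# report: one-line verdict for a named dump, suitable for a script's log.
report() {
    name=$1
    text=$2
    n=$(printf '%s\n' "$text" | count_rules)
    chains=$(printf '%s\n' "$text" | nondefault_policies | tr '\n' ' ')
    if printf '%s\n' "$text" | iptables_is_empty; then
        echo "$name: empty (0 rules, all policies ACCEPT)"
    else
        echo "$name: not empty ($n rules; non-ACCEPT policy on: ${chains:-none})"
    fi
}

report "fresh host" "$EMPTY_DUMP"
report "drop policy" "$POLICY_ONLY_DUMP"
report "with rules" "$RULES_DUMP"
echo "numbered rule lines in listing: $(printf '%s\n' "$LISTED" | count_listed_rules)"
```

Two caveats when wiring either answer into a script. First, egrep exits 1 for "no match" but 2 for an error, and in the echo "$(sudo iptables ...)" | egrep pipeline a failure of the iptables command itself (no permission, missing module) leaves egrep with empty input, so the script would report "no active rules" when it actually could not look; check the exit status of iptables-save or iptables separately before trusting the count. Second, iptables -L without -t only lists the filter table, so a host whose only rules live in nat or mangle passes the second answer's check but not the first; the iptables-save dump is the more complete source.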
