You can list iptables rules with rule numbers using the --line-numbers option, but this only works in list (-L) mode. I find it much more convenient to view rules using the output from iptables -S or iptables-save.

You can augment the output from these commands with rule numbers with the following awk script:

#!/bin/awk -f

# Number -A rules per chain, restarting at 1 for every chain and printing a
# blank line between chains. Lines that are not -A rules (policies, -N chain
# definitions, ...) are passed through unchanged.
#   state 0: outside a run of -A rules
#   state 1: inside a run of -A rules for the chain held in "chain"
state == 0 && /^-A/ {state=1; chain=$2; counter=1; printf "\n"}
state == 1 && $2 != chain {chain=$2; counter=1; printf "\n"}
!/^-A/ {state=0}
state == 1 {printf "[%03d] %s\n", counter++, $0}
state == 0 {print}

This will produce output along the lines of:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N LARS

[001] -A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
[002] -A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
[003] -A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
[004] -A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
[005] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[006] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[007] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[008] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT

[001] -A FORWARD -j DOCKER-ISOLATION
[002] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[003] -A FORWARD -o docker0 -j DOCKER
[004] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[005] -A FORWARD -i docker0 -o docker0 -j ACCEPT

[001] -A DOCKER-ISOLATION -i br-c9ab3aa72e98 -o docker0 -j DROP
[002] -A DOCKER-ISOLATION -i docker0 -o br-c9ab3aa72e98 -j DROP
[003] -A DOCKER-ISOLATION -i br-74ee392a7301 -o docker0 -j DROP
[004] -A DOCKER-ISOLATION -i docker0 -o br-74ee392a7301 -j DROP
[005] -A DOCKER-ISOLATION -i br-6b5fa040c423 -o docker0 -j DROP
[006] -A DOCKER-ISOLATION -i docker0 -o br-6b5fa040c423 -j DROP
[007] -A DOCKER-ISOLATION -i br-438e4f71d66d -o docker0 -j DROP
[008] -A DOCKER-ISOLATION -i docker0 -o br-438e4f71d66d -j DROP

That makes it much easier if you're trying to insert or delete rules by index (as in iptables -I INPUT 7 ...). I keep the awk code itself in a script named number-rules so that running it locally usually looks like:

# iptables -S | number-rules | less
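One caveat worth keeping in mind when working from those indices: they shift as soon as a rule above them is inserted or removed, so a number you looked up a moment ago may point at a different rule by the time you run iptables -D. Because iptables -S already prints each rule as a complete specification, you can look a rule up by its index but then delete it by specification, which cannot hit the wrong rule. The following shell snippet is an added example, not code from the original post: rule_by_index and delete_cmd are names chosen here, and the sample ruleset is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): look up the Nth -A rule of a
# chain in `iptables -S` output and turn it into an `iptables -D` command
# that names the full rule specification instead of the index.
# rule_by_index and delete_cmd are names assumed for this example.

# Constructed sample: a subset of the `iptables -S` output shown above.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-N DOCKER
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER'

# rule_by_index CHAIN N: read `iptables -S` output on stdin and print the Nth
# -A rule of CHAIN (1-based, the same numbering the awk script above uses).
# Prints nothing and returns 1 if CHAIN has fewer than N rules.
rule_by_index() {
    awk -v chain="$1" -v want="$2" '
        $1 == "-A" && $2 == chain && ++n == want { print; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# delete_cmd CHAIN N: print the `iptables -D` command that removes the Nth
# rule of CHAIN by its exact specification rather than by index.
delete_cmd() {
    rule=$(rule_by_index "$1" "$2") || return 1
    printf 'iptables -D %s\n' "${rule#-A }"
}

# Demo on the constructed sample: prints
#   iptables -D FORWARD -o docker0 -j DOCKER
printf '%s\n' "$SAMPLE_RULES" | delete_cmd FORWARD 3
```

In real use you would feed it live output, e.g. iptables -S | delete_cmd FORWARD 3, review the printed command, and then run it. Note that iptables -S without -t shows only the filter table; for nat or mangle rules pass the same -t option to both the listing and the resulting -D command.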

Administrivia: Pelican and theme update

Fri 26 January 2018 by Lars Kellogg-Stedman Tags administrivia

I've just refreshed the version of Pelican used to generate this blog, along with the associated themes and plugins. It all seems to be working, but if you spot a problem feel free to drop me a line.


Fun with devicemapper snapshots

Thu 25 January 2018 by Lars Kellogg-Stedman Tags storage devicemapper

I find myself working with Raspbian disk images fairly often. A typical workflow is:

  • Download the disk image.
  • Mount the filesystem somewhere to check something.
  • Make some changes or install packages just to check something else.
  • Crap I've made changes.

...at which point I need to fetch a new copy …


Safely restarting an OpenStack server with Ansible

Wed 24 January 2018 by Lars Kellogg-Stedman Tags ansible openstack

The other day on #ansible, someone was looking for a way to safely shut down a Nova server, wait for it to stop, and then start it up again using the openstack cli. The first part seemed easy:

- hosts: myserver
  tasks:
    - name: shut down the server
      command: poweroff
      become: true …

Some notes on PWM on the Raspberry Pi

Tue 26 September 2017 by Lars Kellogg-Stedman Tags raspberrypi pwm

I was recently working on a project in which I wanted to drive a simple piezo buzzer attached to a GPIO pin on a Raspberry Pi. I was already using the RPi.GPIO module in my project so that seemed like a logical place to start, but I ran into …
