IPTables XARGS commands in shell script with no terminal

Question (score 1), asked by Giancarlo D:

I am trying to configure an iptables rule that finds a matching IP and deletes as many instances as it finds, in a one-liner. I have the command and it works in a traditional shell environment with path variables.

This one is running without a shell terminal; it's part of an OpenVPN client-disconnect script. I have a working solution using the following commands to find the rule with --line-numbers, sort in reverse, then delete each line in a loop. The problem is that the dynamic nature of the iptables rules can lead to accidentally deleting the wrong line.

Working:

IPTABLES_RULEID=$(sudo -tt /sbin/iptables -t mangle -w -n -L --line-numbers | grep -w "$ifconfig_pool_remote_ip" | awk '{print $1}' | sort -nr)

for i in $IPTABLES_RULEID ; do
        echo "================= Removing IPv4 Mangle Rule ID $i ===================="
        sudo -tt /sbin/iptables -w -t mangle -D PREROUTING $i
done

Here is what I'm trying to replace it with:

sudo -tt /sbin/iptables -t mangle -S PREROUTING | /usr/bin/grep -w "$ifconfig_pool_remote_ip" | sed 's/^-A //g' | /usr/bin/xargs -rL1 /sbin/iptables -t mangle -D

The error indicates it's not parsing all the command line options:

Jan 5 00:55:10 vpn1-udp-de openvpn[1240]: iptables v1.8.4 (nf_tables): Couldn't load match `set':No such file or directory
Jan 5 00:55:10 vpn1-udp-de openvpn[1240]: Try `iptables -h' or 'iptables --help' for more information.
Jan 5 00:55:10 vpn1-udp-de openvpn[1240]: iptables v1.8.4 (nf_tables): unknown option "--on-port"
Jan 5 00:55:10 vpn1-udp-de openvpn[1240]: Try `iptables -h' or 'iptables --help' for more information.

ref:

/sbin/iptables -t mangle -S PREROUTING | grep -w 10.13.0.6
-A PREROUTING -s 10.13.0.6/32 -p udp -m set --match-set portsudp dst -j TPROXY --on-port 41201 --on-ip 127.0.0.1 --tproxy-mark 0x1/0x1
-A PREROUTING -s 10.13.0.6/32 -p tcp -j TPROXY --on-port 41201 --on-ip 127.0.0.1 --tproxy-mark 0x1/0x1
Comments:

Commenter: It would be a lot easier to help if you showed us the output of `/sbin/iptables -t mangle -S PREROUTING`. I have no idea what rules you have, and guessing at what the problem is without any data is difficult.

Giancarlo D: Ok, I edited the post and pasted the results of the command.

Commenter: Odd, so if you manually try to run a command like `/sbin/iptables -t mangle -D PREROUTING -s 10.13.0.6/32 -p udp -m set --match-set portsudp dst -j TPROXY --on-port 41201 --on-ip 127.0.0.1 --tproxy-mark 0x1/0x1` from the command line, does it correctly remove the rule? What does the command look like that actually adds the rules in the first place?

Commenter: Also, do you need to add a sudo to the `xargs`? Remember that `sudo` at the start of the `sudo -tt /sbin/iptables -t mangle -S PREROUTING` only applies to that first command in the pipeline. Everything else is probably not running with root privileges.

Commenter: Also, do you need to insert a `-t mangle` into your command?

Giancarlo D: Yes, if I run the command manually it works; I'm basically taking a printout of the current rule matching -s {IP} and prepending "iptables -t mangle -D".
Answer (score 1):

Do not use xargs for this. Take the output of the script and treat it as standard input into iptables-apply. You can do this by using an on-the-fly Bash file descriptor, something like:

iptables-apply <(myscript.sh)

or, I guess, the more traditional approach:

myscript.sh | iptables-apply

Note there is no space character between < and (, otherwise this doesn't work. As long as myscript.sh outputs in an expected format that is similar to what iptables-save would give, this should work and it will not involve xargs at all.

Comment from Giancarlo D: I tried echoing the command to a temp file then executing the file, but without a terminal it's not allowing me to echo STDOUT to a file. For example:

sudo -tt /sbin/iptables -t mangle -S | grep -w $ifconfig_pool_remote_ip | sed 's/-A/iptables -t mangle -D/g' > $TMP
Answer (score 0):

I wonder if something like this might work better

sudo /sbin/iptables -t mangle -S PREROUTING |
/usr/bin/grep -w "$ifconfig_pool_remote_ip" |
sed 's/^-A /iptables -t mangle -D /g' |
sudo /bin/sh -ex
# the -x is just there to echo the commands for debugging.
Comment from Giancarlo D: Thank you for the suggestion; the results are uncharacteristic. It's echoing the correct command, and if I literally copy and paste it, it will work, but it's not executing. Strange error message indeed:

Jan 5 14:01:40 vpn1-udp-de openvpn[1240]: + iptables -t mangle -D PREROUTING -s 10.13.0.46/32 -p udp -m set --match-set portsudp dst -j TPROXY --on-port 45700 --on-ip 127.0.0.1 --tproxy-mark 0x1/0x1
Jan 5 14:01:40 vpn1-udp-de systemd[1]: session-c545357.scope: Succeeded.
Jan 5 14:01:40 vpn1-udp-de openvpn[1240]: /bin/sh: line 1: iptables: command not found