模板
教程
环境
性能
功能
管理
原创:iptables做NAT时 查看NAT转发表
发表于:2007-07-04来源:作者:点击数:
标签:
iptables做NAT时如何看NAT转发表呢,可以用cat-n/proc/net/ip_conntrack就看到屏幕晃动一阵就过去了,看上去很乱,后来写了个小脚本,看上去不错,跟大家共享 Name:nat Path:/sbin/ ----------------------------------------------------------------------
iptables做NAT时如何看NAT转发表呢,可以用cat -n /proc/net/ip_conntrack 就看到屏幕晃动一阵就过去了,看上去很乱,后来写了个小脚本,看上去不错,跟大家共享
Name:nat
Path:/sbin/
--------------------------------------------------------------------------
#!/bin/bash
case "$1" in
-t)
cat -n /proc/net/ip_conntrack |grep tcp |awk '{print $2"\t"$5"\t"$6"\t"$7"\t"$8"\t"$9"\t"$11}'|more
echo
sun= cat /proc/net/ip_conntrack|grep -c src
echo
echo
echo
;;
-u)
cat -n /proc/net/ip_conntrack |grep udp |awk '{print $2"\t"$5"\t"$6"\t"$7"\t"$8"\t"$10}'|more
echo
sun= cat /proc/net/ip_conntrack|grep -c src
echo
echo
echo
;;
-a)
cat -n /proc/net/ip_conntrack |grep tcp |awk '{print $2"\t"$5"\t"$6"\t"$7"\t"$8"\t"$9"\t"$11}'|more
cat -n /proc/net/ip_conntrack |grep udp |awk '{print $2"\t"$5"\t"$6"\t"$7"\t"$8"\t"$10}'|more
echo
sun= cat /proc/net/ip_conntrack|grep -c src
echo
echo
echo
;;
*)
echo "Usage {-t Tcp | -u Udp }"
echo
echo "Write By LouLancn@163.com"
echo
exit 1
esac
exit 0
----------------------------------------------------------------------
chmod a+x /sbin/nat
个人感觉比较实用,能随时查看网络状态
根据platinum提出的分屏问题,稍做了一下修改!
| platinum 回复于:2005-03-25 17:02:41 |
| 写的很好,很实用,而且是一个很好的shell的例子 |
| platinum 回复于:2005-03-25 17:06:03 |
| 我发现\t对TAB的控制不是很好,如果src的地址长短不一,显示出来就非常难看,这个如何解决? |
| cgweb 回复于:2005-03-25 17:07:49 |
| perfect |
| loulancn 回复于:2005-03-25 17:08:39 |
| 我也发现这个问题了,暂时还没找到解决方法,还请高人指点! |
| sxqw 回复于:2005-03-25 22:48:40 |
| 用 iptstate 这个命令也可以呀 |
| platinum 回复于:2005-03-25 23:11:28 |
| [quote:34864cb2f4="sxqw"]用 iptstate 这个命令也可以呀[/quote:34864cb2f4] 这个好是好,可惜没办法翻屏查看,只能看现有屏幕内的 :( |
| 60133056 回复于:2005-03-25 23:59:19 |
| 厉害 牛人 |
| whd 回复于:2005-03-26 07:57:23 |
| 请问一下,学习写脚本该从哪里入手呢,也就是该先掌握哪些知识呢,看什么书什么的,经常地照猫画虎真的很无聊,请大家指点阿 |
| KindGeorge 回复于:2005-03-26 08:23:06 |
| 不错.收藏研究下.谢谢分享 |
| SunLife 回复于:2005-03-26 22:47:19 |
| 用 printf("%-xxxd",ffffffffffff) 来解决 echo的对齐功能很差 |
| laoheimao 回复于:2005-03-27 09:06:24 |
| #!/usr/bin/perl -w # # Purpose: # # Quick jobber to do some parsing of the iptables connection # tracking from /proc and print it out a little nicer. # (and to make Godot quit bugging me, of course ) # # Options: # -P This enables port lookups (translating ports -> services [Should be f st]) # -p This disables port lookups # # You can set the defaults for both of these below, 1 == lookup, # 0 == don't. The commandline switches override defaults. # # Author: # # Brian Poole, http://www.cerias.purdue.edu/homes/rajak/ # # LICENSE: # # This is licensed under the BSD license, in other words # do what you will, I don't care, just don't blame me. # I assume no liability for any incompetent usage of this # script, nor of any poor coding (though of course there # none of THAT!). #print "Content-type: text/plain\n\n"; $PORT_LOOKUPS = 1; if (defined @ARGV and $#ARGV != 0){ & } elsif (defined @ARGV){ if ($ARGV[0] eq "-p"){ $PORT_LOOKUPS = 0; } elsif ($ARGV[0] eq "-P"){ $PORT_LOOKUPS = 1; } else { & } } # Hey! Who told you that you could read my code! GET OUTTA HERE!#%^!@# # First lets grab the data from the proc entry.. open INPUT, "</proc/net/ip_conntrack" or die "Unable to read input: $!\n"; while (<INPUT>){ push @{ $records{(split " ")[0]} }, $_; } close INPUT; if (defined %records){ print " Current connections being tracked by netfilter\n\nProt Src IP Src Port State Dst IP Dst Port\n\n"; foreach $key (keys %records) { $proto = uc $key; for $i (0 .. $#{ $records{$key} } ){ # Assigning that bad boy into a variable because I don't like having to t pe all that every time ;) my $log = $records{$key}[$i]; # Zero out the port vars (we can't guarantee we have replaces to match th m since some protocols (ICMP)) # don't have ports. Then do a match and shove the vars into place as appr priate. ($dport, $sport ) = ("",""); if( $log =~ /^.*?src=(.*?) dst=(.*?) (?:sport=(\d{1,5}) dport=(\d{1,5}) ) /) { ($srcip, $dstip) = ($1,$2); ($sport, $dport) = ($3,$4) if (defined $3 and defined $4); } else { report($log); } # This is detection of what ip_conntrack state the particular item is in, base is <--NORM--> (just regular) # the others are done as detected. I have a special check that if more th n one []'s found to die and # report just because I'm not completely sure if this is impossible and I need to know if not. $state = "<--NORM-->"; if ( $log =~ /\[ASSURED\]/ ){ $state = "<==ASRD==>"; } if ( $log =~ /\[UNREPLIED\]/ ){ report($log) if $state ne "<--NORM-->"; $state = " --UNRE-->"; } if ( $log =~ /\[UNCONFIRMED\]/ ){ report($log) if $state ne "<--NORM-->"; $state = "<--UNCO-- "; } if ($PORT_LOOKUPS and $sport ne "" and $dport ne ""){ my $name = (getservbyport $sport, $key)[0]; $sport = $name if defined $name; undef $name; $name = (getservbyport $dport, $key)[0]; $dport = $name if defined $name; } write; } print "\n"; } } else { # No tracked connections.. weird. print "\nNo connections currently being tracked.\n"; } exit; # All of those -- err, that one subroutine # -- Make that TWO! I'm all about efficiency baby. sub usage { die "IP connection tracker\n", "Written by Brian Poole <raj\@cerias.purdue.edu>\n", "\nUsage: $0 [-Pp]\n", "\n-P enables port -> service mappings\n", "-p disables port -> service mappings\n\n"; } sub report { die "Please mail the following log entry to raj\@cerias.purdue.edu for debug ing purposes.\n\n$_[0]\n"; } # The format.. duh. |
| JavaJing 回复于:2005-03-29 08:42:57 |
| 请问有些什么好的资料吗 |
| sxqw 回复于:2005-03-31 09:01:23 |
| [quote:a433358283="platinum"] 这个好是好,可惜没办法翻屏查看,只能看现有屏幕内的 :([/quote:a433358283] iptstate -s 是不是你说的效果 |
| platinum 回复于:2005-03-31 09:34:10 |
| [quote:20f3310051="sxqw"] iptstate -s 是不是你说的效果[/quote:20f3310051] 真是惭愧,我应该好好看看man :em06: |
| james_h 回复于:2005-03-31 10:40:16 |
| ipstate 是单独的软件包,不是 iptables 内置功能。 |
| platinum 回复于:2005-03-31 10:42:46 |
| [quote:58b61e1f42="james_h"]ipstate 是单独的软件包,不是 iptables 内置功能。[/quote:58b61e1f42] 是的,需要去下载,sourceforge上就有,比较早期的产品 |
| LordYu·lee 回复于:2005-04-12 09:57:04 |
| [quote:f775c6d186]我发现\t对TAB的控制不是很好,如果src的地址长短不一,显示出来就非常难看,这个如何解决?[/quote:f775c6d186] 你多用几个\t\t\t\t不就行了吗? |
| platinum 回复于:2005-04-12 19:46:25 |
| [quote:5ed93a049d="LordYu·lee"] 你多用几个\t\t\t\t不就行了吗?[/quote:5ed93a049d] 一看就知道你是信口开河的 :mrgreen: |
