Colored! network information: iptables, routes, addresses #shell #reporting #networking

Recently, I was tinkering around with network-related matters in Qubes, and found these things to come in handy, so I am sharing them here. Not Qubes OS-specific, by the way.

retrieving network information with iptables & ip

In a single line, so that it can be double-clicked and then pasted with secondary/middle-click:

{ format='' ; : '\n--- %s ---\n' ; for table in filter mangle nat raw security ; do test -z "${format?}" || printf "${format?}" "${table?}" ; sudo iptables --table $table --line-numbers -vnL ; done ;} |  sed -E 's/^Chain.*$/\x1b[4m&\x1b[0m/' |  sed -E 's/^num.*/\x1b[33m&\x1b[0m/' |  sed -E '/([^y] )((REJECT|DROP))/s//\1\x1b[31m\3\x1b[0m/' |  sed -E '/([^y] )(ACCEPT)/s//\1\x1b[32m\2\x1b[0m/' |  sed -E '/([ds]pt[s]?:)([[:digit:]]+(:[[:digit:]]+)?)/s//\1\x1b[33;1m\2\x1b[0m/' |  sed -E '/([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}(\/([[:digit:]]){1,3}){0,1}/s//\x1b[36;1m&\x1b[0m/g' |  sed -E '/([^n] )(LOGDROP)/s//\1\x1b[33;1m\2\x1b[0m/'|  sed -E 's/ LOG /\x1b[36;1m&\x1b[0m/' ; sudo ip -6 -c a s ; sudo ip -6 -c r s ; sudo ip -4 -c r s ; sudo ip -4 -c a s ;

To have “headers” for the iptables output, remove ' ; : ' from the beginning, so:

- { format='' ; : '\n
+ { format='\n

Or, split over multiple lines (semicolons (;) removed).

{
    {
        for table in filter mangle nat raw security
        do
            cmd="sudo iptables --table ${table?} --line-numbers --verbose --numeric --list"
            # aka sudo iptables --line-numbers -t nat -nvL
            printf '\n--- result of command: %s ---\n' "${cmd?}"
            ${cmd?}
        done
        unset cmd
    } |
        sed -E 's/^Chain.*$/\x1b[4m&\x1b[0m/' |
        sed -E 's/^num.*/\x1b[33m&\x1b[0m/' |
        sed -E '/([^y] )((REJECT|DROP))/s//\1\x1b[31m\3\x1b[0m/' |
        sed -E '/([^y] )(ACCEPT)/s//\1\x1b[32m\2\x1b[0m/' |
        sed -E '/([ds]pt[s]?:)([[:digit:]]+(:[[:digit:]]+)?)/s//\1\x1b[33;1m\2\x1b[0m/' |
        sed -E '/([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}(\/([[:digit:]]){1,3}){0,1}/s//\x1b[36;1m&\x1b[0m/g' |
        sed -E '/([^n] )(LOGDROP)/s//\1\x1b[33;1m\2\x1b[0m/' |
        sed -E 's/ LOG /\x1b[36;1m&\x1b[0m/'
    # end of the colouring pipeline (a trailing '| :' here would discard the sed output)
    sudo ip -color -family inet6 address show # aka -6 -c a s
    sudo ip -color -family inet6 route show # aka   -6 -c r s
    sudo ip -color -family inet route show # aka    -4 -c r s
    sudo ip -color -family inet address show # aka  -4 -c a s
}

Perhaps of interest, man ip documents:

  • -json [-pretty] (usable with JavaScript Object Notation (JSON) parsing tools, for instance jq)
  • -oneline (allows for counting/enumerating or new-line separated iteration)

Another thing that might come in handy is to limit addresses to the global scope, by doing:
sudo ip -c a s scope global

Combining that with -oneline/-o allows, for instance, counting the number of global interfaces (using wc with --lines/-l):
sudo ip -o a s scope global | wc -l

iptables visualized

There are probably caveats, but these might be useful for understanding more of iptables/nft.

(image) ~ src: Packet flow graph

(image) ~ src: unknown

iptables migration to nft

See: iptables-translate --help.
For instance:
sudo iptables-translate --table nat --line-numbers -vnL
produces:
nft list table ip nat
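The colouring pipeline from above wrapped into a function, with a few audit helpers over the same `iptables -vnL --line-numbers` text and over `ip -o a s scope global` lines. This is an added example, not code from the original post: the two SAMPLE_* inputs are constructed here so it runs offline (nothing was captured from a real host), GNU sed is assumed for the \x1b escapes, and the helper names (colorize, accept_policy_chains, count_target, world_open_ports, global_ifaces) are my own.

```shell
#!/bin/sh
# Added example: review `iptables -vnL --line-numbers` and `ip -o a s scope global`
# output. SAMPLE_IPT and SAMPLE_IPADDR are constructed inputs, not captured data.
# On a real host feed the functions the live command output instead.
# GNU sed is assumed (\x1b in the replacement is a GNU extension).

SAMPLE_IPT='Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1024 80000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      512 40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        3   180 ACCEPT     tcp  --  *      *       10.137.0.0/24        0.0.0.0/0            tcp dpt:22
4        9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
5        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "dropped: "
6        7   420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 2048 packets, 160K bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Constructed `ip -o a s scope global` lines: eth0 carries two global addresses.
SAMPLE_IPADDR='2: eth0    inet 10.137.0.5/24 brd 10.137.0.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fd09:24ef:4e49::a89:5/128 scope global \       valid_lft forever preferred_lft forever
3: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0\       valid_lft 3591sec preferred_lft 3591sec'

# The post's sed substitutions, unchanged, as a stdin -> stdout filter.
colorize() {
  sed -E 's/^Chain.*$/\x1b[4m&\x1b[0m/' |
  sed -E 's/^num.*/\x1b[33m&\x1b[0m/' |
  sed -E '/([^y] )((REJECT|DROP))/s//\1\x1b[31m\3\x1b[0m/' |
  sed -E '/([^y] )(ACCEPT)/s//\1\x1b[32m\2\x1b[0m/' |
  sed -E '/([ds]pt[s]?:)([[:digit:]]+(:[[:digit:]]+)?)/s//\1\x1b[33;1m\2\x1b[0m/' |
  sed -E '/([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}(\/([[:digit:]]){1,3}){0,1}/s//\x1b[36;1m&\x1b[0m/g' |
  sed -E '/([^n] )(LOGDROP)/s//\1\x1b[33;1m\2\x1b[0m/' |
  sed -E 's/ LOG /\x1b[36;1m&\x1b[0m/'
}

# Chains whose default policy is ACCEPT: traffic matched by no rule gets through.
accept_policy_chains() {
  sed -nE 's/^Chain ([^ ]+) \(policy ACCEPT .*/\1/p'
}

# Number of rules whose target is $1. Rule lines start with a rule number;
# with --line-numbers -v the target is the 4th column.
count_target() {
  awk -v t="$1" '$1 ~ /^[0-9]+$/ && $4 == t { n++ } END { print n + 0 }'
}

# ACCEPT rules that admit any source (0.0.0.0/0) to a specific port, as proto/port.
world_open_ports() {
  awk '$1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $9 == "0.0.0.0/0" && /dpts?:/ {
         p = $0; sub(/.*dpts?:/, "", p); sub(/ .*/, "", p); print $5 "/" p }'
}

# Distinct interfaces carrying a global-scope address. `ip -o` prints one line
# per address, so `wc -l` on it counts addresses, not interfaces.
global_ifaces() {
  awk '{ print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_IPT" | colorize
printf '\nchains with ACCEPT policy: %s\n' "$(printf '%s\n' "$SAMPLE_IPT" | accept_policy_chains | tr '\n' ' ')"
printf 'ACCEPT from anywhere on:    %s\n' "$(printf '%s\n' "$SAMPLE_IPT" | world_open_ports | tr '\n' ' ')"
printf 'DROP rules: %s, REJECT rules: %s\n' \
  "$(printf '%s\n' "$SAMPLE_IPT" | count_target DROP)" \
  "$(printf '%s\n' "$SAMPLE_IPT" | count_target REJECT)"
printf 'global addresses: %s, on interfaces: %s\n' \
  "$(printf '%s\n' "$SAMPLE_IPADDR" | wc -l | tr -d ' ')" \
  "$(printf '%s\n' "$SAMPLE_IPADDR" | global_ifaces | tr '\n' ' ')"
```

On a real host, pipe `sudo iptables -t filter -vnL --line-numbers` (per table, as the loop in the post does) and `ip -o a s scope global` into these instead of the samples. The last two lines show the -oneline caveat: eth0 has an IPv4 and an IPv6 global address, so three address lines come from two interfaces.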


That’s really cool, and I was looking for something like this earlier today! (but for nftables)