Scott Forsyth – MVP asked:
I would like to remove some NAT POSTROUTING rules in an automated fashion based on the source or destination IP address.
I know the source and destination IP but I don’t necessarily know which policies are already there.
For example, I may have this:
-A POSTROUTING -s 10.10.10.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 184.108.40.206 -A POSTROUTING -s 10.10.10.10/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 220.127.116.11 -A POSTROUTING -s 10.10.10.10/32 -j ACCEPT
or I may just have this:
-A POSTROUTING -s 10.10.10.10/32 -j SNAT --to-source 18.104.22.168
I want to unassign that NAT address from the old computer and assign it to a new computer. This is all automated so I can’t manually look for it.
What’s the best way to remove the old polices for just that IP? Could I use a list + grep command? I normally hang out in the Windows world so I’m not sure the best way to handle this here.
You can match a rule for deletion by specifying it precisely and using
--delete) instead of
-A. For instance:
iptables -t nat -D POSTROUTING -s 10.10.10.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 22.214.171.124
To script this, matching a specific IP address, and not losing any rules due to race conditions, let’s try something like this. This will delete any rule in the nat table containing a given IP address:
IFS=$'\n' for rule in `iptables-save -t nat | grep -w $IP_ADDRESS | sed -e 's/-A/-D/'`; do echo $rule | xargs iptables -t nat done
Some notes on this: We use
grep -w to ensure that IP addresses match exactly, and e.g. a given address that ends in
25 doesn’t match
250. The transform from
-D is done by
sed in the loop. And we use
xargs to expand each rule into parameters.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.