I’ve written a small parser for iptables rules in Python, and made it output GraphViz data. Byte counters are translated to line width, packet counters to line color. Dashed lines have not received any data so far.

This is the result for my laptop’s tiny firewall setup (generated by Pyroman; the duplicated accept/drop/reject rules are mostly cosmetic and serve to count data and packet totals. However, the reject rule also does a ‘cleaner’ reject for TCP connections).

Visualization of a small iptables rule setup

I’ve run it on a much larger firewall (~100 chains, ~600 rules; a multi-homed firewall at our university), but it becomes too messy with the dotty layout algorithm. The firewall chains generated by pyroman are pretty flat: it generates one chain per client-server combination, the INPUT etc. chains are filled with source/destination filters, and the services are then filtered in the second level. Also, most of the traffic is handled by connection tracking, so it boils down to having one big accept line, with little going on beyond that.

So the visualization turned out to be only of partial interest (at least for Pyroman-generated firewalls; it could be useful if someone actually nests chains more levels deep).

Still, there is some interesting stuff I might try with the iptables-save parser I’ve written:

  • pyroman could reload the firewall, keeping traffic counters where possible
  • based on traffic counters for hosts and services, it could reorder entries in the firewall to optimize it slightly (in the pyroman model, hosts and services can be reordered to a certain extent; I’m aware that this is not true for generic iptables rules. It might still be helpful for some users to get suggestions on how to order their rules. It’s also unlikely this will have a large performance impact in general, unless you have one really heavily used service and didn’t place it first on your own…)
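To make the two ideas in this post concrete (the counter-to-width/color mapping of the visualization at the top, and the counter-based reordering hint in the list above), here is an added example in Python. It is not the parser from the post and not Pyroman code; the `iptables-save -c` dump it parses is a constructed sample, and the function names, the logarithmic scaling and the blue-to-red hue ramp are my own choices. The reorder hint only compares each rule with the one directly before it in the same chain, and it is only a hint: two iptables rules may be swapped safely only when their match sets cannot overlap, which the code does not check.

```python
import math
import re

# Constructed sample of `iptables-save -c` output (not from the post). Each rule
# line carries its counters as [packets:bytes]; chain lines carry policy counters.
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [5:300]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:accept - [0:0]
:drop - [0:0]
[12345:6789012] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j accept
[10:600] -A INPUT -i lo -j accept
[0:0] -A INPUT -p udp --dport 123 -j accept
[30:1800] -A INPUT -p tcp --dport 22 -j accept
[7:420] -A INPUT -j drop
[12385:6791412] -A accept -j ACCEPT
[7:420] -A drop -j DROP
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s*(.*)$")
JUMP_FLAGS = ("-j", "--jump", "-g", "--goto")


def parse_iptables_save(text):
    """Parse an `iptables-save -c` dump.

    Returns (chains, rules): chains maps table -> {chain: policy} ('-' for
    user-defined chains); rules is a list of dicts in file order with table,
    chain, target (None if the rule has no -j/-g), packets, bytes and match text.
    """
    chains, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):          # "*filter": start of a table
            table = line[1:]
            chains.setdefault(table, {})
            continue
        m = CHAIN_RE.match(line)          # ":INPUT DROP [p:b]": chain + policy
        if m:
            chains[table][m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)           # "[p:b] -A CHAIN <match> -j TARGET"
        if m:
            pkts, byts, chain, match = m.groups()
            args = match.split()
            target = None
            for flag in JUMP_FLAGS:
                if flag in args and args.index(flag) + 1 < len(args):
                    target = args[args.index(flag) + 1]
                    break
            rules.append({"table": table, "chain": chain, "target": target,
                          "packets": int(pkts), "bytes": int(byts), "match": match})
    return chains, rules


def to_dot(chains, rules, table="filter"):
    """Render one table as GraphViz DOT: one edge per jump, byte count mapped to
    line width (log scale), packet count mapped to hue from blue (few) to red
    (many), and a dashed grey line for rules that never matched anything."""
    edges = [r for r in rules if r["table"] == table and r["target"]]
    max_b = math.log1p(max([1] + [r["bytes"] for r in edges]))
    max_p = math.log1p(max([1] + [r["packets"] for r in edges]))
    out = [f'digraph "{table}" {{', "  rankdir=LR;"]
    for chain, policy in chains.get(table, {}).items():
        label = chain if policy == "-" else f"{chain}\\npolicy {policy}"
        out.append(f'  "{chain}" [label="{label}"];')
    for r in edges:
        if r["packets"] == 0 and r["bytes"] == 0:
            attrs = "style=dashed, color=gray"
        else:
            width = 1 + 4 * math.log1p(r["bytes"]) / max_b
            hue = 0.66 * (1 - math.log1p(r["packets"]) / max_p)   # HSV hue in DOT
            attrs = f'penwidth={width:.2f}, color="{hue:.3f} 0.8 0.8"'
        out.append(f'  "{r["chain"]}" -> "{r["target"]}" '
                   f'[{attrs}, label="{r["packets"]} pkts"];')
    out.append("}")
    return "\n".join(out)


def reorder_hints(rules, table="filter"):
    """Flag rules that matched more packets than the rule directly before them
    in the same chain. Returns (chain, busier_rule, preceding_rule) tuples.
    Swapping is only safe when the two match sets cannot overlap (Pyroman's
    host/service model guarantees that for its own rules; generic rule sets
    need a manual check), so treat the result as a suggestion, not a change."""
    hints, prev = [], {}
    for r in rules:
        if r["table"] != table:
            continue
        chain = r["chain"]
        if chain in prev and r["packets"] > prev[chain]["packets"]:
            hints.append((chain, r["match"], prev[chain]["match"]))
        prev[chain] = r
    return hints


if __name__ == "__main__":
    chains, rules = parse_iptables_save(SAMPLE)
    print(to_dot(chains, rules))   # pipe into: dot -Tpng -o firewall.png
    for chain, later, earlier in reorder_hints(rules):
        print(f"# {chain}: '{later}' is busier than the preceding '{earlier}'")
```

Running the script prints the DOT graph for the `filter` table (feed it to `dot -Tpng`) followed by one hint: in the sample, the SSH rule saw 30 packets while the NTP rule placed before it saw none.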

[P.S. Anyone aware of a GTK/Gnome application or library for visualizing graphs?]

[P.P.S. Bernd Zeimetz has been running it on some really complex firewalls. I guess it really could benefit from a layout algorithm optimized for this kind of graph; dotty can become kind of messy. :-) Maybe I’ll make an interactive version, where you can see the incoming and outgoing flows for each chain or so, rather than trying to draw such a huge graph.]