gressgraph

Visualize your firewall.

Download (source, 168KB)
Documentation (PDF, 9 pages)
Screenshot (PNG, 1000x964)

gressgraph produces a graph of your iptables ruleset using Graphviz. You can use the graph to:

Look for vulnerabilities or redundancies.
Get a "feel" for a network.
Showcase your firewall.

Try It Out

Enter the output of iptables -L -vx here.

Chain INPUT (policy DROP 1226127 packets, 148780906 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
   57225  8133562 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
   64147 24178835 DROP       all  --  eth0   any     10.0.0.0/8           anywhere            
      13    12264 DROP       all  --  eth0   any     172.16.0.0/255.250.0.0  anywhere            
    6191   910525 DROP       all  --  eth0   any     192.168.0.0/16       anywhere            
347547935 354119630571 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
   44925 19199122 ACCEPT     udp  --  ath0   any     anywhere             anywhere            udp dpt:bootps 
   70995  4434700 ACCEPT     all  --  lo     any     anywhere             anywhere            
  136396  8110576 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh state NEW 
      28     1692 ACCEPT     tcp  --  ath0   any     anywhere             anywhere            state NEW tcp dpt:microsoft-ds 
      79     5020 ACCEPT     tcp  --  ath0   any     anywhere             anywhere            state NEW tcp dpt:netbios-ssn 
       1       60 ACCEPT     tcp  --  ath0   any     anywhere             anywhere            state NEW tcp dpt:domain 
  250743 16275259 ACCEPT     udp  --  ath0   any     anywhere             anywhere            state NEW udp dpt:domain 
    4253   323228 ACCEPT     udp  --  ath0   any     anywhere             anywhere            udp dpt:ntp 
  144691  7305519 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpts:10001:10010 state NEW 
      75     4784 ACCEPT     tcp  --  ath0   any     neo                  anywhere            tcp dpt:ipp state NEW 
       0        0 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:ntp 
      73    41304 ACCEPT     udp  --  eth1   any     anywhere             anywhere            udp dpt:bootps 
      14      939 ACCEPT     udp  --  eth1   any     anywhere             anywhere            udp dpt:domain 
       0        0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:domain 
       0        0 ACCEPT     udp  --  eth1   any     anywhere             anywhere            udp dpt:ntp 
       0        0 ACCEPT     tcp  --  ath0   any     malglata             anywhere            state NEW

Chain FORWARD (policy DROP 209896 packets, 11331181 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
191412264 130555797638 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
 2457788 184396099 ACCEPT     all  --  ath0   eth0    anywhere             anywhere            
       8      576 ACCEPT     all  --  ath0   ath0    necesiga             anywhere            
      14     1088 ACCEPT     all  --  ath0   ath0    neo                  anywhere            
     117     5616 ACCEPT     all  --  ath0   ath0    malglata             anywhere            
    5786   472056 ACCEPT     all  --  eth1   eth0    anywhere             anywhere

Chain OUTPUT (policy DROP 3466 packets, 161804 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
274047964 141843115914 ACCEPT     all  --  any    any     anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
       0        0 ACCEPT     all  --  any    lo      anywhere             anywhere

Format:

About

I've deliberately kept the program simple. It has no commandline options. To change the look of the output just modify the source (don't worry, it's currently only 205 lines of literate Haskell).

I've also only tested it on my own simple network. I'd appreciate hearing about how it works for you. Feel free to include your iptables output.

Latest Source

You can checkout a copy of the latest code with:

darcs get http://jekor.com/gressgraph/