将 iptables 的规则转成 nginx acl 规则

ipt2acl.sh

#!/bin/bash
# 请取标准输入，将 iptables 的规则转成 nginx acl 规则
# 使用：
# iptables-save | ./ipt2acl.sh > acl.conf
# 
# 目前只处理两种形式的 ACCEPT 规则
# 1. INPUT -s [./0-9]+ -j ACCEPT
# 2. INPUT -m iprange --src-range [.0-9]+-[.0-9]+ -j ACCEPT
# 

grep -- '-j ACCEPT' | while read LINE;do
	if echo $LINE | grep -E "INPUT -s [./0-9]+ -j ACCEPT" >/dev/null; then
		#echo ">>> Process: $LINE" >&2
		ADDR=$(echo $LINE | grep -oE '[./0-9]+')
		echo "allow $ADDR;"

	elif echo $LINE | grep -E "INPUT -m iprange --src-range [.0-9]+-[.0-9]+ -j ACCEPT" >/dev/null;then
		#echo ">>> Process: $LINE" >&2
		RANGE=$(echo "$LINE" | grep -oE '[.0-9]+-[.0-9]+')
		START_IP=${RANGE%-*}
		START_NUM=${START_IP##*.}
		END_IP=${RANGE#*-}
		END_NUM=${END_IP##*.}
		PREFIX_IP=${START_IP%.*}

		test "$PREFIX_IP" != "${END_IP%.*}" && {
			echo "*** Unsupported ip range: $RANGE" >&2
			exit 10
		}

		if [[ $START_NUM == 1 && $END_NUM == 254 ]];then
			echo "allow ${PREFIX_IP}.0/24;  # $RANGE"	
		elif [[ $START_NUM == 1 && $END_NUM == 126 ]];then
			echo "allow ${PREFIX_IP}.0/25;  # $RANGE"	
		else
			for IP_NUM in $(seq $START_NUM $END_NUM);do
				echo "allow ${PREFIX_IP}.${IP_NUM};  # $RANGE"
			done
		fi
	else
		echo "*** Skip: $LINE" >&2
	fi
done