@yunginnanet
Created January 14, 2024 08:19
#!/usr/bin/env bash
# example output:
# cleaning duplicate netfilter rules...
# updating netfilter rules...
# updating iptables...
# latest: SHA256 (-) = e32144dcf88d333d2ecfbce61fc2392045c462b3370093b70bd5429c3ae9e922
# current: SHA256 (-) = e32144dcf88d333d2ecfbce61fc2392045c462b3370093b70bd5429c3ae9e922
# backing up old rules...
# renamed '/etc/iptables/rules.v4' -> '/etc/iptables/rules.v4.1705220025'
# installing new rules...
# iptables is now up to date
# updating ip6tables...
# latest: SHA256 (-) = 7f9b202202eebe6ece23323f206a7aa3b3f1cde90df9cd43dfc4b32ef23f0507
# current: SHA256 (-) = 7f9b202202eebe6ece23323f206a7aa3b3f1cde90df9cd43dfc4b32ef23f0507
# backing up old rules...
# renamed '/etc/iptables/rules.v6' -> '/etc/iptables/rules.v6.1705220025'
# installing new rules...
# ip6tables is now up to date
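#######################################
# Persist the live netfilter ruleset to /etc/iptables/rules.v{4,6} when it
# differs from what is already on disk, keeping a timestamped backup.
# Arguments: $1 - "-6" selects ip6tables / rules.v6; anything else (or no
#                 argument) selects iptables / rules.v4
# Outputs:   progress lines and both checksums on stdout
# Returns:   0 when the on-disk rules match the live ones (already, or after
#            installing them); 1 when any command fails or the post-install
#            checksum still differs
#######################################
function ipt() {
  local _cmd="iptables"
  local _num="4"
  if [[ "${1:-}" == "-6" ]]; then
    _cmd="ip6tables"
    _num="6"
  fi
  local _file="/etc/iptables/rules.v${_num}"
  # all working state is local so sourcing this file does not leak globals
  local _ipt _iptSum _curSum
  echo "updating ${_cmd}..."
  _ipt="$(sudo "${_cmd}-save")" || return 1
  # printf rather than echo: the ruleset is hashed exactly as it is written below
  _iptSum="$(printf '%s\n' "$_ipt" | sha256sum --tag)" || return 1
  echo "latest: ${_iptSum}"
  _curSum="$(sha256sum --tag <"${_file}")" || return 1
  # report the on-disk checksum here (the original echoed the live one twice)
  echo "current: ${_curSum}"
  # nothing to do when the persisted rules already match the live ones
  if [[ "$_iptSum" == "$_curSum" ]]; then
    echo "${_cmd} is already up to date"
    return 0
  fi
  echo "backing up old rules..."
  # -n: never overwrite an existing backup that carries the same timestamp
  sudo mv -vn -- "${_file}" "${_file}.$(date +%s)" || return 1
  echo "installing new rules..."
  printf '%s\n' "$_ipt" | sudo tee "${_file}" >/dev/null || return 1
  # re-hash the installed file; a mismatch means the write was incomplete
  # or something else touched the file in between
  _curSum="$(sha256sum --tag <"${_file}")" || return 1
  if [[ "$_iptSum" == "$_curSum" ]]; then
    echo "${_cmd} is now up to date"
    return 0
  fi
  echo "something went wrong (race?)"
  return 1
}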
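#######################################
# Remove duplicate rules from one iptables table. Reads the live ruleset,
# counts identical "-A ..." lines inside the requested table and issues
# count-1 matching "-D" deletions for each one.
# Arguments: $1 - table name, e.g. filter, nat, mangle, raw
# Outputs:   each delete command on stdout just before it runs
# Returns:   1 on a missing or malformed table name, otherwise the status of
#            the read loop
#######################################
dedup() {
  local table="${1:-}"
  local ipt_bin="iptables -w"
  local line count rule
  # the table name is spliced into a sed pattern and into the eval below,
  # so only accept a plain lowercase word
  if [[ ! "$table" =~ ^[a-z]+$ ]]; then
    printf 'dedup: bad table name %q\n' "$table" >&2
    return 1
  fi
  # anchor both ends of the range so the table name can only match its own
  # "*<table>" header line and not rule text belonging to another table
  iptables-save | sed -n '/^\*'"${table}"'$/,/^COMMIT$/p' | grep "^-" | sort | uniq -dc |
    while IFS= read -r line; do
      # uniq -dc prints "<spaces><count> -A <chain> <args...>"; skip anything else
      [[ "$line" =~ ^[[:space:]]*([0-9]+)[[:space:]]-A(.*)$ ]] || continue
      count="${BASH_REMATCH[1]}"
      rule="-t ${table} -D${BASH_REMATCH[2]}"
      while (( count > 1 )); do
        echo "iptables ${rule}"
        # eval is kept because iptables-save quotes arguments such as
        # --comment "..." and plain word-splitting would tear them apart.
        # NOTE(review): eval also expands $(...) and backticks inside those
        # quotes, so the input must stay limited to the root-owned live
        # ruleset — never feed this function rule text from elsewhere.
        eval "${ipt_bin} ${rule}"
        count=$((count - 1))
      done
    done
}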
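#######################################
# Remove duplicate rules from one ip6tables table. Reads the live ruleset,
# counts identical "-A ..." lines inside the requested table and issues
# count-1 matching "-D" deletions for each one.
# Arguments: $1 - table name, e.g. filter, nat, mangle, raw
# Outputs:   each delete command on stdout just before it runs
# Returns:   1 on a missing or malformed table name, otherwise the status of
#            the read loop
#######################################
dedup6() {
  local table="${1:-}"
  local ip6t_bin="ip6tables -w"
  local line count rule
  # the table name is spliced into a sed pattern and into the eval below,
  # so only accept a plain lowercase word
  if [[ ! "$table" =~ ^[a-z]+$ ]]; then
    printf 'dedup6: bad table name %q\n' "$table" >&2
    return 1
  fi
  # anchor both ends of the range so the table name can only match its own
  # "*<table>" header line and not rule text belonging to another table
  ip6tables-save | sed -n '/^\*'"${table}"'$/,/^COMMIT$/p' | grep "^-" | sort | uniq -dc |
    while IFS= read -r line; do
      # uniq -dc prints "<spaces><count> -A <chain> <args...>"; skip anything else
      [[ "$line" =~ ^[[:space:]]*([0-9]+)[[:space:]]-A(.*)$ ]] || continue
      count="${BASH_REMATCH[1]}"
      rule="-t ${table} -D${BASH_REMATCH[2]}"
      while (( count > 1 )); do
        echo "ip6tables ${rule}"
        # eval is kept because ip6tables-save quotes arguments such as
        # --comment "..." and plain word-splitting would tear them apart.
        # NOTE(review): eval also expands $(...) and backticks inside those
        # quotes, so the input must stay limited to the root-owned live
        # ruleset — never feed this function rule text from elsewhere.
        eval "${ip6t_bin} ${rule}"
        count=$((count - 1))
      done
    done
}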
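#######################################
# Deduplicate every table for IPv4 and IPv6 under sudo, then persist the
# live rulesets with ipt and ipt -6.
# Globals:   BASH_SOURCE (read) - the defining file is re-sourced inside the
#            root shell so dedup/dedup6 exist there
# Outputs:   progress lines on stdout
# Returns:   1 if the dedup pass or either ipt call fails, 0 otherwise
#######################################
function update-netfilter-rules() {
  local _self _cmd _table
  echo "cleaning duplicate netfilter rules..."
  # sourcing the current file's location because I have this in `~/.oh-my-bash/aliases/kayos.aliases.sh` vs a standalone script
  # meaning sourcing whatever file these funcs are in assures the above functions are in my local scope upon exec.
  # %q shell-quotes the path so it survives the bash -c round trip intact
  printf -v _self '%q' "${BASH_SOURCE[0]}"
  _cmd="source ${_self}"
  for _table in filter nat mangle raw; do
    _cmd+=" && dedup ${_table}"
  done
  for _table in filter nat mangle raw; do
    _cmd+=" && dedup6 ${_table}"
  done
  # stop before touching the persisted files if the dedup pass failed
  sudo bash -c "${_cmd}" || return 1
  echo "updating netfilter rules..."
  ipt || return 1
  ipt -6 || return 1
}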