##########################################################################
# $Id: iptables,v 1.7 2007/02/16 03:27:05 bjorn Exp $
##########################################################################
# $Log: iptables,v $
# Revision 1.7 2007/02/16 03:27:05 bjorn
# Remove explicit invocation of perl executable, by Ivana Varekova.
#
# Revision 1.6 2007/01/29 18:40:29 bjorn
# Handle timestamp generated in Ubuntu, suggested by MrC.
#
# Revision 1.5 2006/08/23 22:47:29 bjorn
# Corrected icmp type reporting, by Allen Kistler.
#
# Revision 1.4 2006/07/11 15:59:56 bjorn
# Allow sorting by either source or target, by Michel Messerschmidt.
#
# Revision 1.3 2006/01/16 18:40:31 kirk
# fixed name to Logwatch (how I like it now)
#
# Revision 1.2 2005/12/06 02:35:43 bjorn
# Report icmp type properly, by Allen Kistler.
#
# Revision 1.1 2005/07/25 22:17:31 bjorn
# Moved iptables (and ipchains, ipfwadm) code to its own service (iptables).
#
##########################################################################
# iptables, ipchains, and ipfwadm script for Logwatch.
# Ipfwadm and ipchains are deprecated, but is included
# here for backwards compatibility.
#
# This script was extracted from the kernel script,
# which processed netfilter (iptables, ipchains, and
# ipfwadm) statements until kernel script Revision 1.29.
#
# Visit the Logwatch website at
# http://www.logwatch.org
##########################################################################
use Logwatch ':ip';
$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
$MinFilter = $ENV{'iptables_host_min_count'} || 0;
$DoLookup = $ENV{'iptables_ip_lookup'}; $DoLookup = $DoLookup; # keep -w happy
$ListByHost = $ENV{'iptables_list_by_host'} || 0;
$ListByService = $ENV{'iptables_list_by_service'} || 0;
# Keep old behaviour if nothing is configured
$ListByHost = 1 unless ($ListByService);
$MaxFlood = 10;
$MaxNum =0;
sub lookupService {
my ($port, $proto, $service);
($port, $proto) = ($_[0], $_[1]);
if ($service = getservbyport ($port, $proto)) {
return($service);
} else {
return($port);
}
}
sub lookupProtocol {
my ($proto, $name);
$proto = $_[0];
if ($name = getprotobynumber ($proto)) {
return($name);
} else {
return($proto);
}
}
sub lookupAction {
my ($chain, $actionType);
$chain = $_[0];
# choose an action type
if ( $chain =~ /reject/i ) {
$actionType = "Rejected";
} elsif ( $chain =~ /drop/i ) {
$actionType = "Dropped";
} elsif ( $chain =~ /deny/i ) {
$actionType = "Denied";
} elsif ( $chain =~ /denied/i ) {
$actionType = "Denied";
} elsif ( $chain =~ /accept/i ) {
$actionType = "Accepted";
} else {
$actionType = "Logged";
}
return $actionType;
}
# SORT COMPARISONS
sub compStr {
return $a cmp $b;
}
sub compNum {
return $a <=> $b;
}
while (defined($ThisLine = <STDIN>)) {
chomp($ThisLine);
next if ($ThisLine eq '');
# the format for ulogd/ulogd.syslogmenu and messages differ in that
# the earlier has no service name after the date. So RemoveHeaders
# doesn't work. Therefore, we extract it here:
$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?//;
# IPCHAINS
if( ($TU,$from,$port,$on) = ( $ThisLine =~ /IP fw-in deny \w+ (\w+) ([^:]+):\d+ ([^:]+):(\d+) / ) ){
if($MaxNum < ++$TCPscan{$TU}{$from}) {
$MaxNum = $TCPscan{$TU}{$from}
}
$port=0;
} elsif ( ($chain,$action,$if,$proto,$fromip,$toip,$toport) = ( $ThisLine =~ /^Packet log: ([^ ]+) (\w+) (\w+) PROTO=(\d+) ([\d|\.]+):\d+ ([\d|\.]+):(\d+)/ ) ) {
$actionType = lookupAction($action);
$ipt{$actionType}{$if}{$fromip}{$toip}{$toport}{$proto}{"$chain,$if"}++;
$ipt2{$actionType}{$if}{$toport}{$proto}{$fromip}{$toip}{"$chain,$if"}++;
}
# IPTABLES
elsif (($chain,$ifin,$ifout,$fromip,$toip,$proto,$rest) = ($ThisLine =~ /^(.*?)\s*IN=(\w*).*?OUT=(\w*).*?SRC=([\w\.:]+).*?DST=([\w\.:]+).*?PROTO=(\w+)(.*)/ )) {
# get a destination port number (or icmp type) if there is one
if (! ( ($toport) = ( $rest =~ /TYPE=(\w+)/ ) ) ) {
if (! ( ($toport) = ( $rest =~ /DPT=(\w+)/ ) ) ) {
$toport = 0;
}
}
# get the action type
$actionType = lookupAction($chain);
# determine the dominant interface
if ($ifin =~ /\w+/ && $ifout =~ /\w+/) {
$interface = $ifin;
} elsif ($ifin =~ /\w+/) {
$interface = $ifin;
$ifout = "none";
} else {
$interface = $ifout;
$ifin = "none";
}
if ($chain eq "") {
$chain_info = "";
} else {
$chain_info = "(" . $chain . ") ";
}
# add the packet
# $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{"$chain,$ifin,$ifout"}++;
$ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{$chain_info}++;
$ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}{$toip}{$chain_info}++;
}
}
# IPCHAINS
if (keys %TCPscan and $MaxNum>$MaxFlood) {
print "\nWarning: ipfwadm scan detected on:\n";
foreach $ThisOne (sort compStr keys %TCPscan) {
print " " . $ThisOne . " from:\n";
foreach $Next (sort compStr keys %{$TCPscan{$ThisOne}}) {
$TCPscan{$ThisOne}{$Next}>$MaxFlood &&
print " " . LookupIP($Next). ": $TCPscan{$ThisOne}{$Next} Time(s)\n";
}
}
}
if ((keys %ipt2) and $ListByService) {
foreach my $actionType (sort compStr keys %ipt2) {
foreach my $interface (sort compStr keys %{$ipt2{$actionType}}) {
my $outputMain = '';
my $interfaceCount = 0;
foreach my $toport (sort compNum keys %{$ipt2{$actionType}{$interface}}) {
foreach my $proto (sort compStr keys %{$ipt2{$actionType}{$interface}{$toport}}) {
my $outputSection = '';
my $portCount = 0;
my $hostCount = 0;
undef %hostList;
my %host_list = ();
my $protocol;
# determine the protocol
if ( $proto =~ /^\d+$/ ) {
$protocol = lookupProtocol($proto);
} else {
$protocol = lc($proto);
}
# determine the name of the service
my $service = lookupService($toport,$protocol);
foreach my $fromip (sort SortIP keys %{$ipt2{$actionType}{$interface}{$toport}{$proto}}) {
my $fromHostCount = 0;
my $from = LookupIP($fromip);
my $outputDetails = "";
foreach my $toip (sort SortIP keys %{$ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}}) {
my $toHostCount = 0;
my $to = LookupIP($toip);
foreach my $details (sort keys %{$ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}{$toip}}) {
my $packetCount = $ipt2{$actionType}{$interface}{$toport}{$proto}{$fromip}{$toip}{$details};
$toHostCount += $packetCount;
if ( $Detail > 9 and ( $outputDetails !~ /\Q$details\E/ ) ) {
$outputDetails .= $details . ", ";
}
}
$fromHostCount += $toHostCount;
}
if ( $Detail > 9 ) {
chop $outputDetails;
chop $outputDetails;
push @{$hostList{"$fromHostCount"}}, $from .
" " . $outputDetails;
} else {
push @{$hostList{"$fromHostCount"}}, $from;
}
$portCount += $fromHostCount;
$hostCount++;
}
$interfaceCount += $portCount;
if ($Detail > 5 ) {
$outputMain .= sprintf(" To port %d/%s (%s) - ".
"%d packet%s from %d host%s\n",
$toport, $protocol,
( $service =~ /^\d+$/ ) ? "?" : $service,
$portCount, ( $portCount > 1 ) ? "s" : " ",
$hostCount, ( $hostCount > 1 ) ? "s" : " "
);
foreach my $hc (sort { $b <=> $a } keys %hostList) {
foreach my $h (@{$hostList{"$hc"}}) {
$outputMain .= sprintf(" %6d packet%s from %s\n",
$hc, ( $hc > 1 ) ? "s" : " ", $h);
}
}
} elsif ($Detail > 3 ) {
my $topHostCount;
($topHostCount, undef) = sort { $b <=> $a } keys %hostList;
my $topHost = ${$hostList{"$topHostCount"}}[0];
$outputMain .= sprintf( " To port %5d/%s - %5d packet%s ".
"from %4d host%s (%d from %s)\n",
$toport, $protocol, $portCount,
( $portCount > 1 ) ? "s" : " ", $hostCount,
( $hostCount > 1 ) ? "s" : " ",
$topHostCount, $topHost
);
} else {
$outputMain .= sprintf(" To port %5d/%s - %5d packet%s ".
"from %4d host%s\n",
$toport, $protocol, $portCount,
( $portCount > 1 ) ? "s" : " ", $hostCount,
( $hostCount > 1 ) ? "s" : " "
);
}
}
}
print "Listed by target ports:";
print "\n$actionType $interfaceCount " .
( ( $interfaceCount > 1 ) ? "packets" : "packet" ) .
" on interface $interface\n";
print $outputMain;
}
}
}
# IPCHAINS / IPTABLES
if ((keys %ipt) and $ListByHost) {
foreach $actionType (sort compStr keys %ipt) {
foreach $interface (sort compStr keys %{$ipt{$actionType}}) {
$outputMain = '';
$interfaceCount = 0;
foreach $fromip (sort SortIP keys %{$ipt{$actionType}{$interface}}) {
$outputSection = '';
$fromHostCount = 0;
$from = LookupIP($fromip);
undef %port_list;
foreach $toip (sort SortIP keys %{$ipt{$actionType}{$interface}{$fromip}}) {
$toHostCount = 0;
$to = LookupIP($toip);
$outputServices = '';
foreach $toport (sort compNum keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}}) {
foreach $proto (sort compStr keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}}) {
# determine the protocol
if ( $proto =~ /^\d+$/ ) {
$protocol = lookupProtocol($proto);
} else {
$protocol = lc($proto);
}
# determine the name of the service
$service = lookupService($toport,$protocol);
foreach $details (sort keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}}) {
$packetCount = $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{$details};
$toHostCount += $packetCount;
if ( $Detail > 0 ) {
$outputServices .= " Service: $service ($protocol/$toport) $details- $packetCount " . ( ( $packetCount > 1 ) ? "packets\n" : "packet\n" );
} else {
${ $port_list{ $protocol } }{$toport}++;
}
}
}
}
$fromHostCount += $toHostCount;
if ( $Detail > 0 ) { $outputSection .= " To $to - $toHostCount " . ( ( $toHostCount > 1 ) ? "packets\n" : "packet\n" ); }
$outputSection .= $outputServices;
}
$interfaceCount += $fromHostCount;
if ($fromHostCount >= $MinFilter) {
if ($Detail > 0 ) {
$outputMain .= " From $from - $fromHostCount " . ( ( $fromHostCount > 1 ) ? "packets\n" : "packet\n" );
} else {
$outputMain .= " From $from - $fromHostCount " . ( ($fromHostCount > 1) ? "packets" : "packet" ) . " to " ;
foreach $protocol ( keys %port_list ) {
if ( $#{ keys %{$port_list { $protocol } } } > 10 ) {
$outputMain .= $#{ $port_list{ $protocol } } ." $protocol ports";
} else {
$outputMain .= "$protocol(" . join(",", sort compNum keys %{ $port_list{ $protocol } } ) . ") " ;
}
}
$outputMain .="\n";
}
}
$outputMain .= $outputSection;
}
print "\nListed by source hosts:";
print "\n$actionType $interfaceCount " . ( ( $interfaceCount > 1 ) ? "packets" : "packet" ) . " on interface $interface\n";
print $outputMain;
}
}
}
exit(0);
# vi: shiftwidth=3 tabstop=3 syntax=perl et
