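#!/usr/bin/perl
# watch_iptables.pl - simply parses the iptables syslog and makes it readable
# Copyright (C) 2005 Travis Morgan, travis@bigfiber.net
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

use strict;
use warnings;

# --- configuration -----------------------------------------------------------

my $services = "/etc/services";            # port -> service-name source
my $logfile  = "/var/log/iptables.log";    # syslog file carrying the kernel LOG lines

# Prefixes printed in front of alternating rows (e.g. ANSI colour escapes).
# Both are empty by default, so rows are printed undecorated.
my $alt = "";
my $nhl = "";

# Friendly names for the interfaces reported in IN=.  Anything not listed is
# printed as-is (an exact match, so "eth10" is no longer mangled into "extern0").
my %iface_name = (
    eth0 => "extern",
    eth1 => "dmz",
    eth2 => "intern",
);

# Only lines carrying one of these --log-prefix values are shown.
my $drop_re = qr/(?:f_INPUT|f_FORWARD) DROP/;

# One column layout shared by the header and the data rows so the labels
# actually line up with the data underneath them.
my $row_fmt = "%15s %6s %20s %20s %19s %15s %20s %15s %8s\n";

# --- state -------------------------------------------------------------------

my %tcp_name;     # port number -> service name (tcp), from $services
my %udp_name;     # port number -> service name (udp), from $services
my @data;         # whitespace-split tokens of the log line being processed
my $proto = "";   # PROTO= value of the current line (TCP, UDP, ICMP, ...)

# findvar(TARGET [, @TOKENS]) -> value
# Return the remainder of the first token that starts with TARGET ("eth0" for
# TARGET "IN=" and token "IN=eth0"), or "" when no token matches.  TOKENS
# defaults to the tokens of the line currently being processed (@data).
#
# TARGET is matched literally (\Q..\E) and the tokens themselves are never
# interpolated into a pattern.  The previous implementation tested every
# token as a regex, so a log line containing an unbalanced "[" or "(" (a kernel
# "[  123.456]" timestamp, or anything an attacker can get into syslog) made
# the watcher die mid-run.
sub findvar {
    my ($target, @tokens) = @_;
    @tokens = @data unless @tokens;
    for my $token (@tokens) {
        next unless defined $token;
        return $1 if $token =~ /^\Q$target\E(.*)\z/s;
    }
    return "";
}

# readservices([PATH]) -> count
# Load PATH (default: $services, normally /etc/services) into %tcp_name and
# %udp_name keyed by port number.  Comment lines ("#...") and blank lines are
# skipped; every other line is split on whitespace and "/" so that
# "ssh 22/tcp # SSH Remote Login" yields ("ssh", "22", "tcp", ...).
# A file that cannot be opened is reported on STDERR and treated as empty, so
# the watcher still runs (ports are then printed numerically).  Returns the
# number of entries loaded.
sub readservices {
    my ($path) = @_;
    $path = $services unless defined $path;

    my $fh;
    unless (open($fh, "<", $path)) {
        warn "watch_iptables: cannot open $path: $! (ports will not be named)\n";
        return 0;
    }

    my $count = 0;
    while (my $entry = <$fh>) {
        next if $entry =~ /^#/ || $entry =~ /^$/;
        my ($name, $port, $proto_name) = split /[\s\/]+/, $entry;
        next unless defined $port && defined $proto_name;
        if ($proto_name =~ /tcp/) {
            $tcp_name{$port} = $name;
            $count++;
        }
        elsif ($proto_name =~ /udp/) {
            $udp_name{$port} = $name;
            $count++;
        }
    }
    close($fh);
    return $count;
}

# findsvc(PORT [, PROTO]) -> name
# Map PORT to its service name for PROTO ("TCP" or "UDP"; default: the PROTO=
# value of the current line).  Returns PORT unchanged when the port is unknown
# or the protocol has no port table (ICMP and friends), so the caller always
# gets a printable value instead of undef.
sub findsvc {
    my ($port, $which) = @_;
    $which = $proto unless defined $which;
    return "" unless defined $port;

    my $table;
    if ($which =~ /TCP/) {
        $table = \%tcp_name;
    }
    elsif ($which =~ /UDP/) {
        $table = \%udp_name;
    }
    return $port unless $table && defined $table->{$port};
    return $table->{$port};
}

# main()
# Follow $logfile and print one formatted row per matching DROP line.
# Runs only when the script is executed directly (see the `caller` guard at
# the bottom), so the helpers above can be loaded with `require` and tested
# without touching the live log.
sub main {
    # Loaded here rather than at the top so that loading this file for
    # testing does not require File::Tail (CPAN) to be installed.
    require File::Tail;

    readservices();
    printf($row_fmt, "Date", "If", "Source Mac", "Dest Mac", "Source", "Port",
           "Destination", "Port", "Protocol");

    my $tail = File::Tail->new(name => $logfile, interval => 0,
                               maxinterval => 2, tail => 5);

    my $odd = 0;
    while (defined(my $line = $tail->read)) {
        next unless $line =~ $drop_re;
        @data = split /\s+/, $line;

        # Classic syslog layout "Mon DD HH:MM:SS host kernel: ..." - the first
        # three tokens are the timestamp.
        # NOTE(review): rsyslog's RFC 3339 timestamps are a single token, in
        # which case this would pick up the hostname too - confirm on the
        # target host.
        my $date = "$data[0] $data[1] $data[2]";

        my $iface = findvar("IN=", @data);
        $iface = $iface_name{$iface} if exists $iface_name{$iface};

        # The kernel's MAC= field is the raw Ethernet header: destination MAC
        # (6 octets), then source MAC (6), then the ethertype (2).  The old
        # code labelled the first six octets as the source.  Interfaces without
        # a link-layer header (ppp, tun) log no MAC= at all; show "-" then.
        my @macs = split /:/, findvar("MAC=", @data);
        my ($smac, $dmac) = ("-", "-");
        if (@macs >= 12) {
            $dmac = join ":", @macs[0 .. 5];
            $smac = join ":", @macs[6 .. 11];
        }

        my $src = findvar("SRC=", @data);
        my $dst = findvar("DST=", @data);
        $proto = findvar("PROTO=", @data);
        my $spt = findsvc(findvar("SPT=", @data), $proto);
        my $dpt = findsvc(findvar("DPT=", @data), $proto);

        # Alternate the (by default empty) row prefixes, e.g. for colouring.
        my $prefix = $odd ? $alt : $nhl;
        print $prefix;
        $odd = !$odd;

        printf($row_fmt, $date, $iface, $smac, $dmac, $src, $spt, $dst, $dpt, $proto);
    }
    return;
}

main() unless caller;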