Graphing number of references to iptables chain
Hi all,
Just wondering if anyone has done or has seen a way of being able to graph the number of references to an iptables chain?
We have a script on our mailserver that scans the logs for IPs in DNSBLs or that issue pre-greeting commands and then adds them to the firewall and drops the packets. We end up with a 'flt-smtp' chain that lists all the IP addresses it found; if they match, it then calls another chain 'spammer' which logs the attempt and drops/rejects the packet.
This ends up with a few hundred to a few thousand IPs blocked every month, with the number being the number of references to the spammer chain. 'iptables -L spammer' currently returns, for example:
iptables -L spammer
Chain spammer (2269 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level debug prefix `Spammer: '
DROP       all  --  anywhere             anywhere
Unfortunately I have zero skills when it comes to rrd and the like, so I'm looking for something similar I can change to suit, or for someone to be really generous and help me out.
The script I'm using is over at http://www.impsec.org/~jhardin/antispam/spammer-firewall
Cheers
Allan
On Wed, Sep 05, 2007 at 03:37:09PM +1000, Allan wrote:
<snip>
Run a Hobbit client-side script that does:
#!/bin/sh
# iptables needs root to list the chain. The header line reads
# "Chain spammer (2269 references)", so field 3 minus its leading "(" is the count.
REFCOUNT=`iptables -L spammer | grep "^Chain spammer" | awk '{print $3}' | cut -c2-`
$BB $BBDISP "status $MACHINE.spammers green `date`
references: $REFCOUNT
"
exit 0
This generates a "spammers" status with the number from the "references" line in the iptables output. On the Hobbit server you then feed this through the "ncv" module - see the description in the "Custom graphs" help page on your Hobbit server or here: http://www.hswn.dk/hobbit/help/howtograph.html
Regards, Henrik
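As an added example (not Henrik's script and not from the original thread), here is the same idea written so it can be tried without root: the iptables output is a constructed sample, the parsing sits in a function that tells a user chain's "(N references)" header apart from a built-in chain's "(policy ...)" header, and the status goes red instead of a green empty value when the count cannot be read (chain missing, script not run as root). $BB, $BBDISP and $MACHINE are the Hobbit client's variables as in Henrik's script; the chain names, the sample output and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread: read the reference count of a
# user-defined chain out of "iptables -L" output and build the Hobbit
# status message from it. The iptables output below is a constructed
# sample, so this runs without root; on a real client replace it with
# "iptables -n -L spammer" and pass the message to "$BB $BBDISP".

# Constructed sample: a user-defined chain, whose header carries the
# reference count (number of rules in other chains that jump to it).
SAMPLE_USER_CHAIN='Chain spammer (2269 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level debug prefix "Spammer: "
DROP       all  --  anywhere             anywhere'

# Constructed sample: a built-in chain, whose header shows a policy
# instead of a reference count.
SAMPLE_BUILTIN_CHAIN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere'

# chain_refcount CHAIN  (iptables -L output on stdin)
# Prints the N from "Chain CHAIN (N references)". Prints nothing and
# returns 1 when the header is missing (chain does not exist, iptables
# was not run as root) or when CHAIN is a built-in chain.
chain_refcount() {
    awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && $4 == "references)" {
            sub(/^\(/, "", $3)
            print $3
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# hobbit_refcount_status CHAIN  (iptables -L output on stdin)
# Prints a Hobbit status message for the "spammers" column: green with a
# "references : N" line that the ncv module can graph, red when the count
# could not be read, so a broken script does not show up as a green zero.
hobbit_refcount_status() {
    chain=$1
    host=${MACHINE:-localhost}   # $MACHINE is set by the Hobbit client
    if count=$(chain_refcount "$chain"); then
        printf 'status %s.spammers green %s\n\nreferences : %s\n' \
            "$host" "$(date)" "$count"
    else
        printf 'status %s.spammers red %s\n\nreferences : could not read chain %s\n' \
            "$host" "$(date)" "$chain"
    fi
}

# Demo on the constructed samples. On a real client:
#   $BB $BBDISP "$(iptables -n -L spammer 2>/dev/null | hobbit_refcount_status spammer)"
printf '%s\n' "$SAMPLE_USER_CHAIN" | hobbit_refcount_status spammer
printf '%s\n' "$SAMPLE_BUILTIN_CHAIN" | hobbit_refcount_status INPUT
```

The "references : N" line keeps the "name : value" shape the ncv module looks for, so the graph setup is the same as for Henrik's version; the only difference is that a failure to read the chain is visible on the Hobbit page instead of being graphed as nothing.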
Henrik Stoerner wrote:
<snip>
If anyone wants it I have a (fairly) generic script that will graph the number of bytes an IP tables firewall is processing, with input output and forward in different colours :)
Cheers
Iain
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
Yes, please share it.
On 9/5/07, Iain Conochie <iain at shihad.org> wrote:
<snip>
--
Thanks
Sabeer MZ
<snip>
Here you go. This must be run as root, so either set UID root (bad!) or use sudo.
#!/bin/sh
SUDO=/usr/bin/sudo
IPTABLES=/usr/sbin/iptables
CHAINS="INPUT OUTPUT FORWARD"
#BBTMP=/tmp
TOUCH=/bin/touch

# $BBTMP is the Hobbit client's own tmp directory; the $$ names are not
# safe in a world-writable directory, so leave BBTMP pointing there.
$TOUCH $BBTMP/packets.$$
$TOUCH $BBTMP/bytes.$$

# With -v -x the header of a built-in chain reads
# "Chain INPUT (policy ACCEPT 1234 packets, 56789 bytes)": field 5 is the
# policy packet counter, field 7 the policy byte counter. Each is written
# as a "name : value" line for ncv, e.g. "INPUT packets : 1234".
for i in $CHAINS
do
    $SUDO $IPTABLES -L -n -v -x | grep ^"Chain $i" | awk '{print $2 " " $6 " : " $5}' | sed 's/packets,/packets/g' >> $BBTMP/packets.$$
done

for i in $CHAINS
do
    $SUDO $IPTABLES -L -n -v -x | grep ^"Chain $i" | awk '{print $2 " " $8 " : " $7}' | sed 's/bytes)/bytes/g' >> $BBTMP/bytes.$$
done

echo " " >> $BBTMP/packets.$$
echo " " >> $BBTMP/bytes.$$

$BB $BBDISP "status $MACHINE.iptables green `date` IPtables output
`cat $BBTMP/packets.$$; echo; cat $BBTMP/bytes.$$`"

rm $BBTMP/packets.$$
rm $BBTMP/bytes.$$
And here is the entry for hobbitgraph.cfg
[iptables]
    TITLE IP-Tables
    YAXIS Bytes
    DEF:Input=iptables.rrd:INPUTbytes:AVERAGE
    DEF:Output=iptables.rrd:OUTPUTbytes:AVERAGE
    DEF:Forward=iptables.rrd:FORWARDbytes:AVERAGE
    LINE2:Input#0000FF:Input Bytes
    LINE2:Output#00FF00:Output Bytes
    LINE2:Forward#FF0000:Forward Bytes
    COMMENT:\n
    GPRINT:Input:LAST:Input \: %5.1lf%s (cur)
    GPRINT:Input:MAX: \: %5.1lf%s (max)
    GPRINT:Input:MIN: \: %5.1lf%s (min)
    GPRINT:Input:AVERAGE: \: %5.1lf%s (avg)\n
    GPRINT:Output:LAST:Output \: %5.1lf%s (cur)
    GPRINT:Output:MAX: \: %5.1lf%s (max)
    GPRINT:Output:MIN: \: %5.1lf%s (min)
    GPRINT:Output:AVERAGE: \: %5.1lf%s (avg)\n
    GPRINT:Forward:LAST:Forward \: %5.1lf%s (cur)
    GPRINT:Forward:MAX: \: %5.1lf%s (max)
    GPRINT:Forward:MIN: \: %5.1lf%s (min)
    GPRINT:Forward:AVERAGE: \: %5.1lf%s (avg)\n
Cheers
Iain
On Wednesday, 5 September 2007 11:30, Iain Conochie wrote:
<snip>
Here you go. This must be run as root, so either set UID root (bad!) or use sudo.
for i in $CHAINS
do
    sudo $IPTABLES -L -n -v -x | grep ^"Chain $i" | awk '{print $2 " " $6 " : " $5}' | sed 's/packets,/packets/g' >> $BBTMP/packets.$$
done
Seems to me it graphs only the packets the default policy of the chain is applied to, i.e. those that have not matched any rule in the chain.
Regards,
Andreas Kunberger
-- DITF Denkendorf
Andreas Kunberger wrote:
<snip>
Seems to me it graphs only the packets the default policy of the chain is applied to, i.e. those that have not matched any rule in the chain.
True. Personally I use a default "reject" rule hence this will graph what the firewall rejects. Obviously this will not really take into account what is allowed so maybe I was not too clear in my first statement.
Iain
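An added example, not Iain's script or anything else from the thread: a version of the counter collection that reports, for each built-in chain, both the policy counters Iain's loops graph (packets that fell through to the default policy) and the sum of the per-rule counters (packets that matched some rule), which is the distinction Andreas raised. User chains get their reference count as well, so Allan's "spammer" number comes out of the same pass. It parses a constructed sample of "iptables -L -n -v -x" output so it runs without root; the chain names, rules, counter values and the ncv variable names are assumptions for illustration, and $BB, $BBDISP and $MACHINE are the Hobbit client's variables as before.

```sh
#!/bin/sh
# Added example, not code from the thread: parse "iptables -L -n -v -x"
# output into ncv "name : value" lines, reporting for each built-in chain
# both the policy counters (packets that fell through to the default
# policy, which is all the policy-header loop graphs) and the sum of the
# per-rule counters (packets that matched some rule). The iptables output
# is a constructed sample, so this runs without root; on a real client
# replace it with "$SUDO $IPTABLES -L -n -v -x".

# Constructed sample of "iptables -L -n -v -x" output.
SAMPLE_IPTABLES='Chain INPUT (policy DROP 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 5000000 4000000000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  250000   30000000 flt-smtp   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
     300      18000 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7000 packets, 560000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   42000    3000000 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain flt-smtp (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 spammer    all  --  *      *       192.0.2.10           0.0.0.0/0
       3        180 spammer    all  --  *      *       198.51.100.7         0.0.0.0/0

Chain spammer (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      15        900 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "Spammer: "
      15        900 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# iptables_counters  ("iptables -L -n -v -x" output on stdin)
# Emits one "name : value" line per counter. Names are <chain><counter>
# with the chain name reduced to [A-Za-z0-9_], because ncv turns them into
# RRD data-source names, which allow only those characters and at most
# 19 of them (hence the short "pol"/"rule"/"pkts" spellings).
iptables_counters() {
    awk '
        function flush() {
            if (chain != "") {
                printf "%srulepkts : %.0f\n", chain, rpkts
                printf "%srulebytes : %.0f\n", chain, rbytes
            }
        }
        $1 == "Chain" {
            flush()
            chain = $2; gsub(/[^A-Za-z0-9_]/, "_", chain)
            rpkts = 0; rbytes = 0
            if ($3 == "(policy") {
                # built-in: "Chain INPUT (policy DROP 1234 packets, 98765 bytes)"
                printf "%spolpkts : %s\n", chain, $5
                printf "%spolbytes : %s\n", chain, $7
            } else {
                # user-defined: "Chain spammer (2 references)"
                sub(/^\(/, "", $3)
                printf "%srefs : %s\n", chain, $3
            }
            next
        }
        # rule lines start with two numeric columns: pkts bytes
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { rpkts += $1; rbytes += $2 }
        END { flush() }'
}

# ncv_value NAME  (iptables_counters output on stdin): prints NAME's value.
ncv_value() {
    awk -v n="$1" '$1 == n && $2 == ":" { print $3 }'
}

# hobbit_iptables_status  ("iptables -L -n -v -x" output on stdin)
# Wraps the counters in a Hobbit status message for the "iptables" column.
hobbit_iptables_status() {
    printf 'status %s.iptables green %s\n\nIPtables counters\n' \
        "${MACHINE:-localhost}" "$(date)"
    iptables_counters
}

# Demo on the constructed sample. On a real client:
#   $BB $BBDISP "$($SUDO $IPTABLES -L -n -v -x | hobbit_iptables_status)"
printf '%s\n' "$SAMPLE_IPTABLES" | hobbit_iptables_status
```

On the sample, INPUT reports 1234 policy-dropped packets next to 5250300 rule-matched ones, so a firewall with a final REJECT rule (as Iain describes) shows its rejects in the rule counters, not the policy counters. Both kinds of counter are cumulative since the rules were loaded (iptables -Z or a reload resets them), so the ncv module should store them as DERIVE rather than as a gauge, or the graph is a rising staircase instead of a rate; on a Hobbit 4.2 server that is the NCV_iptables setting in hobbitserver.cfg (of the form NCV_iptables="INPUTrulebytes:DERIVE,...,*:NONE"; check the howtograph page Henrik linked for the exact syntax of your version). The hobbitgraph.cfg DEF lines then reference these names, e.g. iptables.rrd:INPUTrulebytes.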
participants (5)
- allan@zandahar.net
- andreas.kunberger@ditf-denkendorf.de
- henrik@hswn.dk
- iain@shihad.org
- sabeer.mz@gmail.com