Graphing number of references to iptables chain
list Allan Spencer
Hi all,

Just wondering if anyone has done or has seen a way of being able to graph the number of references to an iptables chain? We have a script on our mailserver that scans the logs for IPs in DNSBLs or that issue pregreeting commands and then adds them to the firewall and drops the packets. We end up with a 'flt-smtp' chain that lists all the IP addys it found; if they match, it then calls another chain 'spammer' which logs the attempt and drops/rejects the packet. This ends up with a few hundred to a few thousand IPs blocked every month, with the # being the number of references to the spammer chain.

'iptables -L spammer' currently returns, for example:

# iptables -L spammer
Chain spammer (2269 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level debug prefix `Spammer: '
DROP       all  --  anywhere             anywhere

Unfortunately I have zero skills when it comes to rrd and the like, so I'm looking for something similar I can change to suit, or for someone to be really generous and help me out. The script I'm using is over at http://www.impsec.org/~jhardin/antispam/spammer-firewall

Cheers
Allan
list Henrik Størner
On Wed, Sep 05, 2007 at 03:37:09PM +1000, Allan wrote:
Just wondering if anyone has done or has seen a way of being able to graph the number of references to an iptables chain? 'iptables -L spammer' currently returns, for example:

# iptables -L spammer
Chain spammer (2269 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level debug prefix `Spammer: '
DROP       all  --  anywhere             anywhere

Unfortunately I have zero skills when it comes to rrd and the like, so I'm looking for something similar I can change to suit, or for someone to be really generous and help me out.
Run a Hobbit client-side script that does:
#!/bin/sh
# Take the count from the "Chain spammer (2269 references)" header line:
# field 3 is "(2269", and cut drops the leading parenthesis.
# (Adding -n would skip reverse-DNS lookups on a chain with thousands of entries.)
REFCOUNT=`iptables -L spammer | grep "^Chain spammer" | awk '{print $3}'|cut -c2-`
# Send a "spammers" status to the Hobbit display server; the "name: value"
# line in the message body is what the ncv module picks up for graphing.
$BB $BBDISP "status $MACHINE.spammers green `date`
references: $REFCOUNT
"
exit 0
This generates a "spammers" status with the number from the "references" line in the iptables output. On the Hobbit server you then feed this through the "ncv" module - see the description in the "Custom graphs" help page on your Hobbit server or here:
http://www.hswn.dk/hobbit/help/howtograph.html
Regards,
Henrik
list Iain Conochie
If anyone wants it, I have a (fairly) generic script that will graph the number of bytes an iptables firewall is processing, with input, output and forward in different colours :)

Cheers
Iain
list Sabeer MZ
yes, please share it.
--
Thanks
Sabeer MZ
list Iain Conochie
<snip>
Here you go. This must be run as root, so either set UID root (bad!) or use sudo.
#!/bin/sh
SUDO=/usr/bin/sudo
IPTABLES=/usr/sbin/iptables
CHAINS="INPUT OUTPUT FORWARD"
# BBTMP is normally set by the Hobbit client; fall back to /tmp when run by hand
BBTMP=${BBTMP:-/tmp}
TOUCH=/bin/touch
$TOUCH $BBTMP/packets.$$
$TOUCH $BBTMP/bytes.$$
# Each chain header looks like: Chain INPUT (policy ACCEPT 1234 packets, 56789 bytes)
# $5/$6 are the packet count and "packets,", $7/$8 the byte count and "bytes)";
# sed strips the stray punctuation so ncv sees e.g. "INPUT packets : 1234"
for i in $CHAINS
do $SUDO $IPTABLES -L -n -v -x | grep "^Chain $i" | awk '{print $2 " " $6 " : " $5}' | sed s/packets,/packets/g >> $BBTMP/packets.$$
done
for i in $CHAINS
do $SUDO $IPTABLES -L -n -v -x | grep "^Chain $i" | awk '{print $2 " " $8 " : " $7}' | sed 's/bytes)/bytes/g' >> $BBTMP/bytes.$$
done
echo " " >> $BBTMP/packets.$$
echo " " >> $BBTMP/bytes.$$
# Report both files in one "iptables" status; ncv reads the "name : value" lines
$BB $BBDISP "status $MACHINE.iptables green `date` IPtables output
`cat $BBTMP/packets.$$; echo; cat $BBTMP/bytes.$$`"
rm $BBTMP/packets.$$
rm $BBTMP/bytes.$$
And here is the entry for hobbitgraph.cfg
[iptables]
TITLE IP-Tables
YAXIS Bytes
DEF:Input=iptables.rrd:INPUTbytes:AVERAGE
DEF:Output=iptables.rrd:OUTPUTbytes:AVERAGE
DEF:Forward=iptables.rrd:FORWARDbytes:AVERAGE
LINE2:Input#0000FF:Input Bytes
LINE2:Output#00FF00:Output Bytes
LINE2:Forward#FF0000:Forward Bytes
COMMENT:\n
GPRINT:Input:LAST:Input \: %5.1lf%s (cur)
GPRINT:Input:MAX: \: %5.1lf%s (max)
GPRINT:Input:MIN: \: %5.1lf%s (min)
GPRINT:Input:AVERAGE: \: %5.1lf%s (avg)\n
GPRINT:Output:LAST:Output \: %5.1lf%s (cur)
GPRINT:Output:MAX: \: %5.1lf%s (max)
GPRINT:Output:MIN: \: %5.1lf%s (min)
GPRINT:Output:AVERAGE: \: %5.1lf%s (avg)\n
GPRINT:Forward:LAST:Forward \: %5.1lf%s (cur)
GPRINT:Forward:MAX: \: %5.1lf%s (max)
GPRINT:Forward:MIN: \: %5.1lf%s (min)
GPRINT:Forward:AVERAGE: \: %5.1lf%s (avg)\n
Cheers
Iain
list Andreas Kunberger
On Wednesday, 5 September 2007 11:30, Iain Conochie wrote:
<snip>
Here you go. This must be run as root so either Set UID root (bad!) or
use sudo
for i in $CHAINS
do sudo $IPTABLES -L -n -v -x| grep ^"Chain $i"| awk {'print $2 " "
$6 " : " $5'}| sed s/packets,/packets/g >> $BBTMP/packets.$$
done
Seems to me it graphs only the packets the default policy of the chain is applied to, i.e. those which have not matched any rule in the chain.

Regards
Andreas Kunberger
--
DITF Denkendorf
list Iain Conochie
True. Personally I use a default "reject" rule, hence this will graph what the firewall rejects. Obviously this will not really take into account what is allowed, so maybe I was not too clear in my first statement.

Iain
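An added example, not a script from the thread, that covers both Henrik's reference-count trick and Andreas's point about the policy counters: it parses a constructed `iptables -L -n -v -x` listing (the SAMPLE variable, test data standing in for the real command) and emits ncv-style lines with, per chain, the policy counters (only packets that fell through every rule), the sum of the per-rule counters, and the reference count of user-defined chains, so a graph can show what the rules matched as well as what hit the default policy. Function and counter names are my own choice; a real client script would pipe `sudo iptables -L -n -v -x` into iptables_ncv and send the result with $BB as in the thread's scripts.

```shell
#!/bin/sh
# Added example, not a script from the thread: turn `iptables -L -n -v -x` output
# into NCV-style "name : value" lines, reporting per chain the policy counters
# (packets that matched no rule), the rule-counter sums, and reference counts.
# SAMPLE is constructed test data standing in for `sudo iptables -L -n -v -x`.
SAMPLE='Chain INPUT (policy ACCEPT 1000 packets, 50000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40       2400 flt-smtp   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
     200      12000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 5 packets, 300 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain spammer (2269 references)
    pkts      bytes target     prot opt in     out     source               destination
      40       2400 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "Spammer: "
      40       2400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'
# iptables_ncv: read a listing on stdin, write one "name : value" line per
# counter; names contain no spaces so the ncv module can use them directly.
iptables_ncv() {
    awk '
    /^Chain / {
        chain = $2; order[n++] = chain
        rulepkts[chain] += 0; rulebytes[chain] += 0   # chains with no rules report 0
        if ($3 == "(policy") {
            # "Chain NAME (policy POLICY N packets, M bytes)": N and M count only
            # the packets that fell through every rule to the default policy.
            printf "%spolicypackets : %s\n%spolicybytes : %s\n", chain, $5, chain, $7
        } else {
            # "Chain NAME (N references)": N is the number of rules jumping here.
            sub(/^\(/, "", $3); printf "%srefs : %s\n", chain, $3
        }
        next
    }
    /^ *pkts +bytes/ || /^ *$/ { next }                  # column header, blank separators
    { rulepkts[chain] += $1; rulebytes[chain] += $2 }   # per-rule packet/byte counters
    END {
        for (i = 0; i < n; i++) {
            c = order[i]
            printf "%srulepackets : %d\n%srulebytes : %d\n", c, rulepkts[c], c, rulebytes[c]
        }
    }'
}
# ncv_value NAME: look up one counter from the sample; a Hobbit client script
# would instead pipe the real `sudo iptables -L -n -v -x` into iptables_ncv.
ncv_value() {
    printf '%s\n' "$SAMPLE" | iptables_ncv | awk -v n="$1" '$1 == n { print $3 }'
}
```

Because the policy counters and the rule sums are reported separately, the difference between them on the INPUT chain is exactly the traffic Andreas notes the original script leaves out.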