Gheek.net

March 30, 2011

Monitor iptables activity in real time

Filed under: iptables, perl — lancevermilion @ 9:28 am

Here is a way to monitor iptables in real time without needing external programs or modules. It is done in Perl by parsing the output of the iptables list command.

A note from the original author:

To be effective, the xterm window needs to be at least as high as the output, else scrolling will ruin the visual effect. Also, the code may be iptables version-dependent, as it matches certain keywords for the formatting. Once started, it can be stopped with a Ctrl-C, which will restore some of the display settings.

I cannot take credit for writing this. The original source is available at Perlmonks.org under the topic Real-time Iptables Monitor, written by Dr. Mu.

The code:

#!/usr/bin/perl
use strict;
use warnings;
# Tables to display, in this order.
my @types = qw/nat mangle filter/;
# On Ctrl-C: show the cursor again, restore the saved cursor position, exit.
$SIG{INT} = sub{print "\e[?25h\e[u"; exit};
# White on black, clear the screen, hide the cursor.
print "\e[40;37m\e[2J\e[?25l";
while (1) {
  print "\e[0;0H";    # cursor to top-left so each pass overwrites the previous one
  # -v adds packet/byte counters; -Z zeroes them after listing, so every pass
  # shows only the traffic seen since the previous pass (one second earlier).
  my %output = map {$_ => scalar `/sbin/iptables -t $_ -L -v -Z`} @types;
  foreach my $type (@types) {
    # Bold blue banner for the table, padded to 79 columns.
    print "\e[01;34m------", uc($type), '-' x (73 - length($type)), "\n";
    # Drop the column-header line of chains that contain no rules.
    $output{$type} =~ s/ pkts[^\n]*\n(\n|Zeroing)/$1/gs;
    foreach my $line (split /\n/, $output{$type}) {
      next if $line =~ m/^Zeroing/ || $line eq '';
      # Colour by counter: rule lines start with the pkts column, chain lines
      # carry "N packets". Hits on DROP/DENY/REJECT are red, other hits green,
      # idle entries white; lines without a counter are yellow.
      print $line =~ m/^\s*(\d+)/ || $line =~ m/(\d+) packets/
        ? ($1 > 0
          ? ($line =~ m/DROP|DENY|REJECT/
            ? "\e[01;40;31m"
            : "\e[01;40;32m")
          : "\e[00;40;37m")
        : "\e[00;40;33m";
      print "\e[K$line\e[01;40;37m\n";   # \e[K clears the rest of the line
    }
  }
  print "\e[s";    # save the cursor position (restored by the INT handler)
  sleep 1;
}

Sample output:

------NAT----------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 173 packets, 22610 bytes)
Chain POSTROUTING (policy ACCEPT 107 packets, 7820 bytes)
Chain OUTPUT (policy ACCEPT 107 packets, 7820 bytes)
------MANGLE-------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 740 packets, 61407 bytes)
Chain INPUT (policy ACCEPT 709 packets, 58383 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 959 packets, 457K bytes)
Chain POSTROUTING (policy ACCEPT 960 packets, 457K bytes)
------FILTER-------------------------------------------------------------------
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   722 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere            
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere            
Chain OUTPUT (policy ACCEPT 31157 packets, 13M bytes)
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any 
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere            
    2   394 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:mdns 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ipp 
    6   328 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 
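As an added example that is not part of the post or of Dr. Mu's script, this Python parses the same `iptables -L -v` text the Perl loop consumes, handles the K/M/G suffixes iptables prints for large counters, and applies the script's red/green/white rule to return the rules that blocked traffic in the interval. The sample is constructed from the FILTER output above with one REJECT hit added; the parser assumes every rule line has a target column, as in the sample.

```python
import re

# Constructed sample, modelled on the FILTER output above, with one REJECT hit added.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 31157 packets, 13M bytes)
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6   328 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    3   180 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
Zeroing chain `INPUT'
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|(\d+) references)\)")
# pkts bytes target prot opt in out source destination [match options]; assumes every rule has a target.
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
BLOCKING = {"DROP", "DENY", "REJECT"}

def to_int(token):
    """Without -x, iptables -v abbreviates large counters as K/M/G (multiples of 1000)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m: raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[m.group(2)]

def parse_table(text):
    """Turn one table's `iptables -L -v` listing into chain dicts, each carrying its rules."""
    chains, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith(" pkts") or line.startswith("Zeroing"):
            continue  # blank lines, column headers and the -Z confirmation carry no counters
        m = CHAIN_RE.match(line)
        if m:
            current = {"name": m.group(1), "policy": m.group(2),
                       "pkts": to_int(m.group(3)) if m.group(3) else None,
                       "bytes": to_int(m.group(4)) if m.group(4) else None, "rules": []}
            chains.append(current)
        elif current is not None and (m := RULE_RE.match(line)):
            current["rules"].append({"pkts": to_int(m.group(1)), "bytes": to_int(m.group(2)),
                                     "target": m.group(3), "extra": m.group(9).strip(),
                                     **dict(zip(("prot", "in", "out", "src", "dst"), m.groups()[3:8]))})
    return chains

def classify(rule):
    """The Perl script's colouring: red for hits on a blocking target, green for other hits, white if idle."""
    return "idle" if rule["pkts"] == 0 else "blocked" if rule["target"] in BLOCKING else "passed"

def blocked_hits(chains):
    """Rules that dropped or rejected traffic since the counters were last zeroed."""
    return [(c["name"], r["target"], r["pkts"], r["extra"])
            for c in chains for r in c["rules"] if classify(r) == "blocked"]
```

Feeding `blocked_hits(parse_table(...))` the output of each `iptables -t <table> -L -v -Z` pass gives a machine-readable version of the red lines the script paints, suitable for logging or alerting instead of a terminal display.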

Blog at WordPress.com.