Here is a way to monitor iptables in real time without any external programs or modules. It uses Perl to parse the output of the iptables list command.
A note from the original author:
To be effective, the xterm window needs to be at least as high as the output, else scrolling will ruin the visual effect. Also, the code may be iptables version-dependent, as it matches certain keywords for the formatting. Once started, it can be stopped with a Ctrl-C, which will restore some of the display settings.
I cannot take credit for writing this. The original source is available at Perlmonks.org under the topic "Real-time Iptables Monitor", written by Dr. Mu.
The code:
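#!/usr/bin/perl
use strict;
use warnings;

my @types = qw/nat mangle filter/;

# On Ctrl-C: show the cursor again and return to the saved position.
$SIG{INT} = sub { print "\e[?25h\e[u"; exit };

# White on black, clear the screen, hide the cursor.
print "\e[40;37m\e[2J\e[?25l";

while (1) {
    print "\e[0;0H";    # home the cursor and redraw in place
    # -Z zeroes the counters after listing, so each pass shows the last interval only.
    my %output = map { $_ => scalar `/sbin/iptables -t $_ -L -v -Z` } @types;
    foreach my $type (@types) {
        print "\e[01;34m------", uc($type), '-' x (73 - length($type)), "\n";
        # Drop the column-header line of chains that have no rules.
        $output{$type} =~ s/ pkts[^\n]*\n(\n|Zeroing)/$1/gs;
        foreach my $line (split /\n/, $output{$type}) {
            next if $line =~ m/^Zeroing/ || $line eq '';
            # Red: blocking rule with hits; green: other rule with hits;
            # white: no hits; yellow: lines without a packet count.
            print $line =~ m/^\s*(\d+)/ || $line =~ m/(\d+) packets/
                ? ($1 > 0
                    ? ($line =~ m/DROP|DENY|REJECT/ ? "\e[01;40;31m" : "\e[01;40;32m")
                    : "\e[00;40;37m")
                : "\e[00;40;33m";
            print "\e[K$line\e[01;40;37m\n"
        }
    }
    print "\e[s";    # save the cursor position for the Ctrl-C handler
    sleep 1
}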
Sample output:
------NAT----------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 173 packets, 22610 bytes)
Chain POSTROUTING (policy ACCEPT 107 packets, 7820 bytes)
Chain OUTPUT (policy ACCEPT 107 packets, 7820 bytes)
------MANGLE-------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 740 packets, 61407 bytes)
Chain INPUT (policy ACCEPT 709 packets, 58383 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 959 packets, 457K bytes)
Chain POSTROUTING (policy ACCEPT 960 packets, 457K bytes)
------FILTER-------------------------------------------------------------------
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in   out   source     destination
    8   722 RH-Firewall-1-INPUT  all  --  any  any   anywhere   anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in   out   source     destination
    0     0 RH-Firewall-1-INPUT  all  --  any  any   anywhere   anywhere
Chain OUTPUT (policy ACCEPT 31157 packets, 13M bytes)
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target  prot opt in   out   source     destination
    0     0 ACCEPT  all  --  lo   any   anywhere   anywhere
    0     0 ACCEPT  icmp --  any  any   anywhere   anywhere      icmp any
    0     0 ACCEPT  esp  --  any  any   anywhere   anywhere
    0     0 ACCEPT  ah   --  any  any   anywhere   anywhere
    2   394 ACCEPT  udp  --  any  any   anywhere   224.0.0.251   udp dpt:mdns
    0     0 ACCEPT  udp  --  any  any   anywhere   anywhere      udp dpt:ipp
    0     0 ACCEPT  tcp  --  any  any   anywhere   anywhere      tcp dpt:ipp
    6   328 ACCEPT  all  --  any  any   anywhere   anywhere      state RELATED,ESTABLISHED
    0     0 ACCEPT  tcp  --  any  any   anywhere   anywhere      state NEW tcp dpt:http
    0     0 ACCEPT  tcp  --  any  any   anywhere   anywhere      state NEW tcp dpt:ssh
    0     0 REJECT  all  --  any  any   anywhere   anywhere      reject-with icmp-host-prohibited
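The script above passes -Z, so every poll resets the kernel's rule counters, which also wipes the cumulative totals that anything else on the host reads from them. The following added example (not part of Dr. Mu's script) shows a read-only alternative: it parses two snapshots of iptables -L -v -n -x output and reports per-rule packet deltas. The snapshot text is constructed sample data, the function names are hypothetical, and rules are keyed by position, which assumes the ruleset does not change between polls.

```perl
use strict;
use warnings;

# Parse `iptables -L -v -n -x` text into { "CHAIN#N" => [pkts, target] }.
sub parse_counters {
    my ($text) = @_;
    my (%rules, $chain, $n);
    foreach my $line (split /\n/, $text) {
        if ($line =~ /^Chain (\S+)/) { ($chain, $n) = ($1, 0); next }
        # Rule lines begin with two integers (pkts, bytes), then the target.
        next unless defined($chain) && $line =~ /^\s*(\d+)\s+\d+\s+(\S+)/;
        $rules{ "${chain}#" . ++$n } = [$1, $2];
    }
    return \%rules;
}

# Packets gained per rule between two snapshots. A counter that went
# backwards was zeroed by someone else, so its new value is the delta.
sub deltas {
    my ($old, $new) = @_;
    my %d;
    foreach my $key (keys %$new) {
        my $prev = exists $old->{$key} ? $old->{$key}[0] : 0;
        my $cur  = $new->{$key}[0];
        $d{$key} = $cur >= $prev ? $cur - $prev : $cur;
    }
    return \%d;
}

# Constructed sample snapshots, one poll apart (not captured from a real host).
my $t0 = <<'END';
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source       destination
     120     9840 ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
       3      180 REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
END
my $t1 = <<'END';
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     126    10168 ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
       5      300 REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
END
my ($old, $new) = (parse_counters($t0), parse_counters($t1));
my $d = deltas($old, $new);
foreach my $key (sort keys %$d) {
    next unless $d->{$key} > 0;
    my $target = $new->{$key}[1];
    printf "%-8s %-7s +%d pkts%s\n", $key, $target, $d->{$key},
        $target =~ /^(?:DROP|REJECT)$/ ? '  <-- blocked' : '';
}
```

On a live host the two snapshots would come from successive runs of /sbin/iptables -t filter -L -v -n -x; -x prints exact counts instead of abbreviations such as 457K, and -n skips reverse DNS lookups on every refresh.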