It is always a good idea, when running open source firewalls (iptables, pf, etc.), to build in as much reporting and verbosity as possible.
Having verbose reports on the state of your firewall, intrusion attempts and other information is key to ensuring the health and integrity of your network.
Somewhere along the line we wrote a script that produces a daily report on intrusion attempts against our network — in practice these are the hosts that ended up in our firewall tables after exceeding certain connection thresholds.
It may not be the most informative data, but the script can be modified to provide other important statistical information. It can also be modified to be used with other firewall implementations. I’m certain it wouldn’t be hard to convert this script to utilise iptables.
Below you will find the script itself — it can be run daily from cron. Also note that the script tries to resolve a hostname for each IP address, to give the security administrators some quick & easy context when deciding whether they are looking at a coordinated attack or at attacks coming from compromised systems.
#!/bin/bash
# SDH PFCTL Daily Hack Table check
# Uses BSD date(1) (-v -1d). pfctl prints ctime(3) timestamps, e.g. "Mar  4", and %e pads
# single-digit days with a space, so "$yesterday1 $yesterday2" lines up with that output.

yesterday1=`date -v -1d +"%b"`
yesterday2=`date -v -1d +"%e"`
yesterday_display=`date -v -1d +"%b %d %Y"`

echo "" > /var/log/tablecheck.log
/sbin/pfctl -vvsTables > /var/log/pfctltables.log

echo "Firewall Table Audit: " $yesterday_display >> /var/log/tablecheck.log
echo -e "----------------------------------" >> /var/log/tablecheck.log
echo -e "" >> /var/log/tablecheck.log

# Persistent, active, referenced tables carry the flags "-pa-r-"; the table name is the
# second tab-separated field. "-e" stops grep from reading a pattern starting with "-" as options.
for obj0 in $(cat /var/log/pfctltables.log | grep -e "-pa-r-" | awk -F "\t" '{printf "%s\n", $2}'); do
    echo -e $obj0 "TABLE" >> /var/log/tablecheck.log
    echo -e "--------------" >> /var/log/tablecheck.log
    # this is because the date command outputs single digit non-aligned right, but pfctl doesn't display that way :(
    if [ "$yesterday2" -le 9 ]
    then
        /sbin/pfctl -t $obj0 -Tshow -vv | grep -A 4 -B 1 "$yesterday1 $yesterday2" >> /var/log/tablecheck.log 2>&1
    else
        /sbin/pfctl -t $obj0 -Tshow -vv | grep -A 4 -B 1 "$yesterday1 $yesterday2" >> /var/log/tablecheck.log 2>&1
    fi
    # $? is grep's status from the branch above: 1 means no entry carried yesterday's date
    if [ "$?" -eq 1 ]
    then
        echo -e "No values found for yesterday" >> /var/log/tablecheck.log
        echo -e "" >> /var/log/tablecheck.log
    else
        echo -e "Hostnames :" >> /var/log/tablecheck.log
        # the line before each matching "Cleared:" timestamp is the address itself;
        # "--" is grep's context separator, so it is dropped (again with -e, so grep does not treat it as end-of-options)
        for obj1 in $(/sbin/pfctl -t $obj0 -Tshow -vv | grep -B 1 "$yesterday1 $yesterday2" | grep -v "Cleared" | grep -v -e "--"); do
            iphostnm=`/usr/bin/nslookup $obj1 | grep -A1 "Non-authoritative answer" | grep "name" | awk -F "=" '{printf "%s\n", $2}'`
            # test the result rather than $?: the pipeline's status is awk's, which is 0 even when nothing resolved
            if [ -n "$iphostnm" ]
            then
                echo -e "$obj1 / $iphostnm" >> /var/log/tablecheck.log
            else
                echo -e "$obj1 / No host name found" >> /var/log/tablecheck.log
            fi
        done
        echo -e "" >> /var/log/tablecheck.log
    fi
done

cat /var/log/tablecheck.log | mail -s "Firewall Table Report" you@youremail.com
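As an added example that is not part of the original post, here is the same daily check done by parsing the `pfctl -t <table> -Tshow -vv` output into records and comparing dates, which sidesteps the single-digit-day alignment problem the script's comment worries about, skips reverse lookups for network entries, and reports a failed lookup from the resolver's error rather than from a pipeline exit status. The sample output and the function names (`parse_tshow`, `added_on`, `hostname_for`) are constructed for this example.

```python
import re
import socket
from datetime import datetime, date

# Constructed sample shaped like `pfctl -t <table> -Tshow -vv` output (ctime(3) timestamps,
# so single-digit days carry two spaces). Only the In/Block counters are shown.
SAMPLE = """\
   192.0.2.10
\tCleared:     Tue Mar  4 23:15:02 2025
\tIn/Block:    [ Packets: 12                 Bytes: 720                ]
   198.51.100.7
\tCleared:     Mon Mar  3 08:02:41 2025
\tIn/Block:    [ Packets: 3                  Bytes: 180                ]
   203.0.113.0/24
\tCleared:     Tue Mar  4 01:00:00 2025
\tIn/Block:    [ Packets: 40                 Bytes: 2400               ]
"""

ADDR_RE = re.compile(r"^\s+(\S+)\s*$")
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")
COUNTER_RE = re.compile(r"^\s*(In|Out)/(Block|Pass):\s+\[\s*Packets:\s+(\d+)\s+Bytes:\s+(\d+)")

def parse_tshow(text):
    """One dict per table entry: addr, cleared (when the entry was added or its counters reset), counters."""
    entries, cur = [], None
    for line in text.splitlines():
        if (m := COUNTER_RE.match(line)) and cur is not None:
            cur["counters"][f"{m[1].lower()}_{m[2].lower()}"] = (int(m[3]), int(m[4]))
        elif (m := CLEARED_RE.match(line)) and cur is not None:
            # parse the timestamp instead of grepping a text pattern, so day padding never matters
            cur["cleared"] = datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y")
        elif (m := ADDR_RE.match(line)):
            cur = {"addr": m[1], "cleared": None, "counters": {}}
            entries.append(cur)
    return entries

def added_on(text, day_iso):
    """Entries whose Cleared timestamp falls on the given day (ISO date string, e.g. '2025-03-04')."""
    day = date.fromisoformat(day_iso)
    return [e for e in parse_tshow(text) if e["cleared"] and e["cleared"].date() == day]

def hostname_for(addr, resolver=socket.gethostbyaddr):
    """Reverse-resolve one address; network entries (x/len) and failed lookups get a marker."""
    if "/" in addr:
        return "network entry, not resolved"
    try:
        return resolver(addr)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return "No host name found"
```

Run `added_on(SAMPLE, "2025-03-04")` to get the two entries added that day; with real data, feed it the output of `pfctl -t <table> -Tshow -vv` and yesterday's ISO date.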
Enjoy!