[PLUG] quickie iptables log scan scripts

mikeraz at patch.com mikeraz at patch.com
Sat Jun 1 13:53:36 UTC 2002


On Wed, May 22, 2002 at 10:29:00AM -0700, Paul Heinlein typed:
> With all the reports of that SQL Server script the kiddiez are using 
> these days -- and the continued Code Red scans that hit my box -- I'd 
> thought I'd whip up a couple little tools to give me some stats.
> [snip]

Another iptables tip:

Consider adding two chains to your installation called log-accept and log-deny
like:

    # create the log-accept chain: log the packet, then accept it
    iptables -N log-accept
    iptables -A log-accept -j LOG --log-prefix "FIREWALL-ID-ACCEPT: " --log-level 6
    iptables -A log-accept -j ACCEPT
    # create the log-deny chain: log the packet, then drop it
    iptables -N log-deny
    iptables -A log-deny -j LOG --log-prefix "FIREWALL-ID-DENY: " --log-level 6
    iptables -A log-deny -j DROP

Follow up by replacing all '-j ACCEPT' and '-j DENY' with '-j log-accept' and
'-j log-deny'.

Then `grep ACCEPT: | <one of Paul's scripts | other useful script>` and check
for unexpected traffic from a misplaced or misformed rule.  Or `grep DENY | ...`
to search for traffic inadvertently being dropped.

In a business setting this will also allow you to quickly and authoritatively
determine if someone's Internet problem is firewall related.  Not that anyone
ever blames the network for a machine configuration error or other problem. :)



-- 
    Michael Rasmussen  aka  mikeraz
   Be appropriate && Follow your curiosity

   "They that give up essential liberty to obtain
   temporary safety, deserve neither liberty nor safety."
                -- Benjamin Franklin

   and the fortune cookie says:
There are few people more often in the wrong than those who cannot endure
to be thought so.
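Added example, not part of Michael's post or Paul's scripts: a small POSIX sh/awk scanner for the kernel LOG lines the log-accept and log-deny chains above produce. It tallies hits per source address and destination port for one tag (ACCEPT or DENY), which is the "check for unexpected traffic" step without any extra tooling. The log lines are constructed to match the kernel's LOG format with the post's prefixes (no real hosts); the function names summarize and top_source are my own.

```shell
#!/bin/sh
# Summarize iptables LOG lines tagged FIREWALL-ID-ACCEPT: / FIREWALL-ID-DENY:.
# Usage on a real box:   summarize DENY < /var/log/messages
#                        top_source ACCEPT < /var/log/messages

# Constructed sample lines (not captured from a real host). Format follows the
# kernel LOG target: "<prefix> IN=... OUT=... SRC=... DST=... PROTO=... DPT=...".
SAMPLE_LOG=$(cat <<'EOF'
May 22 10:31:02 gw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=113 ID=1234 DF PROTO=TCP SPT=3045 DPT=1433 WINDOW=16384 SYN URGP=0
May 22 10:31:05 gw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=113 ID=1235 DF PROTO=TCP SPT=3046 DPT=1433 WINDOW=16384 SYN URGP=0
May 22 10:32:11 gw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=52 ID=7 DF PROTO=TCP SPT=41120 DPT=80 WINDOW=5840 SYN URGP=0
May 22 10:32:40 gw kernel: FIREWALL-ID-DENY: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=50 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
May 22 10:33:01 gw kernel: FIREWALL-ID-ACCEPT: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=60 TTL=64 ID=20 DF PROTO=TCP SPT=50211 DPT=22 WINDOW=5840 SYN URGP=0
May 22 10:33:09 gw kernel: FIREWALL-ID-ACCEPT: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=60 TTL=64 ID=21 DF PROTO=TCP SPT=50212 DPT=22 WINDOW=5840 SYN URGP=0
May 22 10:34:15 gw kernel: FIREWALL-ID-ACCEPT: IN=eth0 OUT= SRC=192.0.2.80 DST=192.0.2.10 LEN=60 TTL=64 ID=22 DF PROTO=TCP SPT=33007 DPT=25 WINDOW=5840 SYN URGP=0
EOF
)

# summarize <ACCEPT|DENY>: read log lines on stdin, print "count src dport"
# for the given tag, most frequent first. Lines without a DPT= field (ICMP,
# for instance) are reported with "-" as the port.
summarize() {
    tag="$1"
    grep "FIREWALL-ID-$tag: " | awk '{
        src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") print src, dpt
    }' | sort | uniq -c | sort -rn
}

# top_source <ACCEPT|DENY>: the source address with the most lines for that tag
top_source() {
    summarize "$1" | head -n 1 | awk '{ print $2 }'
}

# Stand-alone demo over the constructed sample
echo "== DENY =="
printf '%s\n' "$SAMPLE_LOG" | summarize DENY
echo "== ACCEPT =="
printf '%s\n' "$SAMPLE_LOG" | summarize ACCEPT
```

Reading the DENY summary top-down shows what is being refused and by whom (a single source hammering one port reads very differently from a spread of hosts on one port you meant to allow); the ACCEPT summary read the same way is the check for a rule that is letting through more than you intended.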