Low tech iptables+ulog

Firewall rules:

#!/bin/bash
#

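# Tools are referenced by absolute path, so the script does not depend
# on the caller's PATH.
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

EXTIF="eth0"
echo " External Interface: $EXTIF"

# Read the address of $EXTIF from ifconfig: skip the line that carries
# the interface name, then on the next line take the text between the
# first ':' and the following space. The command is continued with a
# backslash so that awk receives its program as an argument.
# NOTE(review): this expects the "inet addr:A.B.C.D" output layout; an
# ifconfig that prints a different layout yields an empty string.
EXTIP="$($IFCONFIG $EXTIF | $AWK \
    /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}')"
echo " External IP: $EXTIP"
echo " ---"

# Every later rule that names $EXTIP is malformed when the lookup came
# back empty, while the final catch-all drop rule would still load.
# Stop here, before the running ruleset is flushed.
if [ -z "$EXTIP" ]; then
    echo " Could not determine the address of $EXTIF; firewall left unchanged." >&2
    exit 1
fi

LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"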

# Flush all chains
# -F empties every chain of the filter table; it neither deletes
# user-defined chains nor changes chain policies.
# NOTE(review): no -P policy is set anywhere in this script, so between
# this flush and the last rule below traffic is governed by whatever
# policies were already in place - confirm they are what you expect.
$IPTABLES -F

echo " Creating a DROP chain.."
# -N fails when the chain survives from an earlier run; that error is
# discarded and the chain (just emptied by -F) is reused.
$IPTABLES -N drop-it 2> /dev/null
#$IPTABLES -A drop-it -j LOG --log-level info
$IPTABLES -A drop-it -j DROP

echo " Creating a DROP and LOG chain.."
# Packets sent to this chain are recorded twice before being dropped:
# once through LOG at level "info", once through ULOG on netlink group 1
# with the prefix DROP.
# NOTE(review): neither logging rule carries a rate limit (-m limit), so
# log volume follows the volume of dropped traffic.
$IPTABLES -N drop-and-log-it 2> /dev/null
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j ULOG --ulog-nlgroup 1 --ulog-prefix DROP
$IPTABLES -A drop-and-log-it -j DROP

#Allow anything on loopback
# Accepts packets that arrive on lo with either 127.0.0.1 or the host's
# own external address as source.
$IPTABLES -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPTABLES -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT

#Allow various traffic from our network
# ssh is limited to sources in 130.126.184.0/21.
# NOTE(review): the port 81 rule has no -s restriction, so it accepts
# connections from any source, not only "our network" - confirm that is
# intended.
$IPTABLES -A INPUT -p tcp --dport ssh -d $EXTIP -s 130.126.184.0/21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 81 -d $EXTIP -j ACCEPT

#Allows for ntp
# NOTE(review): the ntp and named rules match on the UDP source port
# only. The source port is chosen by the sender, so these rules accept
# any UDP packet that claims port 123 or 53 as its origin. Replies to
# queries this host sent are already accepted by the ESTABLISHED,RELATED
# rule further down; check whether these four rules are still needed,
# and if they are, narrow them with -s to the known servers.
$IPTABLES -A INPUT -p UDP --sport 123 --dport 1024:65535 -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -p UDP --sport 123 --dport 123 -d $EXTIP -j ACCEPT
#Allows for named
$IPTABLES -A INPUT -p UDP --sport 53 --dport 1024:65535 -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -p UDP --sport 53 --dport 53 -d $EXTIP -j ACCEPT

#Drop broadcasts
# Dropped with a plain DROP, i.e. without a log entry.
$IPTABLES -A INPUT -d 130.126.191.255 -j DROP
$IPTABLES -A INPUT -d 255.255.255.255 -j DROP
#Drop other annoying ports
# Also dropped without logging; because these rules sit before the
# catch-all below, traffic to these ports never reaches the log.
$IPTABLES -A INPUT -p tcp -m multiport --destination-ports 113,139 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --destination-ports 67,137,138,513,520,631 -j DROP
# Only a single entry to rule them all and in the darkness see them
# (C) Bob Toxen, Real World Linux Security, Sec Ed, pg 473
# Accepts packets that connection tracking associates with an existing
# or related connection, in all three built-in chains.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything on INPUT that no rule above matched is logged and dropped.
# NOTE(review): OUTPUT and FORWARD get no closing rule; packets that are
# not ESTABLISHED/RELATED there fall through to the chain policy, which
# this script does not set.
$IPTABLES -A INPUT -j drop-and-log-it
#$IPTABLES -A OUTPUT -j ACCEPT
#$IPTABLES -A FORWARD -j ACCEPT

Perl scripts:
Sorted by timestamp:

#!/usr/bin/perl
#

use DBI;
use Net::DNS;

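# Builds an HTML report of the packets the firewall dropped during the
# last 28 days, one row per source address and destination port, ordered
# by the time of the most recent drop. Rows come from the ulog table of
# the ulogd database; sources inside 130.126.0.0/16 are resolved to
# their PTR name. The page is written to standard output.
use strict;
use warnings;

# Report version, taken from the RCS revision keyword.
our $VERSION = sprintf "%d.%03d", q$Revision: 1.12 $ =~ /: (\d+)\.(\d+)/;

# Both patterns are anchored. A PTR name is supplied by whoever runs the
# reverse zone, so a name that merely contains the campus domain must
# not be treated as a campus host, and an address that merely contains
# "130.126" must not be treated as a campus address.
my $LOCAL_NET_RE     = qr/\A130\.126\./;
my $HILITE_DOMAIN_RE = qr/(?:\A|\.)urh\.uiuc\.edu\.?\z/i;

my $res = Net::DNS::Resolver->new();

# NOTE(review): the credentials are placeholders. Keep the real ones out
# of the script, e.g. in an option file readable only by the account
# that runs the report (DBD::mysql can load one through the
# mysql_read_default_file DSN attribute).
my $database = "ulogd";
my $user     = "username";
my $password = "password";

my $dbh = DBI->connect("DBI:mysql:$database",
    $user,
    $password,
    { PrintError => 0 });

die "Unable to connect to server: $DBI::errstr"
    unless $dbh;

my $rowcount = 0;
my $hilite   = "#1b7de3";
my %hostname_for;    # address => name, so each address is resolved once

# Returns $text with the characters that are special in HTML replaced by
# entities; undef (a NULL column) becomes the empty string.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Returns the PTR name of $ip when $ip lies in the local network and a
# PTR record is found, and $ip itself otherwise. Net::DNS turns an
# address argument into the matching PTR query. When several PTR records
# come back, the last one is used.
sub lookup_hostname {
    my ($ip) = @_;
    return '' unless defined $ip;
    return $ip unless $ip =~ $LOCAL_NET_RE;
    return $hostname_for{$ip} if exists $hostname_for{$ip};

    my $name  = $ip;
    my $reply = $res->search($ip);
    if ($reply) {
        foreach my $rr ($reply->answer) {
            next unless $rr->type eq "PTR";
            $name = $rr->ptrdname;
        }
    }
    $hostname_for{$ip} = $name;
    return $name;
}

#$statement = "select FROM_UNIXTIME(oob_time_sec),";
#$statement .= "INET_NTOA(ip_saddr),INET_NTOA(ip_daddr),";
#$statement .= "tcp_dport,udp_dport,ip_protocol from ulog;";

# The statement is a constant; nothing from outside is interpolated.
# NOTE(review): icmp_type is selected without being aggregated or
# grouped, so the value shown per row is whichever one the server picks.
my $statement = "select COUNT(id) as Count,FROM_UNIXTIME(MIN(oob_time_sec)) as MIN, FROM_UNIXTIME(MAX(oob_time_sec)) as MAX,";
$statement .= "INET_NTOA(ip_saddr), tcp_dport, udp_dport, icmp_type from ulog ";
$statement .= "where FROM_UNIXTIME(oob_time_sec) > DATE_SUB(CURDATE(), INTERVAL 28 DAY) ";
$statement .= "group by ip_saddr,tcp_dport,udp_dport ";
$statement .= "order by MAX desc;";

my $sth = $dbh->prepare($statement)
    or die "Unable to prepare report query: " . ($dbh->errstr || 'unknown error');

my $current = localtime();
print "<html><head><title>PortSentry Repeat Offenders: $current</title></head>\n";
print "<body>\n";
print "<h1>Blocked Hosts List on tuxedo</h1>\n";
print "<p>This table is automatically generated from iptables logs on Bullseye.</p>\n";
print "<p>Blocked hosts lists: Sorted by last scan or Sorted by IP Address</p>\n";
print "<p>Port 631 (IPP) can be safely ignored. This is not a production service!</p>\n";
print "<p>This is only the last 28 days of data.</p>\n";

if ($sth->execute) {
    print "<table border=\"1\">\n";
    print "<tr><th>IP</th><th>Hostname</th><th>First</th><th>Last</th>",
        "<th>TCP Port</th><th>UDP Port</th><th>ICMP</th><th>Count</th></tr>\n";
    while (my @row = $sth->fetchrow_array) {
        $rowcount++;
        # 0 = count, 1 = first, 2 = last, 3 = ip, 4 = tcp,
        # 5 = udp, 6 = icmp
        my ($count, $first, $last, $ip, $tcp, $udp, $icmp) = @row;

        # Attempt to resolve addrs
        my $hostname = lookup_hostname($ip);

        # Rows for hosts under urh.uiuc.edu get the highlight colour.
        my $bg = ($hostname =~ $HILITE_DOMAIN_RE) ? $hilite : "FFFFFF";

        # Every cell is escaped: the hostname comes from DNS and the
        # other values from the database, none of it is trusted markup.
        print "<tr bgcolor=\"$bg\">";
        print "<td>", escape_html($_), "</td>"
            for ($ip, $hostname, $first, $last, $tcp, $udp, $icmp, $count);
        print "</tr>\n";
    }
    print "</table>\n";
    print "<p>Total row count: $rowcount</p>\n";
}
else {
    # Report the failure on STDERR only; database error text does not
    # belong in the published page.
    warn "Report query failed: " . ($sth->errstr || 'unknown error') . "\n";
}

$dbh->disconnect;

$current = localtime();
print "<p>Generated: $current<br>\n";
print "Version: $VERSION</p>\n";
print "</body></html>\n";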

Sorted by IP address:

#!/usr/bin/perl
#

use DBI;
use Net::DNS;

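# Builds an HTML report of the packets the firewall dropped during the
# last 28 days, one row per source address and destination port, ordered
# by source address. Rows come from the ulog table of the ulogd
# database; sources inside 130.126.0.0/16 are resolved to their PTR
# name. The page is written to standard output.
use strict;
use warnings;

# Report version, taken from the RCS revision keyword.
our $VERSION = sprintf "%d.%03d", q$Revision: 1.7 $ =~ /: (\d+)\.(\d+)/;

# Both patterns are anchored. A PTR name is supplied by whoever runs the
# reverse zone, so a name that merely contains the campus domain must
# not be treated as a campus host, and an address that merely contains
# "130.126" must not be treated as a campus address.
my $LOCAL_NET_RE     = qr/\A130\.126\./;
my $HILITE_DOMAIN_RE = qr/(?:\A|\.)urh\.uiuc\.edu\.?\z/i;

my $res = Net::DNS::Resolver->new();

# NOTE(review): the credentials are placeholders. Keep the real ones out
# of the script, e.g. in an option file readable only by the account
# that runs the report (DBD::mysql can load one through the
# mysql_read_default_file DSN attribute).
my $database = "ulogd";
my $user     = "username";
my $password = "password";

my $dbh = DBI->connect("DBI:mysql:$database",
    $user,
    $password,
    { PrintError => 0 });

die "Unable to connect to server: $DBI::errstr"
    unless $dbh;

my $rowcount = 0;
my $hilite   = "#1b7de3";
my %hostname_for;    # address => name, so each address is resolved once

# Returns $text with the characters that are special in HTML replaced by
# entities; undef (a NULL column) becomes the empty string.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Returns the PTR name of $ip when $ip lies in the local network and a
# PTR record is found, and $ip itself otherwise. Net::DNS turns an
# address argument into the matching PTR query. When several PTR records
# come back, the last one is used.
sub lookup_hostname {
    my ($ip) = @_;
    return '' unless defined $ip;
    return $ip unless $ip =~ $LOCAL_NET_RE;
    return $hostname_for{$ip} if exists $hostname_for{$ip};

    my $name  = $ip;
    my $reply = $res->search($ip);
    if ($reply) {
        foreach my $rr ($reply->answer) {
            next unless $rr->type eq "PTR";
            $name = $rr->ptrdname;
        }
    }
    $hostname_for{$ip} = $name;
    return $name;
}

#$statement = "select FROM_UNIXTIME(oob_time_sec),";
#$statement .= "INET_NTOA(ip_saddr),INET_NTOA(ip_daddr),";
#$statement .= "tcp_dport,udp_dport,ip_protocol from ulog;";

# The statement is a constant; nothing from outside is interpolated.
# NOTE(review): icmp_type is selected without being aggregated or
# grouped, so the value shown per row is whichever one the server picks.
my $statement = "select COUNT(id) as Count,FROM_UNIXTIME(MIN(oob_time_sec)) as MIN, FROM_UNIXTIME(MAX(oob_time_sec)) as MAX,";
$statement .= "INET_NTOA(ip_saddr), tcp_dport, udp_dport, icmp_type from ulog ";
$statement .= "where FROM_UNIXTIME(oob_time_sec) > DATE_SUB(CURDATE(), INTERVAL 28 DAY) ";
$statement .= "group by ip_saddr,tcp_dport,udp_dport ";
$statement .= "order by ip_saddr;";

my $sth = $dbh->prepare($statement)
    or die "Unable to prepare report query: " . ($dbh->errstr || 'unknown error');

my $current = localtime();
print "<html><head><title>PortSentry Repeat Offenders: $current</title></head>\n";
print "<body>\n";
print "<h1>Blocked Hosts List on tuxedo</h1>\n";
print "<p>This table is automatically generated from iptables logs on Bullseye.</p>\n";
print "<p>Blocked hosts lists: Sorted by last scan or Sorted by IP Address</p>\n";
print "<p>Port 631 (IPP) can be safely ignored. This is not a production service!</p>\n";
print "<p>This is only the last 28 days of data.</p>\n";

if ($sth->execute) {
    print "<table border=\"1\">\n";
    print "<tr><th>IP</th><th>Hostname</th><th>First</th><th>Last</th>",
        "<th>TCP Port</th><th>UDP Port</th><th>ICMP</th><th>Count</th></tr>\n";
    while (my @row = $sth->fetchrow_array) {
        $rowcount++;
        # 0 = count, 1 = first, 2 = last, 3 = ip, 4 = tcp, 5 = udp, 6 = icmp
        my ($count, $first, $last, $ip, $tcp, $udp, $icmp) = @row;

        # Attempt to resolve addrs
        my $hostname = lookup_hostname($ip);

        # Rows for hosts under urh.uiuc.edu get the highlight colour.
        my $bg = ($hostname =~ $HILITE_DOMAIN_RE) ? $hilite : "FFFFFF";

        # Every cell is escaped: the hostname comes from DNS and the
        # other values from the database, none of it is trusted markup.
        print "<tr bgcolor=\"$bg\">";
        print "<td>", escape_html($_), "</td>"
            for ($ip, $hostname, $first, $last, $tcp, $udp, $icmp, $count);
        print "</tr>\n";
    }
    print "</table>\n";
    print "<p>Total row count: $rowcount</p>\n";
}
else {
    # Report the failure on STDERR only; database error text does not
    # belong in the published page.
    warn "Report query failed: " . ($sth->errstr || 'unknown error') . "\n";
}

$dbh->disconnect;

$current = localtime();
print "<p>Generated: $current<br>\n";
print "Version: $VERSION</p>\n";
print "</body></html>\n";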