This may come in handy. Linux ipchains masquerading makes for a decent poor
man's semi-stateful firewall, but introduces a particular problem to the analyst: When
reviewing firewall or external (untrusted) IDS logs, how to correlate the high port
numbers with internal hosts? The following shell script will create a gzipped log of
the ip masq (NAT) table, updated periodically. The output of this is ugly, but does
the trick.
This script is pretty basic. Just tweak your LOGFILE and MAX values to suit your
taste and run it with your preferred logging interval. I suggest 59 seconds, as you
should catch all icmp, udp and tcp masqings if you haven't altered the default
ipchains -M timeout settings. I set the MAX to 160 because of the default udp
timeout value. I
suggest you read the ip masquerading howto if you aren't familiar with how this works.
Suggestions are welcome.
George Bakos - Systems Security Engineer
Electronic Warfare Associates - IIT
[EMAIL PROTECTED]
p.s. Don't forget to add a /var/log/masqtrk section to your /etc/logrotate.conf
#!/bin/sh
# Pull a copy of the masquerade (NAT) table periodically and
# gzip it to a file for use in correlating logs against internal
# host ip addresses.
# Revision history
# 10/1/2000 14:20 A conversation with Bill Scherr ([EMAIL PROTECTED])
# 10/2/2000 00:30 First (this) attempt
# Copyright (C) 2000 George Bakos ([EMAIL PROTECTED])
# The author requires that any copies or derived works include this
# copyright notice; no other restrictions are placed on its use.
#
# Source function library (Red Hat init helpers: killproc, status).
. /etc/rc.d/init.d/functions
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
MAX=160
LOGFILE=/var/log/masqtrk
INTERVAL=$1
RETVAL=0
#Do ipchains and gzip exist?
[ -x /sbin/ipchains ] || [ -x /usr/sbin/ipchains ] || exit 1
[ -x /bin/gzip ] || [ -x /usr/bin/gzip ] || exit 1
if [ -n "$1" ] ; then
    case "$1" in
    stop)
        echo "Shutting down masqtrk"
        killproc masqtrk
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/masqtrk
        ;;
    status)
        status masqtrk
        RETVAL=$?
        ;;
    *)
        # The interval must be a whole number from 1 to $MAX; the 2>/dev/null
        # hides test's "integer expression expected" noise on non-numeric input.
        if [ "$INTERVAL" -ge 1 ] 2>/dev/null && [ "$INTERVAL" -le "$MAX" ] ; then
            #Check to see if masqtrk is already running
            if [ ! -f /var/lock/subsys/masqtrk ] ; then
                touch /var/lock/subsys/masqtrk
                #Start the loop and get a timestamp for each cycle
                while true ; do
                    DATE=$(date +'%k:%M:%S %D')
                    # All we need is the data...none of the field labels, please.
                    # The two header lines match 'masq' and 'prot', so drop them.
                    LIST=$(ipchains -L -M -n | egrep -v '(masq|prot)')
                    # printf keeps one entry per line (an unquoted echo would
                    # collapse them onto one line). Every cycle appends a new
                    # gzip member; zcat/gunzip read the members back as one stream.
                    printf '%s\n%s\n' "$DATE" "$LIST" | gzip >> "$LOGFILE"
                    sleep "$INTERVAL"
                done
            else
                RETVAL=1
                echo "masqtrk is already running"
            fi
        else
            RETVAL=1
            echo "$INTERVAL is not a valid interval"
            echo "Usage: masqtrk {logging interval from 1 to $MAX seconds | stop | status}"
        fi
        ;;
    esac
else
    RETVAL=1
    echo "Usage: masqtrk {logging interval from 1 to $MAX seconds | stop | status}"
fi
exit $RETVAL
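The analyst's side of this, as an added example that is not part of the original post: read the gzipped masqtrk log back and answer the question raised above, which internal host sat behind a given masqueraded port at the time an IDS or firewall entry was logged. The entry layout (proto, expire, source, destination, "sport (masqport) -> dport") follows ipchains -L -M -n output as I recall it, the timestamp lines are assumed to be one per cycle as the script writes them, and the log bytes below are a constructed sample.

```python
import gzip
import io
import re
from datetime import datetime

# One timestamp line per cycle (date +'%k:%M:%S %D'), then the entry lines.
SNAPSHOT_RE = re.compile(r'^(\d{1,2}:\d{2}:\d{2} \d{2}/\d{2}/\d{2})$')
# ipchains -L -M -n entry: proto expire source destination sport (masqport) -> dport
ENTRY_RE = re.compile(
    r'^(TCP|UDP|ICMP)\s+\S+\s+(\S+)\s+(\S+)\s+(\d+)\s+\((\d+)\)\s+->\s+(\d+)')

def parse_masqtrk(data):
    """Yield (snapshot_time, proto, src, dst, sport, masq_port, dport) from a
    masqtrk log; the appended gzip members are read as one stream."""
    snap = None
    with gzip.open(io.BytesIO(data), 'rt') as fh:
        for raw in fh:
            line = raw.strip()          # %k pads the hour with a space
            m = SNAPSHOT_RE.match(line)
            if m:
                snap = datetime.strptime(m.group(1), '%H:%M:%S %m/%d/%y')
                continue
            e = ENTRY_RE.match(line)
            if e and snap is not None:
                proto, src, dst, sport, mport, dport = e.groups()
                yield snap, proto, src, dst, int(sport), int(mport), int(dport)

def find_internal_host(data, proto, masq_port, seen_at, window=60):
    """Return (src, dst, dport) for the entry holding masq_port in the snapshot
    closest to seen_at (within window seconds), or None if nothing matches.
    Masqueraded ports get reused, so the timestamp is what disambiguates."""
    best = None
    for snap, p, src, dst, sport, mport, dport in parse_masqtrk(data):
        delta = abs((snap - seen_at).total_seconds())
        if p == proto and mport == masq_port and delta <= window:
            if best is None or delta < best[0]:
                best = (delta, src, dst, dport)
    return best[1:] if best else None

def _cycle(stamp, entries):    # constructed sample: one gzip member per cycle
    return gzip.compress((stamp + '\n' + '\n'.join(entries) + '\n').encode())

SAMPLE_LOG = _cycle('14:20:05 10/02/00', [
    'TCP  14:59.41 192.168.1.5   203.0.113.10  1234 (61001) -> 80',
    'UDP  02:27.58 192.168.1.7   203.0.113.53  1025 (61002) -> 53',
]) + _cycle('14:21:04 10/02/00', [
    'TCP  14:58.02 192.168.1.5   203.0.113.10  1234 (61001) -> 80',
    'TCP  14:59.90 192.168.1.9   203.0.113.25  2001 (61002) -> 25',
])

if __name__ == '__main__':
    print(find_internal_host(SAMPLE_LOG, 'UDP', 61002,
                             datetime(2000, 10, 2, 14, 20, 30)))
```

Run against a real /var/log/masqtrk by passing open(path, 'rb').read() instead of SAMPLE_LOG, with the IDS entry's timestamp and the masqueraded port it recorded.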