##########################################################################
# $Id: iptables,v 1.3 2006/01/16 18:40:31 kirk Exp $
##########################################################################
# $Log: iptables,v $
# Revision 1.3 2006/01/16 18:40:31 kirk
# fixed name to Logwatch (how I like it now)
#
# Revision 1.2 2005/12/06 02:35:43 bjorn
# Report icmp type properly, by Allen Kistler.
#
# Revision 1.1 2005/07/25 22:17:31 bjorn
# Moved iptables (and ipchains, ipfwadm) code to its own service (iptables).
#
##########################################################################
# iptables, ipchains, and ipfwadm script for Logwatch.
# Ipfwadm and ipchains are deprecated, but are included
# here for backwards compatibility.
#
# This script was extracted from the kernel script,
# which processed netfilter (iptables, ipchains, and
# ipfwadm) statements until kernel script Revision 1.29.
#
# Visit the Logwatch website at
# http://www.logwatch.org
##########################################################################
use Logwatch ':ip';
# Runtime settings. Logwatch hands configuration to service scripts through
# the environment; anything that is unset falls back to the defaults below.
$Detail    = $ENV{'LOGWATCH_DETAIL_LEVEL'};
$Detail  ||= 0;                                # 0 = one-line summary per source
$MinFilter = $ENV{'iptables_host_min_count'};
$MinFilter ||= 0;                              # sources with fewer packets get no "From" line
$DoLookup  = $ENV{'iptables_ip_lookup'};
$DoLookup  = $DoLookup;  # keep -w happy: not read in this file (presumably by the Logwatch ':ip' helpers)
$MaxFlood  = 10;  # per-source hit count above which the ipfwadm scan warning is printed
$MaxNum    = 0;   # largest per-source hit count seen so far (ipfwadm branch)
# Map a destination port to its service name via getservbyport(); when the
# port is not known for that protocol, the numeric port is returned unchanged.
sub lookupService {
   my ($port, $proto) = @_;
   my $name = getservbyport($port, $proto);
   return $name || $port;
}
# Map a numeric IP protocol to its name via getprotobynumber(); unknown
# numbers are returned unchanged.
sub lookupProtocol {
   my ($number) = @_;
   my $name = getprotobynumber($number);
   return $name || $number;
}
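# Classify a chain / log-prefix string into one of the report headings.
# The first pattern that matches wins, so a prefix such as "DROP-REJECT" is
# reported as "Rejected". Matching is case-insensitive; anything that matches
# nothing is reported as "Logged".
# (The original also tested /denied/ after /deny/; that branch could never be
# reached because /deny/ already matches "denied", so it has been dropped.)
sub lookupAction {
   my ($chain) = @_;
   my @rules = (
      [ qr/reject/i, 'Rejected' ],
      [ qr/drop/i,   'Dropped'  ],
      [ qr/deny/i,   'Denied'   ],
      [ qr/accept/i, 'Accepted' ],
   );
   for my $rule (@rules) {
      my ($re, $label) = @$rule;
      return $label if $chain =~ $re;
   }
   return 'Logged';
}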
# SORT COMPARISONS
# sort comparator: plain lexicographic order of $a and $b.
sub compStr {
   my $order = $a cmp $b;
   return $order;
}
# sort comparator: numeric order of $a and $b (used for port lists).
sub compNum {
   my $order = $a <=> $b;
   return $order;
}
# Parse the log, one line per iteration. Three formats are recognised, tried
# in this order; a line that matches none of them is ignored:
#   1. "IP fw-in deny ..."                              -> %TCPscan (reported below as an "ipfwadm scan")
#   2. "Packet log: ..."                                -> %ipt     (ipchains)
#   3. "... IN= ... OUT= ... SRC= ... DST= ... PROTO= ..." -> %ipt     (iptables/netfilter)
# %ipt is keyed action -> interface -> src -> dst -> port/type -> proto -> chain info -> count.
while (defined($ThisLine = <STDIN>)) {
   chomp($ThisLine);
   next if ($ThisLine eq '');
   # the format for ulogd/ulogd.syslogmenu and messages differ in that
   # the earlier has no service name after the date. So RemoveHeaders
   # doesn't work. Therefore, we extract it here:
   $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?//;
   # Format 1. Only the first two captures are used: $port receives the
   # destination host here and is reset to 0 straight after, and $on (the
   # destination port) is never read.
   if( ($TU,$from,$port,$on) = ( $ThisLine =~ /IP fw-in deny \w+ (\w+) ([^:]+):\d+ ([^:]+):(\d+) / ) ){
      # count hits per (type, source) and remember the largest count seen
      if($MaxNum < ++$TCPscan{$TU}{$from}) {
         $MaxNum = $TCPscan{$TU}{$from}
      }
      $port=0;
   } elsif ( ($chain,$action,$if,$proto,$fromip,$toip,$toport) = ( $ThisLine =~ /^Packet log: ([^ ]+) (\w+) (\w+) PROTO=(\d+) ([\d|\.]+):\d+ ([\d|\.]+):(\d+)/ ) ) {
      # Format 2: chain, action, interface, numeric protocol, src:port, dst:port.
      # (The '|' inside [\d|\.] is a literal character within the class, not alternation.)
      $actionType = lookupAction($action);
      $ipt{$actionType}{$if}{$fromip}{$toip}{$toport}{$proto}{"$chain,$if"}++;
   }
   # Format 3. $chain is whatever precedes "IN=" -- normally the --log-prefix
   # text. IN= and OUT= may be empty; SRC=/DST= accept IPv4 and IPv6 forms.
   elsif (($chain,$ifin,$ifout,$fromip,$toip,$proto,$rest) = ($ThisLine =~ /^(.*?)\s*IN=(\w*).*?OUT=(\w*).*?SRC=([\w\.:]+).*?DST=([\w\.:]+).*?PROTO=(\w+)(.*)/ )) {
      # get a destination port number (or icmp type) if there is one;
      # an ICMP TYPE= takes precedence over DPT=, and 0 is used when neither is present
      if (! ( ($toport) = ( $rest =~ /TYPE=(\w+)/ ) ) ) {
         if (! ( ($toport) = ( $rest =~ /DPT=(\w+)/ ) ) ) {
            $toport = 0;
         }
      }
      # get the action type
      $actionType = lookupAction($chain);
      # determine the dominant interface: IN= when present, otherwise OUT=.
      # The "none" substitutions only feed the commented-out key further down.
      if ($ifin =~ /\w+/ && $ifout =~ /\w+/) {
         $interface = $ifin;
      } elsif ($ifin =~ /\w+/) {
         $interface = $ifin;
         $ifout = "none";
      } else {
         $interface = $ifout;
         $ifin = "none";
      }
      # the log prefix, if any, is carried into the report as "(prefix) "
      if ($chain eq "") {
         $chain_info = "";
      } else {
         $chain_info = "(" . $chain . ") ";
      }
      # add the packet
      # NOTE(review): $chain_info is printed verbatim in the report. If text from
      # untrusted sources can reach the log this script reads (e.g. local users
      # via logger(1)), consider stripping control characters before output --
      # not verified here.
      # $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{"$chain,$ifin,$ifout"}++;
      $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{$chain_info}++;
   }
}
# ipfwadm scan warning (from the "IP fw-in deny" counts collected above)
# Print the scan warning only when at least one (type, source) pair exceeded
# $MaxFlood; within it, list just the sources that individually exceeded it.
if (keys %TCPscan and $MaxNum > $MaxFlood) {
   print "\nWarning: ipfwadm scan detected on:\n";
   for my $target (sort compStr keys %TCPscan) {
      print " $target from:\n";
      my $sources = $TCPscan{$target};
      for my $src (sort compStr keys %$sources) {
         next unless $sources->{$src} > $MaxFlood;
         print " " . LookupIP($src) . ": $sources->{$src} Time(s)\n";
      }
   }
}
# IPCHAINS / IPTABLES
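# Report for the ipchains / iptables branches. %ipt is keyed
#   action -> interface -> source -> destination -> port/type -> protocol -> chain info -> count
# and is printed as one section per (action, interface) pair. With $Detail > 0
# every destination and service is listed; otherwise each source gets a single
# summary line of the ports it hit.
#
# Fixes relative to the previous version:
#  * the "N <proto> ports" summary for long port lists never fired, because
#    `$#{ keys %h }` does not count the keys of a hash (and `$#{ $hashref }`
#    would have died had the branch been reached); it now uses the real count.
#  * a source hidden by $MinFilter no longer leaves its "To"/"Service" detail
#    lines in the report without the "From" header they belong to.
#  * protocols in the summary line are emitted in a fixed (sorted) order so
#    the report is deterministic from run to run.
if (keys %ipt) {
   foreach my $actionType (sort compStr keys %ipt) {
      foreach my $interface (sort compStr keys %{$ipt{$actionType}}) {
         my $outputMain = '';
         my $interfaceCount = 0;
         foreach my $fromip (sort SortIP keys %{$ipt{$actionType}{$interface}}) {
            my $outputSection = '';
            my $fromHostCount = 0;
            my $from = LookupIP($fromip);
            # protocol name -> { port -> hits }; only used for the summary line ($Detail == 0)
            my %port_list;
            foreach my $toip (sort SortIP keys %{$ipt{$actionType}{$interface}{$fromip}}) {
               my $toHostCount = 0;
               my $to = LookupIP($toip);
               my $outputServices = '';
               foreach my $toport (sort compNum keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}}) {
                  foreach my $proto (sort compStr keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}}) {
                     # ipchains logs the protocol as a number, iptables as a name
                     my $protoName = ($proto =~ /^\d+$/) ? lookupProtocol($proto) : lc($proto);
                     my $service = lookupService($toport, $protoName);
                     foreach my $details (sort keys %{$ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}}) {
                        my $packetCount = $ipt{$actionType}{$interface}{$fromip}{$toip}{$toport}{$proto}{$details};
                        $toHostCount += $packetCount;
                        if ($Detail > 0) {
                           $outputServices .= " Service: $service ($protoName/$toport) $details- $packetCount " . (($packetCount > 1) ? "packets\n" : "packet\n");
                        } else {
                           $port_list{$protoName}{$toport}++;
                        }
                     }
                  }
               }
               $fromHostCount += $toHostCount;
               if ($Detail > 0) {
                  $outputSection .= " To $to - $toHostCount " . (($toHostCount > 1) ? "packets\n" : "packet\n");
               }
               $outputSection .= $outputServices;
            }
            # The interface total counts every source, including those hidden below.
            $interfaceCount += $fromHostCount;
            if ($fromHostCount >= $MinFilter) {
               if ($Detail > 0) {
                  $outputMain .= " From $from - $fromHostCount " . (($fromHostCount > 1) ? "packets\n" : "packet\n");
               } else {
                  $outputMain .= " From $from - $fromHostCount " . (($fromHostCount > 1) ? "packets" : "packet") . " to " ;
                  foreach my $protocol (sort compStr keys %port_list) {
                     my @ports = sort compNum keys %{$port_list{$protocol}};
                     # collapse long port lists (typically a scan) to a count
                     if (@ports > 10) {
                        $outputMain .= scalar(@ports) . " $protocol ports ";
                     } else {
                        $outputMain .= "$protocol(" . join(",", @ports) . ") " ;
                     }
                  }
                  $outputMain .= "\n";
               }
               # per-destination detail belongs to this source: keep it with
               # the "From" header so filtered-out sources leave no orphan lines
               $outputMain .= $outputSection;
            }
         }
         print "\n$actionType $interfaceCount " . (($interfaceCount > 1) ? "packets" : "packet") . " on interface $interface\n";
         print $outputMain;
      }
   }
}
exit(0);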
# vi: shiftwidth=3 tabstop=3 syntax=perl et