Re: Run a userspace script upon rule matching?

On 08.03.2012 23:02, Andrew Beverley wrote:
> On Thu, 2012-03-08 at 22:47 +0100, tobi wrote:
>> okay more details about my intention: I got a script that checks some
>> logs and acts upon violation by adding IPs to a separate chain via
>> iptables -A OFFENDERS -s IP -j DROP. So such IPs get blocked. Now I
>> thought about how could I find out if IPs from OFFENDERS come again. So
>> I put another chain to iptables (before the OFFENDERS), put the IPs from
>> OFFENDERS and set the log target for each rule. But then I need a script
>> that reads the logs and searches for IPs from OFFENDERS. Too complex for
>> me :-)
>> So I thought it should somehow be possible to achieve that quite easily IF
>> I could add a script to be executed when a rule (that now goes to log
>> target) matches. That's where I stand now :-)
>> All I "need" would be a way to execute a simple mailx command with the
>> offending IP and send a mail to myself
> Okay, a few ideas then:
>
> 1. Log the packets with a specific prefix, and use rsyslog with the Mail
> Output Module and relevant configuration to alert you to such logs:
That's how I actually do it: log it with a prefix, I just use syslog-ng
>
> http://www.rsyslog.com/doc/ommail.html
>
> 2. Use ULOGD. Never really used it myself, but you might be able to
> create some sort of userspace program that alerts you.
I tried to find information on whether ULOGD can really execute external commands. To me it sounds more like logging to databases. But while googling for ULOGD I found spectre, which seems to have a built-in plugin EXEC which can run commands. I will give spectre the first chance and if it's not working I'll try with ULOGD
> 3. Log the IP addresses to an IPSET, and use a cron job to check the
> list of IP addresses in the set.
>
> Just thoughts, but hopefully one of the above will work.
>
> Andy


Thanks a lot for your ideas. I think I can somehow achieve it, although I do not know for sure which way to take. First I'll try spectre.

Cheers

tobi
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
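The "script that reads the logs and searches for IPs from OFFENDERS" that the thread calls too complex is in fact small. The following is an added example, not code from the thread or from any of the tools named in it (rsyslog, syslog-ng, ulogd, spectre). It implements Andy's idea 1 in plain shell: the OFFENDERS chain logs matching packets with a fixed prefix via iptables' real LOG target, and the script extracts the SRC= field from those lines and mails it. The prefix "OFFENDERS: ", the log path /var/log/kern.log, the recipient and the sample log lines are assumptions chosen for this example; the matching rule would be `iptables -I OFFENDERS 1 -j LOG --log-prefix "OFFENDERS: "`.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): watch netfilter LOG lines
# carrying an agreed prefix, pull out the SRC= address and mail it.
# Assumptions: the prefix, the kernel log path and the recipient below,
# plus a working mailx. The rule writing the lines would be:
#   iptables -I OFFENDERS 1 -j LOG --log-prefix "OFFENDERS: "

LOG_PREFIX="OFFENDERS: "      # assumption: prefix used in the LOG rule
MAIL_TO="root"                # assumption: who gets the alert
KERN_LOG="/var/log/kern.log"  # assumption: where the kernel log ends up

# src_from_line: print the SRC= address (IPv4 or IPv6) of one LOG line,
# nothing if the line carries none.
src_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9a-fA-F.:]*\).*/\1/p'
}

# extract_repeat_offenders: read log lines on stdin, keep only prefixed
# ones, print each distinct SRC= address once, sorted.
extract_repeat_offenders() {
    grep -F -- "$LOG_PREFIX" \
    | sed -n 's/.*SRC=\([0-9a-fA-F.:]*\).*/\1/p' \
    | sort -u
}

# count_hits: same input, prints "<ip> <count>" per address so a cron-style
# summary can say how often each blocked host came back.
count_hits() {
    grep -F -- "$LOG_PREFIX" \
    | sed -n 's/.*SRC=\([0-9a-fA-F.:]*\).*/\1/p' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# report_batch: body text of a summary mail, one line per offender.
report_batch() {
    count_hits | awk '{ printf "%s hit the OFFENDERS chain %s time(s)\n", $1, $2 }'
}

# watch_live: streaming variant for tail -F. No sort/uniq here, because
# those wait for end of input and would never fire on a growing log.
# One mail per matching line.
watch_live() {
    while read -r line; do
        case "$line" in
            *"$LOG_PREFIX"*)
                ip=$(src_from_line "$line")
                [ -n "$ip" ] || continue
                printf '%s\n' "$line" | mailx -s "repeat offender $ip" "$MAIL_TO"
                ;;
        esac
    done
}

# Constructed sample in the format the netfilter LOG target writes; the
# addresses are documentation ranges, not real hosts. The second line has
# no prefix and must be ignored.
SAMPLE_LOG='Mar  8 22:47:01 fw kernel: OFFENDERS: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=44322 DPT=22
Mar  8 22:47:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=80
Mar  8 22:47:05 fw kernel: OFFENDERS: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
Mar  8 22:47:09 fw kernel: OFFENDERS: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=UDP DPT=53'

case "${1:-}" in
    --live)  tail -F "$KERN_LOG" | watch_live ;;                               # follow the log
    --cron)  report_batch < "$KERN_LOG" | mailx -s "OFFENDERS summary" "$MAIL_TO" ;;  # periodic summary
    *)       printf '%s\n' "$SAMPLE_LOG" | report_batch ;;                     # offline demo on the sample
esac
```

`--live` gives the per-packet mail tobi asked for; `--cron` is the batch variant closest to Andy's idea 3, just reading the log instead of an ipset. Since every packet from a blocked host produces a log line, a scanning host can generate a lot of mail, so the LOG rule in the OFFENDERS chain is best combined with the standard `-m limit --limit` match, and the cron summary is the safer default for a busy box.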

