# IP Tables State (iptstate)

Please see the LICENSE file for license information.

## WHAT IS IP TABLES STATE?

IP Tables State (iptstate) was originally written to implement the "state top"
feature of IP Filter (see "The Idea" below) in IP Tables. "State top" displays
the states held by your stateful firewall in a top-like manner.

Since IP Tables doesn't have a built-in way to easily display this information
even once, an option was added to just have it display the state table once.

Features include:

* Top-like realtime state table information
* Sorting by any field
* Reversible sorting
* Single display of state table
* Customizable refresh rate
* Display filtering
* Color-coding
* Open Source (specifically I'm using the zlib license)
* much more...

## PRE-INSTALLATION

Make sure you have some version of curses installed (for most users this is
probably ncurses). Note that if you are using vendor packages you will most
likely need the package with '-dev' on the end of it (e.g. ncurses-dev).

Starting with version 2.2.0 you also need libnetfilter_conntrack version 0.0.50
or later. These libraries also require nf_conntrack_netlink and nfnetlink
support in your kernel.
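
A pre-build check for the requirements listed above, as an added example that is not part of the original README. It assumes pkg-config metadata is installed for libnetfilter_conntrack and ncurses; the function names (`version_ge`, `kmod_present`, `preflight`) are hypothetical.

```shell
#!/bin/sh
# Added example: pre-build check for the requirements listed in the README.
# Function names are hypothetical; MIN_NFCT is the version the README states.
MIN_NFCT=0.0.50

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# kmod_present NAME [SYSDIR]: module is loaded (entry under SYSDIR) or, when
# checking the live system, at least known to modinfo. Heuristic only: support
# built into the kernel may show up in neither place.
kmod_present() {
    [ -d "${2:-/sys/module}/$1" ] && return 0
    [ -z "${2:-}" ] && command -v modinfo >/dev/null 2>&1 &&
        modinfo "$1" >/dev/null 2>&1
}

# preflight: report every unmet requirement, return non-zero if any is unmet.
preflight() {
    rc=0
    ver=$(pkg-config --modversion libnetfilter_conntrack 2>/dev/null) || ver=
    if [ -z "$ver" ]; then
        echo "libnetfilter_conntrack: not found via pkg-config"; rc=1
    elif ! version_ge "$ver" "$MIN_NFCT"; then
        echo "libnetfilter_conntrack $ver is older than $MIN_NFCT"; rc=1
    fi
    pkg-config --exists ncurses 2>/dev/null ||
        { echo "ncurses development files not found"; rc=1; }
    for m in nf_conntrack_netlink nfnetlink; do
        kmod_present "$m" || { echo "kernel module $m not found"; rc=1; }
    done
    return $rc
}

# Only run the checks when asked to, e.g. "sh preflight.sh --check".
if [ "${1:-}" = "--check" ]; then preflight; fi
```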

## INSTALLATION

### The quick version:

For most people the following should do all you need:

    make
    make install # this must be done as root

### The long version:

#### Configuration

The program is only one C++ source file, so the compile is very simple. For
this reason there is no config file. The defaults in the Makefile should be
fine, but if you want to change something you can change where iptstate gets
installed by changing the "SBIN" variable in your environment. I can't imagine
a reason but if you have 'install' installed in a weird place change the
INSTALL variable in your environment. Other than that nothing should need
tweaking. Obviously advanced users may wish to do other stuff, but we'll leave
that as an exercise to the reader.

#### Compiling

The compiling should be as simple as running 'make'. If this doesn't work, feel
free to drop me an email, BUT MAKE SURE you put "IPTSTATE:" in the subject. In
the email include: Distribution, kernel version, make version, gcc version,
libc version, and the error messages.

Package maintainers may wish to override CXXFLAGS, and can do so like so:

    # CXXFLAGS=-O3 make

and/or use "make strip" which will build iptstate and then strip it.

If you get errors like:

    iptstate.cc:286: passing `in_addr *' as argument
    1 of `gethostbyaddr(const char *, size_t, int)'

then you need to upgrade your glibc. This is an important thing to keep
up-to-date anyway.

#### Installing

IPTState installs in /usr/sbin. This is because it should be a utility for the
superuser. You need root access (or CAP_NET_ADMIN) for iptstate to get the data
it needs anyway. Installing should be as simple as 'make install' as root. If
this fails, feel free to do:

    # cp iptstate /usr/sbin/iptstate
    # chmod 755 /usr/sbin/iptstate
    # chown root:bin /usr/sbin/iptstate
    # cp iptstate.8 /usr/share/man/man8/iptstate.8
    # chmod 444 /usr/share/man/man8/iptstate.8

And that should do it. If 'make install' fails feel free to drop me an email
provided you put "IPTSTATE:" in the subject. Please see the BUGS file on how to
send proper bug reports.

## USAGE

IPTables State is extremely simple to use. Most of the time what you'll want is
just the command 'iptstate' as root. This will launch you into the 'statetop'
mode. In here, your state table is being sorted by Source IP. To change the
sorting on the fly, type 'b'. This will rotate through the various sorting
possibilities. You can quit by typing 'q'. You can also change the sorting with
the -b ("sort BY") option. The -b option takes d (Destination IP), D
(Destination Port), S (Source IP), p (protocol), s (state), and t (TTL) as its
possible options. To sort by Source IP, just don't specify -b.

You can also change the refresh rate of the statetop by -R followed by an
integer. The integer represents the refresh rate in seconds.

To get help, hit 'h' from within iptstate, or run iptstate with the '--help'
option.

To get a quick look at what's going across your firewall, try iptstate -1. This
is "single run" mode. It will just print out your state table at the moment you
requested it. This is where -b comes in handy. Again, the default sort is by
Source IP.

NOTE WELL: This is not meant to be a comprehensive guide. There are many other
features - check the man page, the -h option, and the interactive help page
within iptstate for more information. But this should give you the basics.

## DESIRED FEATURES

There is a list of features I plan and don't plan to implement in the WISHLIST
file.

## THE IDEA

The idea of statetop comes from IP Filter by Darren Reed.

This package's main purpose is to provide a state-top type interface for IP
Tables. I've added in the "single run" option since there's no nice way to do
that with IP Tables either.

## THE AUTHOR

IPTState was written by me, Phil Dibowitz. My day job is large-scale system
administration and automation. Outside of work I maintain several open source
projects. You can find out more about me at http://www.phildev.net/

Phil Dibowitz
phil AT ipom DOT com