Blob Blame History Raw
# IP Tables State (iptstate)

Please see the LICENSE file for license information.


IP Tables State (iptstate) was originally written to implement the "state top"
feature of IP Filter (see "The Idea" below) in IP Tables. "State top" displays
the states held by your stateful firewall in a top-like manner.

Since IP Tables doesn't have a built in way to easily display this information
even once, an option was added to just have it display the state table once.
Features include:
* Top-like realtime state table information
* Sorting by any field
* Reversible sorting
* Single display of state table
* Customizable refresh rate
* Display filtering
* Color-coding
* Open Source (specifically I'm using the zlib license)
* much more...

Make sure you have some version of curses installed (for most users this is
probably ncurses). Note that if you are using vendor packages you will most
likely need the packaged with '-dev' on the end of of it (i.e. ncurses-dev).

Starting with version 2.2.0 you also need libnetfilter_conntrack version 0.0.50
or later. These libraries also require nf_conntrack_netlink and nfnetlink
support in your kernel.


### The quick version:

For most people the following should do all you need:

    make install # this must be done as root

### The long version:

#### Configuration

The program is only one c++ source file, so the compile is very simple. For
this reason there is no config file.  The defaults in the Makefile should be
fine, but if you want to change something you can change where iptstate gets
installed by changing the "SBIN" variable in your environment. I can't imagine
a reason but if you have 'install' installed in a weird place change the
INSTALL variable in your environment. Other than that nothing should need
tweaking. Obviously advanced users may wish to do other stuff, but we'll leave
that as an excersize to the reader.

#### Compiling

The compiling should be as simple as running 'make.' If this doesn't work, feel
free to drop me an email, BUT MAKE SURE you put "IPTSTATE:" in the subject. In
the email include: Distribution, kernel version, make version, gcc version,
libc version, and the error messages.

Package maintainers may wish to override CXXFLAGS, and can do so like so:

    # CXXFLAGS=-O3 make

and/or use "make strip" which will build iptstate and then strip it.

If you get errors like: passing `in_addr *' as argument
    1 of `gethostbyaddr(const char *, size_t, int)'

then you need to upgrade your glibc. This is an important thing to keep
up-to-date anyway.

#### Installing

IPTState installs in /usr/sbin. This is because it should be a utility for the
superuser. You need root access (or CAP_NET_ADMIN) for iptstate to get the data
it needs anyway.  Installing should be as simple as 'make install' as root. If
this fails, feel free to do:

    # cp iptstate /usr/sbin/iptstate
    # chmod 755 /usr/sbin/iptstate
    # chown root:bin /usr/sbin/iptstate
    # cp iptstate.8 /usr/share/man/man8/iptstate.8
    # chmod 444 /usr/share/man/man1/iptstate.8

And that should do it. If 'make install' fails feel free to drop me an email
provided you put "IPTSTATE:" in the subject. Please see the BUGS file on how to
send proper bug reports.


IPTables State is extremely simple to use. Most of the time what you'll want is
just the command 'iptstate' as root. This will launch you into the 'statetop'
mode. In here, your state table is being sorted by Source IP. To change the
sorting, on the fly, type 'b.' This will rotate through the various sorting
possibilities. You can quit by typing 'q.' You can also change the sorting with
the -b ("sort BY") option. The -b option takes d (Destination IP), D
(Destination Port), S (Source IP), p (protocol), s (state), and t (TTL) as it's
possible options.  To sort by Source IP, just don't specify -b.

You can also change the refresh rate of the statetop by -R followed by an
integer. The integer represents the refresh rate in seconds.

To get help, hit 'h' from withint iptstate, or run iptstate with the '--help'

To get a quick look at what's going across your firewall, try iptstate -1. This
is "single run" mode. It will just print out your state table at the moment you
requested it. This is where -b comes in handy. Again, the default sort is by
Source IP.

NOTE WELL: This is not meant to be a comprehensive guide. There are many other
features - check the man page, the -h option, and the interactive help page
within iptstate for more information. But this should give you the basics.


There is a list of features I plan and don't plan to implement in the WISHLIST


The idea of statetop comes from IP Filter by Darren Reed.

This package's main purpose is to provide a state-top type interface for IP
Tables. I've added in the "single run" option since there's no nice way to do
that with IP Tables either.


IPTState was written by me, Phil Dibowitz. My day job is large-scale system
administration and automation. Outside of work I maintain several open source
projects. You can find out more about me at

Phil Dibowitz
phil AT ipom DOT com