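#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# modwall module "syncapture".
#
# Jumps every TCP packet that has the SYN flag set (INPUT except from the
# loopback interface, FORWARD and OUTPUT) into the $Me chain, whose single
# rule hands the packet to userspace (ULOG unless DefaultActions is
# overridden) so SYN and SYN/ACK traffic can be recorded.  Which of the
# actions below run is decided by $Tasks, a space separated list set by the
# modwall framework before this module is executed.
#
# Names that come from the sourced configuration files and from modwalllib
# rather than from this file: Tasks, IptablesBin, Ipt, AppIn, Tail, MWLibDir,
# MWLibVer, FlushOrNewChain, DestroyChain, DefaultHelp.

Me='syncapture'
MyVersion='0.4.0'
DefaultActions='ULOG'

# The configuration files are sourced, i.e. executed with this script's
# privileges (normally root), so they must not be writable by anyone else.
[ -r /etc/modwall/modwall.conf ] && . /etc/modwall/modwall.conf
[ -r "/etc/modwall/$Me.conf" ] && . "/etc/modwall/$Me.conf"
[ -r "${MWLibDir:-/usr/lib/modwall/}/modwalllib" ] && . "${MWLibDir:-/usr/lib/modwall/}/modwalllib"

if [ -z "$MWLibVer" ]; then
  echo 'It looks like modwalllib was not loaded, why? Exiting' >&2
  exit 1
fi

# Match shared by every link/unlink/replace rule: TCP with SYN set.  INPUT
# additionally skips loopback.  "-i ! lo" is the intrapositioned negation the
# original used; current iptables spells it "! -i lo" and only warns about
# the old form.
SynMatch=(-p tcp --tcp-flags SYN SYN)
NotLo=(-i '!' lo)

#######################################
# Print the rule numbers in builtin chain $1 whose target is chain $2, one per
# line (nothing when there is no such rule).  -F -w keep a name such as
# "syncapture-12" from also matching "syncapture-123".
# Globals:   IptablesBin (read)
# Arguments: $1 - builtin chain (INPUT, FORWARD, OUTPUT); $2 - target chain
# Outputs:   rule numbers on stdout
#######################################
chain_refs() {
  $IptablesBin -L "$1" -n --line-numbers | grep -F -w -- "$2" | awk '{print $1}'
}

# $Tasks is word-split on purpose: one action per word.
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    # -N fails harmlessly when the chain already exists.
    $IptablesBin -N "$Me" >/dev/null 2>&1
    # $AppIn is the append/insert option chosen by modwalllib; it is left
    # unquoted in case it carries more than one word -- TODO confirm.
    $IptablesBin $AppIn INPUT "${NotLo[@]}" "${SynMatch[@]}" -j "$Me"
    $IptablesBin $AppIn FORWARD "${SynMatch[@]}" -j "$Me"
    $IptablesBin $AppIn OUTPUT "${SynMatch[@]}" -j "$Me"
    ;;
  unlink)
    # Remove the jumps first; -X only succeeds once nothing references $Me.
    $IptablesBin -D INPUT "${NotLo[@]}" "${SynMatch[@]}" -j "$Me"
    $IptablesBin -D FORWARD "${SynMatch[@]}" -j "$Me"
    $IptablesBin -D OUTPUT "${SynMatch[@]}" -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # $Ipt and $Tail are built by modwalllib (Tail presumably from
    # DefaultActions); both may be several words, so they stay unquoted.
    LogAs='Syncapture' $Ipt -A "$Me" $Tail
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Park the current rules under a temporary name so a new $Me can be
    # built while the builtin chains keep jumping to the old rules.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    # Runs after "renamechain" and "create": point the builtin chains at the
    # rebuilt $Me and drop the temporary copy.
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    else
      # Look each rule number up once and reuse it for -R, instead of listing
      # the chain again between the sanity check and the replacement.
      InRule=$(chain_refs INPUT "$TempChain")
      FwdRule=$(chain_refs FORWARD "$TempChain")
      OutRule=$(chain_refs OUTPUT "$TempChain")
      # Exactly one reference yields exactly one number; zero or several
      # references (empty or multi-line output) fail the pattern.
      if ! [[ "$InRule" =~ ^[0-9]+$ ]]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif ! [[ "$FwdRule" =~ ^[0-9]+$ ]]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif ! [[ "$OutRule" =~ ^[0-9]+$ ]]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        $IptablesBin -R INPUT "$InRule" "${NotLo[@]}" "${SynMatch[@]}" -j "$Me"
        $IptablesBin -R FORWARD "$FwdRule" "${SynMatch[@]}" -j "$Me"
        $IptablesBin -R OUTPUT "$OutRule" "${SynMatch[@]}" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, modwalllib $MWLibVer" >&2
    ;;
  help)
    DefaultHelp
    cat <<EOTEXT >&2
The $Me module sends all packets with SYN set up to userspace to be stored in a libpcap file (or wherever ulogd decides to send it). This will capture SYN and SYN/ACK packets that tools like p0f and ettercap like to do their OS fingerprinting, as well as providing the firewall administrator with essentially enough packet logging to be able to reconstruct all TCP connection attempts (both successful and not). Note that the third packet of a three way handshake is not saved to the pcap file. In addition to the normal SYN and SYN/ACK packets, this will capture _any_ packets with the SYN bit set, including SYN/FIN, SYN/RST, etc. If Ulogd is not running or not available, you will probably want to change the default action to LOG (but remember that the rate limiting used on LOG may lose some events). This module carries a small risk of filling up your log drive if you come under attack.
With that warning, it should be safe to use otherwise.
EOTEXT
    ;;
  *)
    # The loop variable is $OneTask; the original reported an unrelated
    # (usually empty) $Action here.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done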