How to launch a user script when an iptables rule is matched

[Juglar]

Hi:

I have seen that it is possible to add an IP to an ipset set when an iptables rule is matched. Would it be similarly possible to launch a user script when an iptables rule is matched (maybe with a special kind of target)?

I suppose it could be done from a periodically (cron) run script which polls de ipset, but I would prefer an asyncronous triggering for not loading the cpu and responding faster.

Any idea?

Thanks.

 

[Martineau]

I have seen that it is possible to add an IP to an ipset set when an iptables rule is matched. Would it be similarly possible to launch a user script when an iptables rule is matched (maybe with a special kind of target)?

I suppose it could be done from a periodically (cron) run script which polls de ipset, but I would prefer an asyncronous triggering for not loading the cpu and responding faster.

Any idea?

Well there isn't a 'special target' as far as I am aware but I use a crude method to monitor Syslog messages for stalled VPN connections and run script ' /jffs/scripts/VPN_ClientSwitch.sh', so you too could use a custom chain so you can generate a crude trigger for the script

e.g. Custom IPTABLES chain

iptables --line -nvL RunScript99

Chain RunScript99 (0 references)
num   pkts bytes target     prot opt in     out     source               destination  
1        1   100 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW add-set WhitelistSRCPort src,dst
2        1   100 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG flags 0 level 0 prefix "RunScript99 "

and in Syslog

May  5 18:20:42 RT-AC68U kern.warn kernel: RunScript 99IN=eth0 OUT= MAC=ac:9e:17:7e:e4:a0:28:8a:1c:ea:be:72:08:00 SRC=88.247.165.238 DST=78.147.229.29 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61925 PROTO=TCP SPT=38937 DPT=23 WINDOW=36880 RES=0x00 SYN URGP=0

Then ensure you have a background never-ending monitoring script initiated from init-start which uses 'tail -f /tmp/syslog.log' (with or without the -s parameter to reduce CPU etc.) for instant reaction such as

/jffs/scripts/SyslogEventMonitor.sh &

#!/bin/sh

# Simple Syslog event monitor

Say(){
   /usr/bin/logger -st "($(basename $0))" $$ $@
}

# Define messages/counter....
VPN0001="(VPN WAN I/P"
VPN0001_CNT=0
MSG0001="RunScript99"
MSG0001_CNT=0

# Track the message events
tail -F /tmp/syslog.log | \
 while read SYSLOG
       do
 
   case "$SYSLOG" in
         *$VPN0001*)  # Feb 17 23:00:06 RT-AC68U user.warn (VPN_Client_Switch.sh): 12924 Client 1 connected via 10.200.195.10 (VPN WAN I/P ???) (NewYork)
          # If we have two consecutive matches then restart the appropriate VPN Client
          if [ -z "$(echo $SYSLOG | grep "???")" ];then
                VPN0001_CNT=0
          else
                VPN0001_CNT=$((1+$VPN0001_CNT))
                if [ $VPN0001_CNT -eq 2 ];then
                    VPN_ID=$(echo $SYSLOG | grep -oE "Client.*connected" | cut -d" " -f2)
                    Say "VPN Client" $VPN_ID "recovery initiated....."
                    if [ -f jffs/scripts/VPN_ClientSwitch.sh ];then
                        /jffs/scripts/VPN_ClientSwitch.sh $VPN_ID
                    else
                        service restart_vpnclient$VPN_ID
                    fi
                fi
          fi
          ;;
         *$MSG0001*)  # Execute 'Script99.sh' trigger message
               /jffs/scripts/Script99.sh
               ;;
         *)
          #echo $SYSLOG
          ;;
        esac
       done


# Runs forever???
 
exit 0

 

[Juglar]

Thank you very much, Martineau, for so detailed explanation. It is not as simple as I expected, but it gives me resolved the syslog monitoring, which could also be very useful for other purposes. I hope that file processing is light enough, for a file stored in ram.

Thanks,
Juglar

 

[Martineau]

I hope that file processing is light enough, for a file stored in ram.

If you mean /tmp/syslog.log ? ....on my router I have moved Syslog physically to the USB drive

l s -lah syslog.log
lrwxrwxrwx    1 admin    root          35 May  5 20:39 syslog.log -> /tmp/mnt/RT-AC68U/Syslog/syslog.log

Spoiler: USB Syslogs

cd /mnt/`nvram get model`/Syslog;l

BOOT_Errors.txt                          syslog.log-20170416-092038-BOOT.txt      syslog.log-20170419-120619_shutdown.txt  syslog.log-20170501-210133_shutdown.txt
MyCustomActions.txt                      syslog.log-20170416-092038_shutdown.txt  syslog.log-20170419-141841-BOOT.txt      syslog.log-20170501-210245.txt
syslog.log                               syslog.log-20170416-095058-BOOT.txt      syslog.log-20170419-141841_shutdown.txt  syslog.log-20170501-211629-BOOT.txt
syslog.log-20150801-010421-BOOT.txt      syslog.log-20170416-095058_shutdown.txt  syslog.log-20170419-183044-BOOT.txt      syslog.log-20170501-211629_shutdown.txt
syslog.log-20150801-010421_shutdown.txt  syslog.log-20170416-102908-BOOT.txt      syslog.log-20170419-183044_shutdown.txt  syslog.log-20170501-213036.txt
syslog.log-20150801-010422-BOOT.txt      syslog.log-20170416-102908_shutdown.txt  syslog.log-20170419-214241-BOOT.txt      syslog.log-20170501-213042.txt
syslog.log-20150801-010422_shutdown.txt  syslog.log-20170416-110143-BOOT.txt      syslog.log-20170419-214241_shutdown.txt  syslog.log-20170501-215505-BOOT.txt
syslog.log-20150801-010423-BOOT.txt      syslog.log-20170416-110143_shutdown.txt  syslog.log-20170419-231413-BOOT.txt      syslog.log-20170501-215505_shutdown.txt
syslog.log-20150801-010423_shutdown.txt  syslog.log-20170416-120827-BOOT.txt      syslog.log-20170419-231413_shutdown.txt  syslog.log-20170502-100607.txt
syslog.log-20170412-075703-BOOT.txt      syslog.log-20170416-120827_shutdown.txt  syslog.log-20170420-205615-BOOT.txt      syslog.log-20170502-101507-BOOT.txt
syslog.log-20170412-075703_shutdown.txt  syslog.log-20170416-142620-BOOT.txt      syslog.log-20170420-205615_shutdown.txt  syslog.log-20170502-101507_shutdown.txt
syslog.log-20170412-110313-BOOT.txt      syslog.log-20170416-142620_shutdown.txt  syslog.log-20170422-151008-BOOT.txt      syslog.log-20170502-113008-BOOT.txt
syslog.log-20170412-110313_shutdown.txt  syslog.log-20170416-144840-BOOT.txt      syslog.log-20170422-151008_shutdown.txt  syslog.log-20170502-113008_shutdown.txt
syslog.log-20170412-190637-BOOT.txt      syslog.log-20170416-144840_shutdown.txt  syslog.log-20170422-154317-BOOT.txt      syslog.log-20170503-105108-BOOT.txt
syslog.log-20170412-190637_shutdown.txt  syslog.log-20170416-151345-BOOT.txt      syslog.log-20170422-154317_shutdown.txt  syslog.log-20170503-105108_shutdown.txt
syslog.log-20170413-153222-BOOT.txt      syslog.log-20170416-151345_shutdown.txt  syslog.log-20170501-093950-BOOT.txt      syslog.log-20170503-151815.txt
syslog.log-20170413-153222_shutdown.txt  syslog.log-20170416-193000-BOOT.txt      syslog.log-20170501-093950_shutdown.txt  syslog.log-20170504-215451-BOOT.txt
syslog.log-20170413-165238-BOOT.txt      syslog.log-20170416-193000_shutdown.txt  syslog.log-20170501-094350.txt           syslog.log-20170504-215451_shutdown.txt
syslog.log-20170413-165238_shutdown.txt  syslog.log-20170417-225356-BOOT.txt      syslog.log-20170501-095841-BOOT.txt      syslog.log-20170505-062040.txt
syslog.log-20170414-082443-BOOT.txt      syslog.log-20170417-225356_shutdown.txt  syslog.log-20170501-095841_shutdown.txt  syslog.log-20170505-063505-BOOT.txt
syslog.log-20170414-082443_shutdown.txt  syslog.log-20170418-182017-BOOT.txt      syslog.log-20170501-145500-BOOT.txt      syslog.log-20170505-063505_shutdown.txt
syslog.log-20170414-150337-BOOT.txt      syslog.log-20170418-182017_shutdown.txt  syslog.log-20170501-145500_shutdown.txt  syslog.log-20170505-105005-BOOT.txt
syslog.log-20170414-150337_shutdown.txt  syslog.log-20170418-193736-BOOT.txt      syslog.log-20170501-150221-BOOT.txt      syslog.log-20170505-105005_shutdown.txt
syslog.log-20170414-204421-BOOT.txt      syslog.log-20170418-193736_shutdown.txt  syslog.log-20170501-150221_shutdown.txt  syslog.log-20170505-203916-BOOT.txt
syslog.log-20170414-204421_shutdown.txt  syslog.log-20170419-002130-BOOT.txt      syslog.log-20170501-151755-BOOT.txt      syslog.log-20170505-203916_shutdown.txt
syslog.log-20170415-005550-BOOT.txt      syslog.log-20170419-002130_shutdown.txt  syslog.log-20170501-151755_shutdown.txt
syslog.log-20170415-005550_shutdown.txt  syslog.log-20170419-120619-BOOT.txt      syslog.log-20170501-210133-BOOT.txt

 

[Juglar]

No, sorry. By "light" I was referring to execution time and CPU load. If the file were on disk, execution would probably result heavier. For space, I still have plenty of it in my router.

Thanks again.