summary

A suite of awk and bash scripts that analyse iptables firewall log files and summarise the data as a plain-text report. See junkshow to view a summary of this machine's firewall activity; the about page has some general documentation about the project and brief information about the author.

download

archive
grab the latest tarball to see files not live-linked in this section. These scripts and example files are copyrighted material licensed under version 2 of the GPL.

files

readme
the README file; project background documentation is on the about page.
junkshow
cron job example: bash script called by cron each hour to produce the iptables analysis data for the junkshow web page. Example root crontab entry:

# run junkshow at 3 past each hour
3 * * * * /usr/local/bin/junkshow > /dev/null
#
junkview
awk program to create summary data from log files — stable. Standalone operation is back. Documentation is patchy; see the README, the header comments in junkview and the commentary in junkview.conf. A tutorial discussing the interaction of the iptables logger and junkview is planned.
junkview.conf
junkview suite configuration example
install
run install as root; the install process writes an uninstall script to /usr/local/sbin/junkview-uninstall.sh
rc.junkview
bash start|stop|restart script for the optional ip2c-server
ip2cn-server
database server daemon that speeds up junkview ad-hoc queries by eliminating the database load delay. The new ip2cn-server is written in perl and uses a sockets interface, so access locking is no longer required. See the ip2cn-server page for more information.
ccfind
bash script to query ip2cn-server
junkview-update-database
bash script to acquire the required data source files
pre-filter
bash script to select and stream a set of log files into junkview. For example, to produce a report for the last three months' firewall activity, use this filter:

# pre-filter -90 | junkview
ip2c-names
a country code to country name lookup table, compiled from various sources
a little ditty to see what's in the 'recent' list
for those using the iptables --recent match with the classify-text example, try:
$ for x in /proc/net/ipt_recent/*; do echo $(basename $x); cat $x; done

data sources

http://software77.net/
Provides a CIDR block to country database, used with junkview until late 2007, when we changed to sourcing the data directly from the six regional registries: afrinic, apnic, arin, iana, lacnic and ripe.
ftp://bugsplatter.id.au/junkview/junkview-data.tar.lzma
Database download for junkview is now available; this version includes non-allocated and unassigned (bogon) block information. It uses lzma compression because otherwise the tarball is too large to host from this site (the data tarball is more than twice the size when bzip2 compression is used).
Includes the ip2c-data and ip2c-names files, an ER diagram is shown on the firewall tools page.
lzma compression tools
lzma compression is known in the Windows world as 7zip; see the firewall tools page for links to download lzma tools.