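#!/bin/sh
# Follow /var/log/auth.log and, for every source address seen in an
# "invalid user" or "failed password for root" line, install nat-table rules
# that log that host's connections to port 22 and rewrite their destination
# to the host's own address.
#
# Usage: <script> OUR_ADDRESS
#   OUR_ADDRESS  address used as the SNAT source for the redirected traffic
#
# NOTE(review): there is no allowlist and rules are never removed, so an
# administrator who mistypes a user name or the root password is redirected
# too. Keep an out-of-band way in, and flush the nat rules when the script is
# retired.

us="$1"
if [ -z "$us" ]; then
  # Without it every SNAT rule would be built with an empty --to-source.
  echo "usage: $0 OUR_ADDRESS" >&2
  exit 2
fi

# Append a nat-table rule unless an identical one already exists.
# Arguments: chain name followed by the rule specification.
# Every matching log line used to append three more rules, so a single noisy
# host (or a restart, which replays the last five log lines) grew the table
# without bound. If this iptables lacks -C the check fails and the rule is
# simply appended, as before.
add_rule() {
  iptables -t nat -C "$@" 2>/dev/null || iptables -t nat -A "$@"
}

# Install the LOG, DNAT and SNAT rules for one source address.
# Arguments: $1 - source IPv4 address, $2 - TCP destination port
# Globals:   us (read)
hoist() {
  add_rule PREROUTING -p tcp -s "$1" --dport "$2" \
    -j LOG --log-prefix "hoist: " --log-level debug
  add_rule PREROUTING -p tcp -s "$1" --dport "$2" \
    -j DNAT --to-destination "$1:$2"
  add_rule POSTROUTING -p tcp -s "$1" \
    -j SNAT --to-source "$us"
}

# Succeed when the arguments contain one of the two auth.log patterns acted on.
# printf is used instead of echo so backslashes in the line are not interpreted.
match() {
  printf '%s\n' "$*" | grep -qi \
    -e 'invalid user [^ ]\+ from [0-9.]\+' \
    -e 'failed password for root from [0-9.]\+'
}

# Succeed when $1 has the shape of a dotted-quad IPv4 address.
# Shape check only; octet ranges are left to iptables to reject.
is_ipv4() {
  printf '%s\n' "$1" |
    grep -q '^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$'
}

tail -n 5 --follow=name --retry /var/log/auth.log |
while IFS= read -r LINE; do
  match "$LINE" || continue

  # The user name in these lines is chosen by the remote client. The greedy
  # ".*" makes sed take the LAST "from <addr>" on the line rather than one
  # embedded earlier in it.
  ip=$(printf '%s\n' "$LINE" | sed 's/^.*from \([0-9.]\+\).*$/\1/')

  # sed echoes the whole line back when its pattern does not match, and
  # "[0-9.]+" also accepts strings such as "..."; never hand those to iptables.
  is_ipv4 "$ip" || continue

  printf '%s: %s (%s)\n' "$(date)" "$ip" "$LINE" >> /var/log/petard.log
  hoist "$ip" 22
done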