box.iptables

Events from the logs generated by the Linux iptables firewall are labeled with the box.iptables tag.

When a packet matches a rule, that rule can be configured to log the match to the local syslog daemon.

When logging the event, iptables lets you configure two parameters:

  • Syslog level: the syslog level at which the event is logged (--log-level parameter).
  • Prefix: a prefix of up to 29 characters giving a brief description of what the rule means (--log-prefix parameter), e.g. Default Drop, Accept www, Drop DMZ1 SSH.

Log prefix

It is recommended to include additional words in the prefix indicating whether the packet is inbound or outbound, whether it was accepted or denied, and so on.

Make sure you add the prefix "IPTABLES " (keep the space at the end) to all the rules you want to log.

Prefix examples (always keeping the final space):

  • "IPTABLES ACCEPT INPUT "
  • "IPTABLES ACCEPT OUTPUT "
  • "IPTABLES DENY INPUT "
  • "IPTABLES DENY OUTPUT "
  • "IPTABLES DENY FORWARD "

Firewall policy example

See below an example iptables firewall policy where:

  • outgoing traffic is allowed
  • incoming traffic is denied (except SSH and PING)
  • both accepted and denied packets are logged

Basic IPTABLES policy

#!/bin/bash
IPTABLES=/sbin/iptables

# Delete previous fw config
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Default log & accept chains (one per direction, so the prefix names the right chain)
$IPTABLES -N logaccept
$IPTABLES -N logacceptOutput
$IPTABLES -A logaccept -j LOG --log-prefix "IPTABLES ACCEPT INPUT "
$IPTABLES -A logaccept -j ACCEPT
$IPTABLES -A logacceptOutput -j LOG --log-prefix "IPTABLES ACCEPT OUTPUT "
$IPTABLES -A logacceptOutput -j ACCEPT

# Stateful rules
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local traffic
$IPTABLES -A INPUT  -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT

# Allow outbound traffic
$IPTABLES -A OUTPUT -m state --state NEW -j logacceptOutput

# Allow inbound traffic
# Remote SSH access
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j logaccept
# Allow PING (ICMP ECHO); OUTPUT rules go through logacceptOutput so they carry the OUTPUT prefix
$IPTABLES -A INPUT  -p icmp --icmp-type echo-request -j logaccept
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j logacceptOutput
$IPTABLES -A INPUT  -p icmp --icmp-type echo-reply   -j logaccept
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply   -j logacceptOutput

##################
# DEFAULT POLICY #
##################
# Default log & deny rule for any traffic not allowed before
$IPTABLES -A INPUT   -j LOG --log-level info --log-prefix "IPTABLES DENY INPUT "
$IPTABLES -A INPUT   -j DROP
$IPTABLES -A OUTPUT  -j LOG --log-level info --log-prefix "IPTABLES DENY OUTPUT "
$IPTABLES -A OUTPUT  -j DROP
$IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "IPTABLES DENY FORWARD "
$IPTABLES -A FORWARD -j DROP
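The rsyslog filters described later on this page select messages by the "IPTABLES " prefix, so a LOG rule with no prefix, a prefix without the trailing space, or a prefix longer than the 29-character limit produces events that are either not forwarded or run into the IN=/OUT= fields. The Python script below is an added example, not part of the Devo documentation or of the policy script above: it audits a ruleset in iptables-save format against the conventions from the "Log prefix" section. The sample ruleset is constructed for the example; the hypothetical audit codes (missing-prefix, bad-start, no-trailing-space, too-long) are this example's own.

```python
import shlex

REQUIRED_PREFIX = "IPTABLES "   # prefix the page asks for on every logged rule
MAX_PREFIX_LEN = 29             # --log-prefix limit stated on the page

# Constructed iptables-save style ruleset for the example (not from a real host).
# The first two LOG rules follow the convention; each of the others breaks it in one way.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:logaccept - [0:0]
-A logaccept -j LOG --log-prefix "IPTABLES ACCEPT INPUT "
-A INPUT -j LOG --log-level 6 --log-prefix "IPTABLES DENY INPUT "
-A OUTPUT -j LOG --log-prefix "IPTABLES DENY OUTPUT"
-A FORWARD -j LOG --log-prefix "IPTABLES DENY FORWARD FROM DMZ1 TO LAN "
-A OUTPUT -p udp --dport 53 -j LOG --log-prefix "FW DENY OUTPUT "
-A INPUT -p tcp --dport 23 -j LOG
-A INPUT -j DROP
COMMIT
"""


def parse_rule(rule):
    """Return (target, log_prefix) for one iptables-save rule line.

    shlex keeps the quoted prefix intact, including its trailing space.
    """
    tokens = shlex.split(rule)
    target = prefix = None
    if "-j" in tokens and tokens.index("-j") + 1 < len(tokens):
        target = tokens[tokens.index("-j") + 1]
    if "--log-prefix" in tokens and tokens.index("--log-prefix") + 1 < len(tokens):
        prefix = tokens[tokens.index("--log-prefix") + 1]
    return target, prefix


def audit_log_rules(save_text):
    """Return [(rule, code)] for every LOG rule that breaks the prefix convention."""
    findings = []
    for line in save_text.splitlines():
        if not line.startswith(("-A", "-I")):
            continue                        # table headers, chain policies, COMMIT
        target, prefix = parse_rule(line)
        if target != "LOG":
            continue
        if prefix is None:
            findings.append((line, "missing-prefix"))      # rsyslog cannot route it
        elif not prefix.startswith(REQUIRED_PREFIX):
            findings.append((line, "bad-start"))           # startswith filter misses it
        elif not prefix.endswith(" "):
            findings.append((line, "no-trailing-space"))   # prefix runs into "IN="
        elif len(prefix) > MAX_PREFIX_LEN:
            findings.append((line, "too-long"))            # iptables truncates it
    return findings


if __name__ == "__main__":
    import sys
    # Pipe `iptables-save` into the script; with no stdin it audits the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for rule, code in audit_log_rules(text):
        print(f"{code}: {rule}")
```

Run it as `iptables-save | python3 audit_prefixes.py` on the host; an empty report means every LOG rule will be picked up by the startswith filter and its prefix will not be truncated or glued to the first field.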

rsyslog configuration

The logging parameters provided by iptables let you add a prefix to the message and choose its syslog level, but they do not let you define a syslog tag.

To tag the log as box.iptables and send it to Devo, use the rsyslog configuration file below.

Note that you have to replace LOGTRUST-RELAY and PORT with your Devo relay server and port.

/etc/rsyslog.d/40-iptables.conf File

$template iptables,"<%PRI%>%timegenerated% %HOSTNAME% box.iptables.kernel: %msg%"

# SSL config for logtrust secure relay
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector

:msg, startswith, "IPTABLES " @@LOGTRUST-RELAY:PORT;iptables
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] IPTABLES " @@LOGTRUST-RELAY:PORT;iptables
& ~
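The two property-based filters in this file decide which kernel messages reach the relay: the first matches a %msg% that starts with the prefix directly, the second allows for the "[ seconds.micros] " kernel timestamp some systems put in front of it. As an added example (not code from Devo or from the rsyslog project), the Python script below re-creates those two filters so you can check offline which messages would be forwarded, and then parses the forwarded messages into the prefix words (ACCEPT/DENY, chain) and the KEY=VALUE fields the iptables LOG target emits. The sample %msg% values are constructed for the example using documentation IP ranges; the summarize function and its output shape are this example's own.

```python
import re

# The two rsyslog filters from 40-iptables.conf, re-expressed in Python.
STARTS_WITH = "IPTABLES "
KERNEL_TS_RE = re.compile(r"^\[ *[0-9]*\.[0-9]*\] IPTABLES ")

# iptables LOG output is KEY=VALUE pairs; bare tokens such as DF or SYN are flags.
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample values of rsyslog's %msg% property (not real traffic):
# a DENY with kernel timestamp, an ACCEPT, a FORWARD deny, and an unrelated kernel line.
SAMPLE_MSGS = [
    "[ 1234.567890] IPTABLES DENY INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0",
    "IPTABLES ACCEPT INPUT IN=eth0 OUT= SRC=192.0.2.25 DST=192.0.2.10 LEN=60 PROTO=TCP "
    "SPT=40210 DPT=22 SYN URGP=0",
    "IPTABLES DENY FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=84 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=4 SEQ=1",
    "[  987.000001] usb 1-1: new high-speed USB device number 3",
]


def selected_by_rsyslog(msg):
    """True if either filter line in 40-iptables.conf would forward this %msg%."""
    return msg.startswith(STARTS_WITH) or KERNEL_TS_RE.match(msg) is not None


def parse_iptables_msg(msg):
    """Split a forwarded message into prefix words and LOG fields/flags."""
    body = KERNEL_TS_RE.sub(STARTS_WITH, msg, count=1)   # strip the kernel timestamp
    first = FIELD_RE.search(body)                        # first KEY=VALUE, normally IN=
    if first is None:
        head, rest = body, ""
    else:
        head, rest = body[:first.start()], body[first.start():]
    words = head.split()                                 # e.g. ["IPTABLES", "DENY", "INPUT"]
    return {
        "action": words[1] if len(words) > 1 else None,  # ACCEPT / DENY
        "chain": words[2] if len(words) > 2 else None,   # INPUT / OUTPUT / FORWARD
        "fields": dict(FIELD_RE.findall(rest)),
        "flags": [tok for tok in rest.split() if "=" not in tok],
    }


def summarize(msgs):
    """Count forwarded messages per (action, chain), skipping anything rsyslog drops."""
    counts = {}
    for msg in msgs:
        if not selected_by_rsyslog(msg):
            continue
        parsed = parse_iptables_msg(msg)
        key = (parsed["action"], parsed["chain"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for msg in SAMPLE_MSGS:
        if selected_by_rsyslog(msg):
            p = parse_iptables_msg(msg)
            print(p["action"], p["chain"], p["fields"].get("SRC"), "->",
                  p["fields"].get("DST"), p["fields"].get("PROTO"), p["fields"].get("DPT"))
        else:
            print("dropped by rsyslog filters:", msg[:40])
    print(summarize(SAMPLE_MSGS))
```

The unrelated USB line shows why the regex is anchored on "] IPTABLES " rather than on the bracketed timestamp alone: without the prefix check, every kernel message with a timestamp would be forwarded to the relay under the box.iptables tag.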
