The Linux IPtables DSM for JSA accepts firewall IPtables events by using syslog.
JSA records all relevant events from Linux IPtables where the syslog event contains any of the following words: Accept, Drop, Deny, or Reject. Creating a customized log prefix in the event payload enables JSA to easily identify IPtables behavior.
IPtables is a powerful tool, which is used to create rules on the Linux kernel firewall for routing traffic.
To configure IPtables, you must examine the existing rules, modify the rule to log the event, and assign a log identifier to your IPtables rule that can be identified by JSA. This process is used to determine which rules are logged by JSA. JSA includes any logged events that include the words: accept, drop, reject, or deny in the event payload.
- Using SSH, log in to your Linux Server as a root user.
- Edit the IPtables rules file.
The file that contains the IPtables rules varies according to the Linux operating system you are configuring. For example, a system running Red Hat Enterprise Linux keeps the rules in the file /etc/sysconfig/iptables. Consult your Linux operating system documentation for more information about configuring IPtables.
- Review the file to determine the IPtables rule you want to log.
For example, to log the rule defined by the following entry:
-A INPUT -i eth0 --dport 31337 -j DROP
- Insert a matching rule immediately before each rule you want to log:
-A INPUT -i eth0 --dport 31337 -j DROP
-A INPUT -i eth0 --dport 31337 -j DROP
- Update the target of the new rule to LOG for each rule you want to log. For example:
-A INPUT -i eth0 --dport 31337 -j LOG
-A INPUT -i eth0 --dport 31337 -j DROP
- Set the log level of the LOG target to a syslog priority level, such as info or notice:
-A INPUT -i eth0 --dport 31337 -j LOG --log-level info
-A INPUT -i eth0 --dport 31337 -j DROP
- Configure a log prefix to identify the rule behavior.
Set the --log-prefix parameter to Q1Target=<rule>, where <rule> is one of the following: fw_accept, fw_drop, fw_reject, or fw_deny.
For example, if the rule that is logged by the firewall targets dropped events, the log prefix setting is:
-A INPUT -i eth0 --dport 31337 -j LOG --log-level info --log-prefix "Q1Target=fw_drop "
-A INPUT -i eth0 --dport 31337 -j DROP
You must have a trailing space before the closing quotation mark.
- Save and exit the file.
- Restart IPtables.
- Open the syslog configuration file.
- Add the following line:
kern.<log level>	@<IP address>
<log level> is the previously set log level.
<IP address> is the IP address of JSA.
- Save and exit the file.
- Restart the syslog daemon.
After the syslog daemon restarts, events are forwarded to JSA. IPtable events that are forwarded from Linux Servers are automatically discovered and displayed in the Log Activity tab of JSA.
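The following POSIX shell script is an added example; it is not part of the JSA documentation or of the iptables project. It builds the LOG rule that must sit immediately before an existing terminating rule (same match, LOG target, syslog priority, and the Q1Target=<rule> prefix with its trailing space), prints the syslog.conf-style forwarding selector, and, as a check, extracts the Q1Target keyword from a constructed kernel log line of the kind JSA parses. The function names, the sample event, the collector address 192.0.2.1, and the -p tcp match (which --dport requires in iptables) are assumptions; fw_deny has no iptables target of its own, so the script does not produce it.

```shell
#!/bin/sh
# Added example, not part of the JSA documentation or of iptables itself.
# Builds the LOG rule that must precede an existing terminating rule so the
# kernel emits a syslog event carrying the Q1Target=<rule> prefix JSA expects,
# and extracts that prefix back out of a kernel log line as a check.
# Assumptions: iptables-save/iptables-restore rule syntax, rules ending in
# "-j <TARGET>", and the function and sample names used below.

# Map a terminating iptables target to the JSA log-prefix keyword.
# (fw_deny has no iptables target of its own, so it is not produced here.)
jsa_prefix_for_target() {
    case "$1" in
        ACCEPT) echo "fw_accept" ;;
        DROP)   echo "fw_drop" ;;
        REJECT) echo "fw_reject" ;;
        *)      echo "jsa_prefix_for_target: unsupported target '$1'" >&2; return 1 ;;
    esac
}

# Print a LOG rule with the same match as the given rule, then the rule itself,
# in the order iptables must evaluate them. $2 is the syslog priority (default: info).
jsa_log_pair() {
    rule="$1"
    level="${2:-info}"
    target="${rule##*-j }"      # text after the last "-j "
    target="${target%% *}"      # drop target options such as --reject-with
    match="${rule% -j *}"       # everything before " -j "
    prefix=$(jsa_prefix_for_target "$target") || return 1
    # The trailing space inside the quotes is required by JSA.
    printf '%s -j LOG --log-level %s --log-prefix "Q1Target=%s "\n' "$match" "$level" "$prefix"
    printf '%s\n' "$rule"
}

# Print the syslog.conf-style selector that forwards kernel messages of the
# chosen priority to the JSA collector ($1 = priority, $2 = JSA IP address).
jsa_forward_line() {
    printf 'kern.%s\t@%s\n' "$1" "$2"
}

# Pull the Q1Target keyword out of a kernel log line; prints nothing if absent.
jsa_target_from_event() {
    printf '%s\n' "$1" | sed -n 's/.*Q1Target=\([a-z_]*\) .*/\1/p'
}

# Constructed sample kernel log line (not a real capture).
SAMPLE_EVENT='Jan 10 12:00:00 fw01 kernel: Q1Target=fw_drop IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP DPT=31337'

# Run with --demo to print the rule pair, the forwarding line, and the parsed keyword.
if [ "${1:-}" = "--demo" ]; then
    jsa_log_pair '-A INPUT -i eth0 -p tcp --dport 31337 -j DROP'
    jsa_forward_line info 192.0.2.1
    jsa_target_from_event "$SAMPLE_EVENT"
fi
```

Keep the generated LOG rule directly above the rule it mirrors; a LOG rule placed after a DROP or REJECT is never reached, and one placed after an earlier ACCEPT for the same traffic logs nothing either, so the pair must stay adjacent in chain order.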
Configuring a Log Source
JSA automatically discovers and creates log sources for IPtables syslog events that are forwarded from Linux Servers. The following steps for configuring a log source are optional.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click Add.
- In the Log Source Name field, type a name for your Linux Server.
- In the Log Source Description field, type a description for the log source.
- From the Log Source Type list, select Linux iptables Firewall.
- From the Protocol Configuration list, select Syslog.
- Configure the following values:

Table 1: Syslog Protocol Parameters

| Parameter | Description |
| --- | --- |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for IPtables events that are forwarded from your Linux Server. |
- Click Save.
- On the Admin tab, click Deploy Changes.
The configuration is complete. IPtables events that are forwarded from Linux Servers are automatically discovered and displayed in the Log Activity tab of JSA.
For more information about configuring IPtables on Linux Servers, consult the man pages or your associated Linux documentation.