Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Linux IPtables

 

The Linux IPtables DSM for JSA accepts firewall IPtables events by using syslog.

JSA records all relevant from Linux IPtables where the syslog event contains any of the following words: Accept, Drop, Deny, or Reject. Creating a customized log prefix in the event payload enables JSA to easily identify IPtables behavior.

Configuring IPtables

IPtables is a powerful tool, which is used to create rules on the Linux kernel firewall for routing traffic.

To configure IPtables, you must examine the existing rules, modify the rule to log the event, and assign a log identifier to your IPtables rule that can be identified by JSA. This process is used to determine which rules are logged by JSA. JSA includes any logged events that include the words: accept, drop, reject, or deny in the event payload.

  1. Using SSH, log in to your Linux Server as a root user.
  2. Edit the IPtables file in the following directory:

    /etc/iptables.conf

    Note

    The file that contains the IPtables rules can vary according to the specific Linux operating system you are configuring. For example, a system using Red Hat Enterprise has the file in the /etc/sysconfig/iptables directory. Consult your Linux operating system documentation for more information about configuring IPtables.

  3. Review the file to determine the IPtables rule you want to log.

    For example, if you want to log the rule that is defined by the entry, use:

    -A INPUT -i eth0 --dport 31337 -j DROP

  4. Insert a matching rule immediately before each rule you want to log:

    -A INPUT -i eth0 --dport 31337 -j DROP -A INPUT -i eth0 --dport 31337 -j DROP

  5. Update the target of the new rule to LOG for each rule you want to log,For example:

    -A INPUT -i eth0 --dport 31337 -j LOG -A INPUT -i eth0 --dport 31337 -j DROP

  6. Set the log level of the LOG target to a SYSLOG priority level, such as info or notice:

    -A INPUT -i eth0 --dport 31337 -j LOG --log-level info -A INPUT -i eth0 --dport 31337 -j DROP

  7. Configure a log prefix to identify the rule behavior. Set the log prefix parameter to :

    Q1Target=<rule>

    Where <rule> is one of the following: fw_accept, fw_drop, fw_reject, or fw_deny.

    For example, if the rule that is logged by the firewall targets dropped events, the log prefix setting is:

    Q1Target=fw_drop

    Note

    You must have a trailing space before the closing quotation mark.

  8. Save and exit the file.
  9. Restart IPtables using the following command:

    /etc/init.d/iptables restart

  10. Open the syslog.conf file.
  11. Add the following line:

    kern.<log level>@<IP address>

    Where:

    • <log level> is the previously set log level.

    • <IP address> is the IP address of JSA.

  12. Save and exit the file.
  13. Restart the syslog daemon by using the following command:

    /etc/init.d/syslog restart

    After the syslog daemon restarts, events are forwarded to JSA. IPtable events that are forwarded from Linux Servers are automatically discovered and displayed in the Log Activity tab of JSA.

Syslog Log Source Parameters for Linux IPtables

If JSA does not automatically detect the log source, add a Linux IPtables log source on the JSA Console by using the Syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from Linux IPtables:

Table 1: Syslog Log Source Parameters for the Linux IPtables DSM

Parameter

Value

Log Source type

Linux IPtables Firewall

Protocol Configuration

Syslog

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Linux IPtables firewall.