The Linux IPtables DSM for JSA accepts firewall IPtables events by using syslog.
JSA records all relevant events from Linux IPtables where the syslog event payload contains any of the following words: Accept, Drop, Deny, or Reject. Creating a customized log prefix in the event payload enables JSA to identify IPtables behavior easily.
IPtables is a powerful tool, which is used to create rules on the Linux kernel firewall for routing traffic.
To configure IPtables, you must examine the existing rules, modify the rule to log the event, and assign a log identifier to your IPtables rule that JSA can recognize. This process determines which rules are logged by JSA. JSA includes any logged event whose payload contains the words accept, drop, reject, or deny.
- Using SSH, log in to your Linux Server as a root user.
- Edit the IPtables file in the following directory:
The file that contains the IPtables rules varies according to the Linux operating system you are configuring. For example, a system running Red Hat Enterprise Linux stores the rules in the /etc/sysconfig/iptables file. Consult your Linux operating system documentation for more information about configuring IPtables.
- Review the file to determine the IPtables rule you want to log.
For example, to log the rule defined by the following entry:
-A INPUT -i eth0 --dport 31337 -j DROP
- Insert a matching rule immediately before each rule you want to log:
-A INPUT -i eth0 --dport 31337 -j DROP
-A INPUT -i eth0 --dport 31337 -j DROP
- Update the target of the new rule to LOG for each rule you want to log. For example:
-A INPUT -i eth0 --dport 31337 -j LOG
-A INPUT -i eth0 --dport 31337 -j DROP
- Set the log level of the LOG target to a syslog priority level, such as info or notice:
-A INPUT -i eth0 --dport 31337 -j LOG --log-level info
-A INPUT -i eth0 --dport 31337 -j DROP
- Configure a log prefix to identify the rule behavior.
Set the log prefix parameter to:
Where <rule> is one of the following: fw_accept, fw_drop, fw_reject, or fw_deny.
For example, if the rule that is logged by the firewall targets dropped events, the log prefix setting is:
-A INPUT -i eth0 --dport 31337 -j LOG --log-level info --log-prefix "Q1Target=fw_drop "
-A INPUT -i eth0 --dport 31337 -j DROP
You must have a trailing space before the closing quotation mark.
- Save and exit the file.
- Restart IPtables using the following command:
- Open the
- Add the following line:
kern.<log level> @<IP address>
<log level> is the log level you set previously, and <IP address> is the IP address of JSA. Whitespace is required between the selector (kern.<log level>) and the forwarding action (@<IP address>).
- Save and exit the file.
- Restart the syslog daemon by using the following command:
After the syslog daemon restarts, events are forwarded to JSA. IPtables events that are forwarded from Linux servers are automatically discovered and displayed in the Log Activity tab of JSA.
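The following shell script is an added example and is not part of the JSA documentation. It carries the procedure above through in code: given an existing rule line it emits the LOG rule that must precede it (with the Q1Target prefix and the required trailing space), it prints the syslog selector line that forwards kernel messages to JSA, and it pulls the Q1Target keyword back out of a kernel log line of the kind the forwarder delivers. The helper names (jsa_prefix_for_target, jsa_log_rule, jsa_syslog_line, jsa_target_from_log), the JSA address 192.0.2.10 and the sample log line are all constructed for this example; the sample rule includes -p tcp because iptables only accepts --dport after a protocol match.

```shell
#!/bin/sh
# Added example, not from the JSA documentation. Helper names are my own.

# Map an iptables target to the Q1Target keyword JSA expects in the log prefix.
jsa_prefix_for_target() {
    case "$1" in
        ACCEPT) echo "fw_accept" ;;
        DROP)   echo "fw_drop" ;;
        REJECT) echo "fw_reject" ;;
        DENY)   echo "fw_deny" ;;
        *)      return 1 ;;   # unknown target: JSA has no keyword for it
    esac
}

# jsa_log_rule RULE [LEVEL]
# Print the LOG rule that must precede RULE, then RULE itself, so the pair can
# be pasted into the iptables rules file. LEVEL defaults to info.
jsa_log_rule() {
    local rule="$1" level="${2:-info}" target prefix match
    # The target is the word that follows -j.
    target=$(printf '%s\n' "$rule" | sed -n 's/.* -j \([A-Za-z]*\).*/\1/p')
    prefix=$(jsa_prefix_for_target "$target") || return 1
    # Everything before -j is the match part, reused unchanged for the LOG rule.
    match=$(printf '%s\n' "$rule" | sed 's/ -j .*$//')
    # The space before the closing quote is required by JSA.
    printf '%s -j LOG --log-level %s --log-prefix "Q1Target=%s "\n' \
        "$match" "$level" "$prefix"
    printf '%s\n' "$rule"
}

# jsa_syslog_line LEVEL JSA_IP
# Print the syslog.conf line that forwards kernel messages of the chosen
# priority to JSA. Selector and action are separated by a tab.
jsa_syslog_line() {
    printf 'kern.%s\t@%s\n' "$1" "$2"
}

# jsa_target_from_log LINE
# Extract the Q1Target keyword from a forwarded kernel log line; empty output
# means the line carries no JSA prefix and would not be classified.
jsa_target_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*Q1Target=\(fw_[a-z]*\) .*/\1/p'
}

# Demonstration on a constructed rule, a constructed JSA address and a
# constructed kernel log line.
jsa_log_rule "-A INPUT -i eth0 -p tcp --dport 31337 -j DROP" info
jsa_syslog_line info 192.0.2.10
jsa_target_from_log "Jan 10 10:00:00 fw1 kernel: Q1Target=fw_drop IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=31337"
```

Running the script prints the LOG/DROP pair ready to paste above the original rule, the kern.info forwarding line for the syslog configuration file, and fw_drop for the sample log line; a rule whose target has no JSA keyword (for example RETURN) makes jsa_log_rule return non-zero instead of emitting a prefix JSA would not recognize.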
Syslog Log Source Parameters for Linux IPtables
If JSA does not automatically detect the log source, add a Linux IPtables log source on the JSA Console by using the Syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from Linux IPtables:
Table 1: Syslog Log Source Parameters for the Linux IPtables DSM
Log Source type: Linux IPtables Firewall
Log Source Identifier: Type the IP address or host name of the log source as an identifier for events from your Linux IPtables firewall.