Linux IPtables
The Linux IPtables DSM for JSA accepts firewall IPtables events by using syslog.
JSA records all relevant events from Linux IPtables where the syslog event payload contains any of the following words: Accept, Drop, Deny, or Reject. Creating a customized log prefix in the event payload enables JSA to easily identify the IPtables action. The prefix matters because the kernel LOG target records the packet headers but not the verdict of the rule that follows it, so the prefix is the only part of the event that states whether the packet was accepted, dropped, or rejected.
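The following script is an added example and is not code from the JSA documentation or from Juniper. It classifies kernel LOG lines the way a collector must, taking the action from the Q1Target prefix and the packet details from the KEY=VALUE fields, and shows that a line logged without the prefix cannot be assigned an action at all. The three log lines, the host name fw1 and all addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the JSA documentation): classify kernel LOG lines by
# the Q1Target prefix. The kernel records packet headers but not the verdict,
# so a line without a recognised prefix is reported as "unknown".
# All log lines, hosts and addresses below are constructed for this example.

# Print the value of one KEY=VALUE field from a kernel LOG line, or nothing.
# $1 = line, $2 = key. The leading whitespace match keeps SPT from matching DPT.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Classify one line: prints "<action> <src> <dst> <proto> <dpt>".
# The action is taken from the prefix values the DSM expects:
# fw_accept, fw_drop, fw_reject or fw_deny (each followed by the required space).
classify() {
    line="$1"
    case "$line" in
        *"Q1Target=fw_accept "*) action=accept ;;
        *"Q1Target=fw_drop "*)   action=drop ;;
        *"Q1Target=fw_reject "*) action=reject ;;
        *"Q1Target=fw_deny "*)   action=deny ;;
        *)                       action=unknown ;;
    esac
    printf '%s %s %s %s %s\n' "$action" "$(field "$line" SRC)" \
        "$(field "$line" DST)" "$(field "$line" PROTO)" "$(field "$line" DPT)"
}

# Count events per action over a stream of log lines read from stdin.
count_actions() {
    while IFS= read -r l; do classify "$l"; done \
        | awk '{ c[$1]++ } END { for (a in c) print a, c[a] }' | sort
}

# Constructed sample: two prefixed events and one logged without a prefix.
SAMPLE_LOG='Jan 12 10:00:01 fw1 kernel: Q1Target=fw_drop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=31337 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:00:02 fw1 kernel: Q1Target=fw_accept IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:00:03 fw1 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=TCP SPT=50001 DPT=31337 WINDOW=64240 RES=0x00 SYN URGP=0'

# Usage: sh classify_iptables_log.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | count_actions
fi
```

The third sample line is the case the prefix exists to prevent: the packet to port 31337 was logged, but nothing in the event says whether the rule that followed accepted or dropped it.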
Configuring IPtables
IPtables is a powerful tool that creates rules for the Linux kernel firewall (netfilter) to filter and manipulate traffic.
To configure IPtables, you examine the existing rules, add a rule that logs the matching traffic, and assign a log prefix to that rule that JSA can identify. This process determines which rules are reported to JSA. JSA includes any logged event whose payload contains the words accept, drop, reject, or deny.
Using SSH, log in to your Linux Server as a root user.
Edit the IPtables rules file, for example:
/etc/iptables.conf
Note: The location of the file that contains the IPtables rules varies by Linux distribution. For example, Red Hat Enterprise Linux stores the rules in /etc/sysconfig/iptables. Consult your Linux distribution documentation for more information about configuring IPtables.
Review the file to determine the IPtables rule you want to log.
For example, to log the rule defined by the following entry (the --dport match requires a protocol match such as -p tcp or -p udp):
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
Insert a copy of the rule immediately before each rule you want to log:
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
Change the target of the new rule to LOG for each rule you want to log. For example:
-A INPUT -i eth0 -p tcp --dport 31337 -j LOG
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
The LOG target is non-terminating, so the packet continues to the original rule, which still applies the DROP.
Set the log level of the LOG target to a syslog priority level, such as info or notice:
-A INPUT -i eth0 -p tcp --dport 31337 -j LOG --log-level info
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
Configure a log prefix to identify the rule behavior. Set the --log-prefix parameter to:
Q1Target=<rule>
Where <rule> is one of the following IPtables firewall actions: fw_accept, fw_drop, fw_reject, or fw_deny.
For example, if the rule that is logged drops traffic, the log prefix is:
Q1Target=fw_drop
-A INPUT -i eth0 -p tcp --dport 31337 -j LOG --log-level info --log-prefix "Q1Target=fw_drop "
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
Note: You must have a trailing space before the closing quotation mark, so that the prefix does not run into the IN= field that the kernel writes immediately after it. The kernel accepts a prefix of at most 29 characters; the longest value here, "Q1Target=fw_reject ", is 19 characters.
Save and exit the file.
Restart IPtables using the following command:
/etc/init.d/iptables restart
On systemd-based distributions that use the iptables-services package, the equivalent command is systemctl restart iptables. Verify the result with iptables -L INPUT -n -v, which should list the new LOG rule immediately before the rule it logs.
Open the syslog configuration file, /etc/syslog.conf (on systems that use rsyslog, /etc/rsyslog.conf or a file in /etc/rsyslog.d/).
Add the following line, with whitespace between the selector and the action:
kern.<log level>    @<IP address>
Where:
<log level> is the log level you set on the LOG target, for example info.
<IP address> is the IP address of JSA.
The selector matches kernel messages at the given priority and higher, so every kernel message at that priority or above is forwarded, not only IPtables events. A single @ forwards over UDP port 514; rsyslog also accepts @@ to forward over TCP.
Save and exit the file.
Restart the syslog daemon by using the following command:
/etc/init.d/syslog restart
On systems that use rsyslog, restart it with service rsyslog restart or systemctl restart rsyslog instead.
After the syslog daemon restarts, events are forwarded to JSA. IPtables events that are forwarded from Linux servers are automatically discovered and displayed in the Log Activity tab of JSA.
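The procedure above is mechanical and easy to get subtly wrong by hand (a missing trailing space, a prefix value JSA does not recognise, a LOG rule placed after the rule it should precede). The following script is an added example, not code from the JSA documentation or from Juniper: given a rules file in iptables-save format, it emits the LOG rule that must precede every ACCEPT, DROP, or REJECT rule, with the Q1Target prefix derived from the target and checked against the kernel's 29-character prefix limit. The sample rule set, interface names, and ports are constructed for this example; the JSA convention itself (Q1Target=fw_accept, fw_drop, fw_reject) is taken from the page.

```shell
#!/bin/sh
# Added example; this is not code from the JSA documentation or from Juniper.
# It generates, for each terminating rule in an iptables rules file, the LOG
# rule that must precede it, using the Q1Target=<rule> prefix convention from
# the procedure above. The sample rules file at the bottom is constructed for
# this example; interface names and port numbers are hypothetical.

# Map an iptables target to the JSA prefix value. Unknown targets fail so a
# typo cannot silently emit a prefix that JSA does not recognise.
prefix_for_target() {
    case "$1" in
        ACCEPT) echo "fw_accept" ;;
        DROP)   echo "fw_drop" ;;
        REJECT) echo "fw_reject" ;;
        *)      return 1 ;;
    esac
}

# Build the LOG rule for one rule line ($1) at syslog level $2 (default info).
# The match part of the rule is kept; "-j <target>" and anything after it
# (for example --reject-with) is replaced by the LOG target and its options.
make_log_rule() {
    rule="$1"
    level="${2:-info}"
    target=$(printf '%s\n' "$rule" | sed -n 's/.*-j \([A-Z]*\).*/\1/p')
    prefix=$(prefix_for_target "$target") || return 1
    # The trailing space keeps the prefix separate from the IN= field that the
    # kernel writes next. The kernel accepts at most 29 characters of prefix.
    full="Q1Target=$prefix "
    [ "${#full}" -le 29 ] || return 1
    match=$(printf '%s\n' "$rule" | sed 's/ -j [A-Z]*.*$//')
    printf '%s -j LOG --log-level %s --log-prefix "%s"\n' "$match" "$level" "$full"
}

# Read a rules file on stdin and print it with a LOG rule inserted before every
# ACCEPT, DROP or REJECT rule. Table headers, chain policies and COMMIT lines
# pass through unchanged.
generate_rules() {
    level="${1:-info}"
    while IFS= read -r line; do
        case "$line" in
            -A*" -j ACCEPT"*|-A*" -j DROP"*|-A*" -j REJECT"*)
                make_log_rule "$line" "$level" || return 1 ;;
        esac
        printf '%s\n' "$line"
    done
}

# Constructed sample in iptables-save format (hypothetical rule set).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
-A INPUT -i eth0 -p udp --dport 161 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Usage: sh generate_log_rules.sh --demo   (prints the augmented rule set)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | generate_rules info
fi
```

The output can be loaded with iptables-restore, or used as the content of the rules file that the procedure above edits; because every LOG rule is emitted immediately before the rule it logs, the DROP or REJECT still applies after the packet is logged.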
Syslog Log Source Parameters for Linux IPtables
If JSA does not automatically detect the log source, add a Linux IPtables log source on the JSA Console by using the Syslog protocol.
When you use the syslog protocol, the following parameters require specific values to collect syslog events from Linux IPtables:

Parameter | Value
---|---
Log Source type | Linux IPtables Firewall
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Linux IPtables firewall.