
box.iptables

Linux iptables firewall log events are labeled with tags that start with box.iptables. We recommend using rsyslog to send iptables events securely to Devo. 

The iptables rules for logging let you append a prefix of up to 29 characters to events using the log-prefix option. This prefix can be used to identify the specific types of log events that you want to collect and send to Devo.

Recommended event prefix

You may use any prefix naming policy you choose for identifying events. However, we propose a simple policy in which all events are prefixed with IPTABLES, followed by the action taken (ACCEPT or DENY) and the chain (INPUT, OUTPUT or FORWARD). 

Here are examples of prefixes that use this policy (the space at the end of the prefix is important):

  • "IPTABLES ACCEPT INPUT "

  • "IPTABLES ACCEPT OUTPUT "

  • "IPTABLES DENY INPUT "

  • "IPTABLES DENY OUTPUT "

  • "IPTABLES DENY FORWARD "

We use this prefix policy in the examples below.

iptables sample rules script

This script implements an example iptables policy in which outbound traffic is allowed and inbound traffic is denied, except for SSH and ping. The script uses the log-prefix option to apply the prefixes that clearly identify the types of events that are logged.

Script containing firewall rules
#!/bin/bash
IPTABLES=/sbin/iptables

# Delete previous fw config
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Default log accept CHAIN
$IPTABLES -N logaccept
$IPTABLES -N logacceptOutput
$IPTABLES -A logaccept -j LOG --log-prefix "IPTABLES ACCEPT INPUT "
$IPTABLES -A logaccept -j ACCEPT
$IPTABLES -A logacceptOutput -j LOG --log-prefix "IPTABLES ACCEPT OUTPUT "
$IPTABLES -A logacceptOutput -j ACCEPT

# Stateful rules
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local traffic
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT

# Allow outbound traffic
$IPTABLES -A OUTPUT -m state --state NEW -j logacceptOutput

# Allow inbound traffic
# Remote SSH access
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j logaccept

# Allow PING (ICMP ECHO)
# OUTPUT rules jump to logacceptOutput so the prefix names the right chain
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j logaccept
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j logacceptOutput
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j logaccept
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j logacceptOutput

##################
# DEFAULT POLICY #
##################
# Default log & deny rule for any traffic not allowed before
$IPTABLES -A INPUT -j LOG --log-level info --log-prefix "IPTABLES DENY INPUT "
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j LOG --log-level info --log-prefix "IPTABLES DENY OUTPUT "
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "IPTABLES DENY FORWARD "
$IPTABLES -A FORWARD -j DROP

rsyslog configuration

To tag the log as box.iptables and send it to Devo, use the rsyslog configuration file below.

  • To send log events directly to Devo, edit and uncomment the SSL config section of the file and set DEVO-RELAY to XX.elb.relay.logtrust.net (where XX corresponds to your cloud region) and PORT 443.

  • To send logs to the Devo relay for forwarding, leave the SSL section commented and set DEVO-RELAY to the IP address of the relay and PORT 13000.

/etc/rsyslog.d/40-iptables.conf File
$template iptables,"<%PRI%>%timegenerated% %HOSTNAME% box.iptables.kernel: %msg%"

# SSL config for secure sending to DEVO
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/CHAIN.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/DOMAIN.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/DOMAIN.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer XX.elb.relay.logtrust.net # Devo Cloud (replace XX with eu, us, or es)

:msg, startswith, "IPTABLES " @@DEVO-RELAY:PORT;iptables
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] IPTABLES " @@DEVO-RELAY:PORT;iptables
& ~

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as box.iptables. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service    Tags                   Data tables
Linux iptables       box.iptables.kernel    box.iptables

Table structure

These are the fields displayed in this table:

box.iptables

Field         Type        Source field name    Extra fields
eventdate     timestamp
machine       str         vmachine
stamp         float8
logprefix     str
ifaceIn       str
ifaceOut      str
srcMac        str
dstMac        str
etherType     str
srcIp         ip4
dstIp         ip4
len           int4
tos           int4
prec          int4
ttl           int4
id            int8
frag          int4
opt           str
ceFlag        bool
dfFlag        bool
mfFlag        bool
proto         str
spt           int4
dpt           int4
seq           int8
ack           int8
window        int4
res           int4
urgp          int4
urgFlag       bool
ackFlag       bool
pshFlag       bool
rstFlag       bool
synFlag       bool
finFlag       bool
protoOpt      str
protoLen      int4
icmpType      int4
icmpCode      int4
icmpId        int4
hostchain     str                              ✓
tag           str                              ✓
rawMessage    str                              ✓
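As an added example (not code from the original page or from Devo), the Python below mirrors the two rsyslog property filters from 40-iptables.conf and then splits one kernel LOG line into the column names of the box.iptables table, covering the printk-timestamped form and the second ID= that ICMP echo lines carry. The two sample messages are constructed for this example.

```python
import re

# Constructed sample kernel messages (not from the original page); the second one
# carries the "[ secs.usecs] " printk timestamp the page's regex filter matches.
SAMPLE_DENY = ('IPTABLES DENY INPUT IN=eth0 OUT= '
               'MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 '
               'DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF '
               'PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0')
SAMPLE_PING = ('[ 4242.123456] IPTABLES ACCEPT INPUT IN=eth0 OUT= SRC=192.0.2.5 '
               'DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF '
               'PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1')

PRINTK_TS = re.compile(r'^\[ *([0-9]*\.[0-9]*)\] ')
# Bare tokens -> bool columns; KEY=value tokens -> the other columns of the table.
FLAGS = {'CE': 'ceFlag', 'DF': 'dfFlag', 'MF': 'mfFlag', 'URG': 'urgFlag',
         'ACK': 'ackFlag', 'PSH': 'pshFlag', 'RST': 'rstFlag', 'SYN': 'synFlag',
         'FIN': 'finFlag'}
KEYS = {'IN': 'ifaceIn', 'OUT': 'ifaceOut', 'SRC': 'srcIp', 'DST': 'dstIp',
        'LEN': 'len', 'TOS': 'tos', 'PREC': 'prec', 'TTL': 'ttl', 'ID': 'id',
        'PROTO': 'proto', 'SPT': 'spt', 'DPT': 'dpt', 'WINDOW': 'window',
        'RES': 'res', 'URGP': 'urgp', 'SEQ': 'seq', 'ACK': 'ack',
        'TYPE': 'icmpType', 'CODE': 'icmpCode'}
STR_KEYS = {'IN', 'OUT', 'SRC', 'DST', 'PROTO'}   # everything else is numeric

def rsyslog_selects(msg):
    """Same two property filters as 40-iptables.conf (plain or timestamped)."""
    return msg.startswith('IPTABLES ') or bool(
        re.match(r'^\[ *[0-9]*\.[0-9]*\] IPTABLES ', msg))

def parse_iptables(msg):
    """Split one LOG-target line into the box.iptables column names."""
    ev = {col: False for col in FLAGS.values()}
    ts = PRINTK_TS.match(msg)
    if ts:                                   # stamp column: kernel uptime
        ev['stamp'] = float(ts.group(1))
        msg = msg[ts.end():]
    prefix, _, rest = msg.partition('IN=')  # --log-prefix text, trailing space kept
    ev['logprefix'] = prefix
    for tok in ('IN=' + rest).split():
        if tok in FLAGS:
            ev[FLAGS[tok]] = True
            continue
        key, _, val = tok.partition('=')
        if key == 'MAC':                     # dst MAC : src MAC : ethertype
            ev['dstMac'], ev['srcMac'], ev['etherType'] = val[:17], val[18:35], val[36:]
        elif key == 'ID' and ev.get('proto') == 'ICMP':
            ev['icmpId'] = int(val)          # ID= after PROTO=ICMP is the echo id
        elif key in KEYS:                    # TOS/PREC/RES are hex, the rest decimal
            ev[KEYS[key]] = val if key in STR_KEYS else int(val, 0)
    return ev
```

Lines that fail rsyslog_selects never reach Devo under the page's configuration, so a prefix that drops the trailing space or the IPTABLES keyword silently loses the event.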