box.iptables

Linux iptables firewall log events are labeled with tags that start with box.iptables. We recommend using rsyslog to send iptables events securely to Devo.

The iptables rules for logging let you append a prefix of up to 29 characters to events using the log-prefix option. This prefix can be used to identify the specific types of log events that you want to collect and send to Devo.

Recommended event prefix

You may use any prefix naming policy you choose for identifying events. However, we propose a simple policy in which all events are prefixed with IPTABLES, followed by the action taken (ACCEPT or DENY) and the chain (INPUT, OUTPUT or FORWARD).

Here are examples of prefixes that use this policy (the space at the end of the prefix is important):

"IPTABLES ACCEPT INPUT "
"IPTABLES ACCEPT OUTPUT "
"IPTABLES DENY INPUT "
"IPTABLES DENY OUTPUT "
"IPTABLES DENY FORWARD "

We use this prefix policy in the examples below.

iptables sample rules script

This is a script that implements an iptables policy example where the outbound traffic is allowed and incoming traffic is denied (excepting SSH and PING). The script uses the log-prefix option to apply the prefixes that clearly identify the types of events that are logged.

Script containing firewall rules

#!/bin/bash
IPTABLES=/sbin/iptables
 
# Delete previous fw config
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
 
# Default log accept CHAIN
$IPTABLES -N logaccept
$IPTABLES -N logacceptOutput
$IPTABLES -A logaccept -j LOG --log-prefix "IPTABLES ACCEPT INPUT "
$IPTABLES -A logaccept -j ACCEPT
$IPTABLES -A logacceptOutput -j LOG --log-prefix "IPTABLES ACCEPT OUTPUT "
$IPTABLES -A logacceptOutput -j ACCEPT
 
# Stateful rules
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow local traffic
$IPTABLES -A INPUT -i lo   -m state --state NEW  -j ACCEPT
$IPTABLES -A OUTPUT -o lo   -m state --state NEW  -j ACCEPT
 
# Allow outbound traffic
$IPTABLES -A OUTPUT -m state --state NEW -j logacceptOutput
 
# Allow inbound traffic
# Remote SSH access
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j logaccept
# Allow PING (ICMP ECHO)
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j logaccept
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request   -j logaccept
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j logaccept
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply   -j logaccept
 
# Default log & deny rule for any traffic not allowed before
##################
# DEFAULT POLICY #
##################
# Default log & deny rule for any traffic not allowed before
$IPTABLES -A INPUT -j LOG --log-level info --log-prefix "IPTABLES DENY INPUT "
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j LOG --log-level info --log-prefix "IPTABLES DENY OUTPUT "
$IPTABLES -A OUTPUT -j DROP
$IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "IPTABLES DENY FORWARD "
$IPTABLES -A FORWARD -j DROP

rsyslog configuration

To tag the log as box.iptable and send it to Devo, use the below rsyslog configuration file.

To send log events directly to Devo, edit and uncomment the SSL config section of the file and set DEVO-RELAY to XX.elb.relay.logtrust.net (where XX corresponds to your cloud region) and PORT 443.
To send logs to the Devo relay for forwarding, leave the SSL section commented and set DEVO-RELAY to the IP address of the relay and PORT 13000.

/etc/rsyslog.d/40-iptables.conf File

$template iptables,"<%PRI%>%timegenerated% %HOSTNAME% box.iptables.kernel: %msg%"
 
# SSL config for secure sending to DEVO
#$DefaultNetstreamDriver gtls 									# use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/CHAIN.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/DOMAIN.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/DOMAIN.key
#$ActionSendStreamDriverMode 1 									# require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer XX.elb.relay.logtrust.net		# Devo Cloud (replace XX with eu, us, or es)
 , 
 
:msg, startswith, "IPTABLES " @@DEVO-RELAY:PORT;iptables
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] IPTABLES " @@DEVO-RELAY:PORT;iptables
& ~

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as ap.cisco. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Linux iptables	`box.iptables.kernel`	`box.iptables`
Linux iptables	`box.iptables`	`box.iptables`

Table structure

These are the fields displayed in this table:

box.iptables

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`	vmachine
stamp	`float8`
logprefix	`str`
ifaceIn	`str`
ifaceOut	`str`
srcMac	`str`
dstMac	`str`
etherType	`str`
srcIp	`ip4`
dstIp	`ip4`
len	`int4`
tos	`int4`
prec	`int4`
ttl	`int4`
id	`int8`
frag	`int4`
opt	`str`
ceFlag	`bool`
dfFlag	`bool`
mfFlag	`bool`
proto	`str`
spt	`int4`
dpt	`int4`
seq	`int8`
ack	`int8`
window	`int4`
res	`int4`
urgp	`int4`
urgFlag	`bool`
ackFlag	`bool`
pshFlag	`bool`
rstFlag	`bool`
synFlag	`bool`
finFlag	`bool`
protoOpt	`str`
protoLen	`int4`
icmpType	`int4`
icmpCode	`int4`
icmpId	`int4`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓