Linux Iptables
LogZilla App Store application: Linux Iptables
Overview
Linux iptables is the standard firewall functionality built into Linux systems. It provides a user-space utility program that allows system administrators to configure IP packet filter rules for the Linux kernel firewall. The filters are organized in different tables containing chains of rules for network traffic packet handling.
App Function
The Linux iptables app extracts network security information from iptables firewall logs and creates user tags for analysis and monitoring.
Supported Firewalls:
- Linux iptables (native kernel firewall)
- Uncomplicated Firewall (UFW) - wrapper around iptables
- Any Linux firewall that generates iptables-format log messages
Vendor Documentation
Incoming Log Format
Iptables uses space-separated fields in key=value format. Log messages are generated as Linux kernel messages or by network devices using an iptables-compatible logging format.
Parsed Metadata Fields
| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| ☑ | IntIn | IN | eth0 | incoming network interface |
| ☑ | IntOut | OUT | eth0 | outgoing network interface |
| ☑ | MAC | MAC | 4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 | interface MAC address |
| ☑ | SrcIP | SRC | 185.153.196.126 | source IP address |
| ☑ | DstIP | DST | 134.122.74.164 | destination IP address |
| ☑ | Protocol | PROTO | TCP | network protocol |
| ☑ | SrcPort | SPT | 50369 | source IP port |
| ☑ | DstPort | DPT | 110 | destination IP port |
| | | LEN | 40 | length of the packet |
| | | TOS | 0x00 | "TOS" field of the IP packet header |
| | | PREC | 0x00 | "precedence" field of the IP packet header |
| | | TTL | 246 | packet time-to-live |
| | | ID | 57949 | ufw/OS internal ID |
| | | WINDOW | 1024 | size of packet the sender is willing to receive |
| | | RES | 0x00 | reserved for future use, always 0 |
| | | SYN URGP | 0 | two parts: 1) whether the connection requires a 3-way handshake; 2) whether the urgent field is relevant |
Lua User Tag Map
```lua
USERTAGS_MAP = {
  IN = "IntIn",
  OUT = "IntOut",
  MAC = "MAC",
  SRC = "SrcIP",
  DST = "DstIP",
  PROTO = "Protocol",
  SPT = "SrcPort",
  DPT = "DstPort",
}
```
High-Cardinality (HC) Tags
- SrcIP
- DstIP
- MAC
- SrcIP to DstIP
- SrcIP to Port
Field Notes
MAC
This provides a 14-byte combination of the Destination MAC, Source MAC, and EtherType fields, following the order found in the Ethernet II header.
SRC (and DST)
This indicates the source IP, the host that originally sent the packet (or, in the case of DST, the recipient). Some IPs are routable over the internet, some will only communicate over a LAN, and some will only route back to the source computer.
PROTO
This field will mainly be one of: TCP, UDP, ICMP.
Log Examples
Packet Blocked by Firewall
```text
IN=eth0 OUT= MAC=4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 SRC=11.22.33.44 DST=55.66.77.88 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=57949 PROTO=TCP SPT=50369 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
```
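The following is an added example, not LogZilla's app code, showing how the key=value format above is parsed, how the user tag map is applied (an empty `OUT=` yields no tag, and a bare `SYN` token has no value), and how the 14-octet MAC field splits into destination MAC, source MAC and EtherType. The ufw-style prefix in the sample and the "A to B" value format of the combined HC tags are assumptions.

```python
# Mirrors the page's Lua USERTAGS_MAP: iptables field name -> LogZilla user tag.
USERTAGS_MAP = {
    "IN": "IntIn", "OUT": "IntOut", "MAC": "MAC", "SRC": "SrcIP",
    "DST": "DstIP", "PROTO": "Protocol", "SPT": "SrcPort", "DPT": "DstPort",
}

def parse_iptables_log(line: str) -> dict:
    """Split an iptables-format message into prefix, KEY=VALUE fields and bare flags."""
    start = line.find("IN=")  # a ufw-style "[UFW BLOCK]" prefix precedes the first field
    prefix, body = (line[:start].strip(), line[start:]) if start >= 0 else ("", line)
    fields, flags = {}, set()
    for token in body.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value  # may be empty, e.g. "OUT=" on locally delivered packets
        else:
            flags.add(token)     # bare tokens such as SYN carry no value
    return {"prefix": prefix, "fields": fields, "flags": flags}

def split_mac_field(mac: str) -> dict:
    """Split the 14-octet MAC field into dst MAC, src MAC and EtherType (Ethernet II order)."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets, got {len(octets)}")
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),  # 0x0800 = IPv4
    }

def build_user_tags(fields: dict) -> dict:
    """Apply USERTAGS_MAP; an empty value such as OUT= yields no tag."""
    return {tag: fields[k] for k, tag in USERTAGS_MAP.items() if fields.get(k)}

def build_hc_tags(fields: dict) -> dict:
    """Combined HC tags; the 'A to B' value format is an assumption, not LogZilla's."""
    src, hc = fields.get("SRC"), {}
    if src and fields.get("DST"):
        hc["SrcIP to DstIP"] = f"{src} to {fields['DST']}"
    if src and fields.get("DPT"):
        hc["SrcIP to Port"] = f"{src} to {fields['DPT']}"
    return hc

# Constructed sample: the page's example line behind a ufw-style prefix.
SAMPLE = ("[UFW BLOCK] IN=eth0 OUT= MAC=4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 "
          "SRC=11.22.33.44 DST=55.66.77.88 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=57949 "
          "PROTO=TCP SPT=50369 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0")
```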