Linux Iptables
Rule Function
Iptables is the basic firewall functionality built into Linux. It is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets.
Note that this rule can also be used with the Linux Uncomplicated Firewall (UFW). UFW is a wrapper on top of Iptables that makes Iptables configuration and administration easier.
The purpose of this rule is to set various user tags for the fields in the Iptables log messages.
Vendor Documentation
- iptables(8) - Linux man page
- UFW (expanded iptables implementation)
Incoming Log Format
The log format is comprised of space-separated fields, most of which are in the form of key=value. These fields are listed in the next section. This log message is logged as a Linux kernel message (or in some cases produced by certain network devices).
User Tags
Tagged | Tag Name | Field Name | Example | Description |
---|---|---|---|---|
☑ | IntIn | IN | eth0 | incoming network interface |
☑ | IntOut | OUT | eth0 | outgoing network interface |
☑ | MAC | MAC | 4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 | interface MAC address |
☑ | SrcIP | SRC | 185.153.196.126 | source IP address |
☑ | DstIP | DST | 134.122.74.164 | destination IP address |
☑ | Protocol | PROTO | TCP | network protocol |
☑ | SrcPort | SPT | 50369 | source IP port |
☑ | DstPort | DPT | 110 | dest IP port |
 | | LEN | 40 | length of the packet |
 | | TOS | 0x00 | "TOS" field of the IP packet header |
 | | PREC | 0x00 | "precedence" field of the IP packet header |
 | | TTL | 246 | packet time-to-live |
 | | ID | 57949 | ufw/os internal id |
 | | WINDOW | 1024 | size of packet the sender is willing to receive |
 | | RES | 0x00 | reserved for future use, always 0 |
 | | SYN URGP | 0 | two parts: 1) whether connection requires 3-way-handshake; 2) whether urgent field is relevant |
Lua User Tag Map
```lua
-- Maps the raw iptables log field name (left) to the user tag it is stored under (right).
USERTAGS_MAP = {
    IN    = "IntIn",
    OUT   = "IntOut",
    MAC   = "MAC",
    SRC   = "SrcIP",
    DST   = "DstIP",
    PROTO = "Protocol",
    SPT   = "SrcPort",
    DPT   = "DstPort",
}
```
HC Tags
Field Notes
MAC
This provides a 14-byte combination of the Destination MAC, Source MAC, and EtherType fields, following the order found in the Ethernet II header.
SRC (and DST)
This indicates the source IP, i.e. who sent the packet initially (or, in the case of DST, the recipient). Some IPs are routable over the internet, some will only communicate over a LAN, and some will only route back to the source computer.
PROTO
This field will mainly be one of: TCP, UDP, ICMP.
Log Examples
Packet blocked by firewall
IN=eth0 OUT= MAC=4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 SRC=11.22.33.44 DST=55.66.77.88 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=57949 PROTO=TCP SPT=50369 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
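The following is an added example (not code from the page or from the iptables/UFW projects) that parses a log line in the format described under "Incoming Log Format", applies the same field-to-tag mapping as the Lua USERTAGS_MAP above, and splits the 14-byte MAC field as described in the Field Notes. The syslog framing (`kernel: [UFW BLOCK] ...`) prepended to the page's example line, and the `LOG_PREFIX` and `FLAGS` keys, are assumptions of this example; the parser handles the two edge cases visible in the sample: an empty value (`OUT=` on an inbound packet) and a bare flag token (`SYN`) that has no `=`.

```python
import re

# User-tag map, copied from the page's Lua USERTAGS_MAP (raw field -> tag name).
USERTAGS_MAP = {
    "IN": "IntIn",
    "OUT": "IntOut",
    "MAC": "MAC",
    "SRC": "SrcIP",
    "DST": "DstIP",
    "PROTO": "Protocol",
    "SPT": "SrcPort",
    "DPT": "DstPort",
}

# Constructed sample: the page's "Packet blocked by firewall" line with a typical
# kernel/UFW syslog prefix in front of it (the prefix is an assumption).
SAMPLE_LINE = (
    "kernel: [UFW BLOCK] IN=eth0 OUT= MAC=4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 "
    "SRC=11.22.33.44 DST=55.66.77.88 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=57949 "
    "PROTO=TCP SPT=50369 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0"
)

# A key=value token: uppercase key, '=' and a possibly empty value.
_KV = re.compile(r"^([A-Z]+)=(.*)$")


def parse_fields(line):
    """Split an iptables/UFW log line into a dict of raw FIELD -> value.

    Everything before the first KEY=value token is treated as the syslog head;
    if it contains a bracketed --log-prefix (e.g. "[UFW BLOCK]") that text is
    stored under LOG_PREFIX (a key chosen for this example). KEY= with nothing
    after it (OUT= for an inbound packet) maps to "". Bare uppercase tokens in
    the field region (SYN, ACK, DF, ...) are flags and are collected in FLAGS.
    """
    tokens = line.split()
    start = next((i for i, t in enumerate(tokens) if _KV.match(t)), len(tokens))
    fields = {}
    head = " ".join(tokens[:start])
    m = re.search(r"\[([^\]]*)\]", head)
    if m:
        fields["LOG_PREFIX"] = m.group(1)
    flags = []
    for tok in tokens[start:]:
        kv = _KV.match(tok)
        if kv:
            fields[kv.group(1)] = kv.group(2)
        elif tok.isalpha() and tok.isupper():
            flags.append(tok)
    if flags:
        fields["FLAGS"] = flags
    return fields


def apply_user_tags(fields, tag_map=USERTAGS_MAP):
    """Rename raw fields to their user-tag names.

    Fields not in the map (LEN, TTL, ...) are left out, and empty values such
    as OUT= are skipped so a tag is never set to an empty string.
    """
    return {tag: fields[key] for key, tag in tag_map.items()
            if key in fields and fields[key] != ""}


def split_mac_field(mac):
    """Split the 14-octet MAC field into (destination MAC, source MAC, EtherType),
    the Ethernet II header order given in the Field Notes."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("MAC field must contain 14 octets, got %d" % len(octets))
    return (":".join(octets[:6]), ":".join(octets[6:12]), "0x" + "".join(octets[12:]))


if __name__ == "__main__":
    raw = parse_fields(SAMPLE_LINE)
    print(apply_user_tags(raw))
    print(split_mac_field(raw["MAC"]))
```

Running the block on the sample prints the seven non-empty tags (IntOut is absent because OUT= carried no value) and the MAC split as destination `4a:2a:b8:8e:09:87`, source `fe:00:00:00:01:01`, EtherType `0x0800` (IPv4). Untagged fields such as TTL and WINDOW remain available in the raw dict for any further enrichment.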