Linux Iptables

Rule Function

Iptables is the basic firewall functionality built into linux. It is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets.

Note that this rule can also be used with linux Uncomplicated Firewall (UFW). UFW is a wrapper on top of Iptables to make Iptables configuration and administration easier.

The purpose of this rule is to set user tags various user tags for the fields in the Iptables log messages.

Vendor Documentation

iptables(8) - Linux man page
UFW (expanded iptables implementation)

Incoming Log Format

The log format is comprised of space-separated fields, most of which are in the form of key=value. These fields are listed in the next section. This log message is logged as a linux kernel message (or in some cases produced by certain network devices).

User Tags

Tagged	Tag Name	Field Name	Example	Description
☑	`IntIn`	`IN`	`eth0`	incoming network interface
☑	`IntOut`	`OUT`	`eth0`	outgoing network interface
☑	`MAC`	`MAC`	`4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00`	interface MAC address
☑	`SrcIP`	`SRC`	`185.153.196.126`	source IP address
☑	`DstIP`	`DST`	`134.122.74.164`	destination IP address
☑	`Protocol`	`PROTO`	`TCP`	network protocol
		`SPT`	`50369`	source IP port
☑	`DstPort`	`DPT`	`110`	dest IP port
		`LEN`	`40`	length of the packet
		`TOS`	`0x00`	"TOS" field of the IP packet header
		`PREC`	`0x00`	"precedence" field of the IP packet header
		`TTL`	`246`	packet time-to-live
		`ID`	`57949`	ufw/os internal id
		`WINDOW`	`1024`	size of packet the sender is willing to receive
		`RES`	`0x00`	reserved for future use, always 0
		`SYN URGP`	`0`	two parts: 1) whether connection requires 3-way-handshake; 2) whether urgent field is relevant

Lua User Tag Map

USERTAGS_MAP = {  
    IN = "IntIn",  
    OUT = "IntOut",  
    MAC = "MAC",  
    SRC = "SrcIP",  
    DST = "DstIP",  
    PROTO = "Protocol",  
    SPT = "SrcPort",  
    DPT = "DstPort",  
}

HC Tags

HC_TAGS={
    "SrcIP",
    "DstIP",
    "MAC",
    "SrcIP to DstIP",
    "SrcIP to Port"
}

Field Notes

`MAC`

This provides a 14-byte combination of the Destination MAC, Source MAC, and EtherType fields, following the order found in the Ethernet II header.

`SRC` (and `DST`)

This indicates the source IP, who sent the packet initially (or in the case of DST the recipient). Some IPs are routable over the internet, some will only communicate over a LAN, and some will only route back to the source computer.

`PROTO`

This field will mainly be one of: TCP, UDP, ICMP.

Log Examples

Packet blocked by firewall IN=eth0 OUT= MAC=4a:2a:b8:8e:09:87:fe:00:00:00:01:01:08:00 SRC=11.22.33.44 DST=55.66.77.88 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=57949 PROTO=TCP SPT=50369 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0