IPTables logs analyzer FAQ

Gerald GARCIA


Table of Contents

Preface
1 General information
What is IPTables logs analyzer ?
How does IPTables logs analyzer work ?
Are there any screenshots available ?
2 How to find, configure, install, and troubleshoot IPTables logs analyzer
Where can I get IPTables logs analyzer ?
How do I configure/compile IPTables logs analyzer ?
3 Customisation
How can I create my own stylesheet ?
How do I add a personalized header/footer to generated tables ?
4 FAQ Contributions, Maintainers and Copyright

Preface

This document gathers some frequently asked questions on IPTables logs analyzer

Chapter 1. General information

This chapter gathers general information about IPTables logs analyzer

What is IPTables logs analyzer ?

IPTables log analyzer displays Linux 2.4 iptables logs (rejected, accepted, and masqueraded packets) in a nice HTML page. The reports it produces are easy to read and understand, reducing the manual analysis time. They contain statistics on packets and links to more detailed information on a given host, port, or domain.

How does IPTables logs analyzer work ?

IPTables logs analyzer is composed of two separate parts :

  • A database feeder : reads the log lines produced by iptables (generally in /var/log/syslog) and stores each logged packet in the database

  • A web interface : provides different views of the packets stored in the database

Depending on your network architecture, you can run the database feeder, the web interface and the database all on the firewall itself, or you can use existing hosts of your network as described below :

  • On the firewall : the database feeder

  • On a database host : the MySQL database

  • On a web server : the PHP scripts of the web interface

The log analyzer is ready to receive data from several firewalls : if your network is protected by more than one, run one database feeder on each firewall and have them all write to a single database host. In that case the feeder's database account must be granted access from each firewall's address rather than from localhost (see Chapter 2), and the MySQL port should be reachable from the firewalls only.

Figure 1.1. Typical large installation

Figure 1.2. Typical single host installation

Are there any screenshots available ?

Figure 1.3. Screenshot green theme

Figure 1.4. Screenshot blue theme

Chapter 2. How to find, configure, install, and troubleshoot IPTables logs analyzer

This chapter gathers install information about IPTables logs analyzer

Where can I get IPTables logs analyzer ?

Two sources :

How do I configure/compile IPTables logs analyzer ?

  • Creation of the database

    • start the mysql client (with a user that has the right to create databases, here root)

      > mysql -u root -p
    • create the database (here called iptables)

      mysql> create database iptables;
    • grant the minimum rights to the user that creates the tables and fills the database (here the user iptables_admin connects from localhost with password xx ; replace xx with a real password, different for each user)

      mysql> grant create,select,insert on iptables.* to iptables_admin@localhost identified by 'xx';
    • grant select rights to the user used by the PHP interface (it also needs the right to create temporary tables)

      mysql> grant select on iptables.* to iptables_user@localhost identified by 'xx';
      mysql> grant create temporary tables on iptables.* to iptables_user@localhost;

    • exit the mysql client and load the contents of the file sql/db.sql (in the distribution) into the database

      > mysql -u iptables_admin -p iptables < sql/db.sql
  • Add the correct LOG rule to netfilter rules

    • a logging rule must be set up, for example (adapt it carefully to your situation) :

      iptables -N LOG_DROP
      iptables -A LOG_DROP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP] : '
      iptables -A LOG_DROP -j DROP
      
    • when you drop packets, use LOG_DROP instead of DROP as the target, for example (this rule logs and drops everything that reaches the end of the INPUT chain, so it must come after your ACCEPT rules) :

      iptables -A INPUT -j LOG_DROP
      
    • you should check that lines of the following kind appear in your logs (/var/log/syslog for example) :

      Sep 24 21:33:56 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=62.202.81.132 DST=193.253.186.217 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25302 DF PROTO=TCP SPT=3795 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402)
      
    • To feed more chains, just adjust the --log-prefix option : the analyzer takes the chain name from the prefix. In the previous example the DROP chain is defined.

      If you use --log-prefix '[IPTABLES ACCEPT] : ', all the packets logged by that rule will be displayed in the ACCEPT chain.

  • Install the web interface

    • Copy the web directory of the distribution under the document root of your web server

      cp -R web /var/www/iptables
    • Configure the config.php file according to your database settings (set the variables to the user with the select privilege, iptables_user above). This file contains a database password, so make it readable by the web server user only.

  • Install database feeder

    • Configure the feed_db.pl script according to your database settings (set the variables to the user with the select and insert privileges, iptables_admin above)

    • Install the feed_db.pl script somewhere on your firewall (for example /usr/local/bin)

    • Copy the init.d script called "iptablelog" into the /etc/init.d directory (if you want to start the feeder automatically)

    • Configure the "iptablelog" script

    • start the script as root (or better, as an unprivileged user that can read the iptables logs) by :

      /etc/init.d/iptablelog start

Congratulations, you should now be able to open the index.php page in the directory where you copied the web directory !
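The two halves of the feeder's job described in Chapter 1 (reading the kernel's LOG lines out of syslog, storing each packet in the database) and the sample line shown above are tied together in the following added example. It is not the project's feed_db.pl and is written in Python rather than the project's Perl; it assumes the '[IPTABLES <CHAIN>] : ' --log-prefix convention from this FAQ, and the table and column names in to_insert() are assumptions (the real schema is in sql/db.sql). The syslog extract it parses is constructed for the example, not captured traffic.

```python
"""Parse netfilter LOG lines the way a database feeder must (added example,
not the IPTables logs analyzer's own code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# syslog line: "<Mon dd HH:MM:SS> <host> kernel: [IPTABLES <CHAIN>] : <fields>"
# The optional "[ 123.456] " group tolerates the printk timestamp newer kernels add.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?"
    r"\[IPTABLES (?P<chain>[A-Z_]+)\] : (?P<rest>.*)$"
)


@dataclass
class Packet:
    timestamp: str
    host: str
    chain: str                                   # from the --log-prefix: DROP, ACCEPT, ...
    fields: dict = field(default_factory=dict)   # KEY=VALUE pairs: IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    flags: list = field(default_factory=list)    # bare tokens such as DF, SYN, ACK


def parse_line(line):
    """Return a Packet for a netfilter LOG line, or None for any other syslog line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pkt = Packet(m.group("ts"), m.group("host"), m.group("chain"))
    tokens = m.group("rest").split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, value = tok.split("=", 1)       # "OUT=" and "MAC=" give an empty value
            # First occurrence wins: the IP header's ID and LEN come before the
            # ICMP ID / UDP LEN that netfilter prints later on the same line.
            pkt.fields.setdefault(key, value)
        elif tok == "OPT" and i + 1 < len(tokens) and tokens[i + 1].startswith("("):
            # "OPT (0204...)" is produced by --log-tcp-options / --log-ip-options
            pkt.fields.setdefault("OPT", tokens[i + 1].strip("()"))
            i += 1
        else:
            pkt.flags.append(tok)
        i += 1
    return pkt


def parse_log(text):
    """Parse a whole syslog extract, silently skipping lines that are not netfilter logs."""
    return [pkt for pkt in map(parse_line, text.splitlines()) if pkt is not None]


def count_by_chain_port(packets):
    """Per-chain, per-destination-port counts, the kind of statistic the HTML reports show."""
    counts = Counter()
    for pkt in packets:
        counts[(pkt.chain, pkt.fields.get("PROTO"), pkt.fields.get("DPT"))] += 1
    return counts


def to_insert(pkt):
    """Build a parameterised INSERT for one packet (table/column names are assumed).

    Every field value originates from a packet sent by an arbitrary remote host,
    so values are passed as bind parameters, never interpolated into the SQL text.
    """
    sql = ("INSERT INTO packets (logged_at, host, chain, in_if, out_if, src, dst, proto, spt, dpt)"
           " VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)")
    f = pkt.fields
    params = (pkt.timestamp, pkt.host, pkt.chain, f.get("IN"), f.get("OUT"),
              f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("SPT"), f.get("DPT"))
    return sql, params


# Constructed sample syslog extract (not captured traffic). The first line is the
# one quoted in this FAQ; the others exercise UDP, ICMP, ACCEPT and non-netfilter lines.
SAMPLE_LOG = """\
Sep 24 21:33:56 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=62.202.81.132 DST=193.253.186.217 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=25302 DF PROTO=TCP SPT=3795 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204058401010402)
Sep 24 21:34:02 nuage kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=10.0.0.5 DST=193.253.186.217 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=1234 DPT=137 LEN=58
Sep 24 21:34:05 nuage kernel: [IPTABLES ACCEPT] : IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=193.253.186.217 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=ICMP TYPE=8 CODE=0 ID=4567 SEQ=1
Sep 24 21:34:10 nuage sshd[1234]: Accepted password for gege from 192.168.1.10 port 2222 ssh2
Sep 24 21:34:12 nuage kernel: eth0: link up
"""

if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for pkt in pkts:
        print(pkt.chain, pkt.fields.get("PROTO"), pkt.fields.get("SRC"), "->",
              pkt.fields.get("DST"), pkt.fields.get("DPT"), " ".join(pkt.flags))
    for key, n in sorted(count_by_chain_port(pkts).items(), key=str):
        print(key, n)
```

Running the block on the sample prints three packets (two in the DROP chain, one in ACCEPT) and ignores the sshd and link-up lines. The setdefault() call is the point a hand-written regex usually gets wrong: netfilter prints ID and LEN twice for ICMP and UDP, and a dict built with plain assignment would silently record the transport-layer value in the IP column.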

Chapter 3. Customisation

This chapter gathers information about customisation of the application

Warning

Needs to be updated for the current version

How can I create my own stylesheet ?

Simply copy an existing style sheet from the web/themes directory, modify it, and add it to the configuration file.

Example 3.1. Example of adding a new style in config file

#############################
# CSS STYLES
#############################
$css_style_default="my style";

$css_styles["default"]="iptables.css";
$css_styles["blue"]="iptables_blue.css";
$css_styles["my style"]="mystyle.css";
	

How do I add a personalized header/footer to generated tables ?

For the moment there is no easy way to do this. The best way to add a custom header and footer is to edit elems.php.

Chapter 4. FAQ Contributions, Maintainers and Copyright

If you would like to make a contribution to the FAQ, send either one of us an e-mail message with the exact text you think should be included (question and answer). With your help, this document can grow and become more useful!

This document is maintained by Gerald GARCIA <gege@gege.org>.

This FAQ is Copyright (C) 2002 by Gerald GARCIA.

Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that this copyright notice is included exactly as in the original, and that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.

Permission is granted to copy and distribute translations of this document into another language, under the above conditions for modified versions.

If you are intending to incorporate this document into a published work, please contact one of the maintainers, and we will make an effort to ensure that you have the most up to date information available.

There is no guarantee that this document lives up to its intended purpose. This is simply provided as a free resource. As such, the authors and maintainers of the information provided within can not make any guarantee that the information is even accurate.

This chapter is a copy of the one found in the GTK FAQ (http://www.gtk.org/faq)