[Logwatch-Devel] iptables, fwbuilder

Kenneth Porter shiva@well.com
13 May 2002 14:52:37 -0700


Has anyone done some work to add iptables filters to logwatch? I've just
converted my ipchains rules to iptables and of course I no longer get
firewall probe reports in the nightly report.

I'm using a firewall built by fwbuilder (http://www.fwbuilder.org/). It
allows one to specify the log message to prefix each rule match with.
All matches jump to some chain that logs the match and then performs an
accept/reject/drop. The default log prefix comprises the "rule number"
from fwbuilder and the action.

Perhaps someone could help with regexps to collect the log lines. I
can then cook up some logic to aggregate them.

Here's an example for TCP:

May 13 00:28:46 obi-wan kernel: RULE 8 -- Deny IN=eth1 OUT=
MAC=00:03:47:6b:c3:4f:00:10:67:00:b1:be:08:00 SRC=172.128.124.210
DST=64.174.255.162 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=27629 DF
PROTO=TCP SPT=3404 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0 

Here's one for UDP:

May 13 14:14:39 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0
SRC=223.1.1.128 DST=10.25.1.51 LEN=261 TOS=0x00 PREC=0x00 TTL=127
ID=18046 PROTO=UDP SPT=138 DPT=138 LEN=241 

Here's one for ICMP:

May 13 14:32:38 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0
SRC=192.9.200.247 DST=10.25.170.94 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=51904 PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=9728 

It appears that all 3 examples end with a single space.
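A Python stand-in for the regexps and aggregation asked for in the post, added here as an example and not code from the post or from Logwatch itself (Logwatch filters are Perl, but the two regexps carry over directly). It parses the three lines quoted in the post, rejoined onto single lines, plus two constructed lines: a second probe of the same TCP port from the documentation address 192.0.2.77, so the report shows a count above one, and an unrelated kernel message that the filter has to skip. Rule numbers and action names are whatever fwbuilder was configured to emit; only "Deny" appears in the post, so nothing else is assumed about them.

```python
"""Parse fwbuilder-style iptables LOG lines and aggregate them per rule.

Example code for the post above, not part of Logwatch or fwbuilder.
"""
import re
from collections import Counter, defaultdict

# Syslog header, then the fwbuilder prefix "RULE <n> -- <Action> ", then
# the kernel's key=value fields.  The lazy .*? plus \s*$ discards the
# single trailing space the post notes on every line.
LINE_RE = re.compile(
    r'^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+'
    r'(?P<host>\S+)\s+kernel:\s+RULE\s+(?P<rule>\d+)\s+--\s+(?P<action>\w+)\s+'
    r'(?P<fields>.*?)\s*$'
)

# Tokens the kernel emits without '=' (DF, SYN, ...).  Anything else
# without '=' is ignored rather than guessed at.
FLAG_TOKENS = {'DF', 'MF', 'CE', 'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG'}


def parse_line(line):
    """Return a dict for a RULE line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {k: m.group(k) for k in ('month', 'day', 'time', 'host', 'action')}
    rec['rule'] = int(m.group('rule'))
    rec['flags'] = set()
    for tok in m.group('fields').split():
        if '=' in tok:
            key, val = tok.split('=', 1)   # "OUT=" yields an empty value
            # UDP and ICMP lines repeat LEN/ID for the inner header; the
            # first occurrence belongs to the IP header and is the one kept.
            rec.setdefault(key, val)
        elif tok in FLAG_TOKENS:
            rec['flags'].add(tok)
    return rec


def service(rec):
    """Name the target the way a report would group it."""
    proto = rec.get('PROTO', '?')
    if proto in ('TCP', 'UDP'):
        return '%s/%s' % (proto, rec.get('DPT', '?'))
    if proto == 'ICMP':
        return 'ICMP type %s code %s' % (rec.get('TYPE', '?'), rec.get('CODE', '?'))
    return proto


def aggregate(lines):
    """Count matches per (rule, action), per service, and per source per service."""
    by_rule = Counter()
    by_service = Counter()
    sources = defaultdict(Counter)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_rule[(rec['rule'], rec['action'])] += 1
        svc = service(rec)
        by_service[svc] += 1
        sources[svc][rec.get('SRC', '?')] += 1
    return {'by_rule': by_rule, 'by_service': by_service,
            'sources': sources, 'skipped': skipped}


def report(summary):
    """Render the summary as text lines in the style of a nightly report."""
    out = []
    for (rule, action), n in sorted(summary['by_rule'].items()):
        out.append('Rule %d (%s): %d packet(s)' % (rule, action, n))
    for svc, n in summary['by_service'].most_common():
        out.append('  %s: %d packet(s)' % (svc, n))
        for src, k in summary['sources'][svc].most_common():
            out.append('    from %s: %d' % (src, k))
    return out


SAMPLE = [
    # The three lines from the post, rejoined onto single lines.
    'May 13 00:28:46 obi-wan kernel: RULE 8 -- Deny IN=eth1 OUT= MAC=00:03:47:6b:c3:4f:00:10:67:00:b1:be:08:00 SRC=172.128.124.210 DST=64.174.255.162 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=27629 DF PROTO=TCP SPT=3404 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0 ',
    'May 13 14:14:39 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0 SRC=223.1.1.128 DST=10.25.1.51 LEN=261 TOS=0x00 PREC=0x00 TTL=127 ID=18046 PROTO=UDP SPT=138 DPT=138 LEN=241 ',
    'May 13 14:32:38 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0 SRC=192.9.200.247 DST=10.25.170.94 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=51904 PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=9728 ',
    # Constructed for this example: a second probe of the same TCP port from
    # another source, and an unrelated kernel message the filter must skip.
    'May 13 01:02:03 obi-wan kernel: RULE 8 -- Deny IN=eth1 OUT= MAC=00:03:47:6b:c3:4f:00:10:67:00:b1:be:08:00 SRC=192.0.2.77 DST=64.174.255.162 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1 DF PROTO=TCP SPT=1234 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0 ',
    'May 13 01:02:04 obi-wan kernel: eth1: link is up',
]

if __name__ == '__main__':
    for text in report(aggregate(SAMPLE)):
        print(text)
```

Two details matter when turning this into a Logwatch filter: the prefix regexp must tolerate the empty `OUT=` and `MAC=` values that appear on input-chain matches, and the second `LEN=`/`ID=` on UDP and ICMP lines must not overwrite the IP-header values, which is why the parser keeps the first occurrence of each key.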