[Logwatch-Devel] iptables, fwbuilder

Kenneth Porter shiva@well.com
13 May 2002 14:52:37 -0700

Has anyone done some work to add iptables filters to logwatch? I've just
converted my ipchains rules to iptables and of course I no longer get
firewall probe reports in the nightly report.

I'm using a firewall built by fwbuilder (http://www.fwbuilder.org/). It
allows one to specify the log message to prefix each rule match with.
All matches jump to some chain that logs the match and then performs an
accept/reject/drop. The default log prefix comprises the "rule number"
from fwbuilder and the action.

Perhaps someone could help with regexps to collect the log lines. I
can then cook up some logic to aggregate them.

Here's an example for TCP:

May 13 00:28:46 obi-wan kernel: RULE 8 -- Deny IN=eth1 OUT=
MAC=00:03:47:6b:c3:4f:00:10:67:00:b1:be:08:00 SRC=
DST= LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=27629 DF
PROTO=TCP SPT=3404 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0 

Here's one for UDP:

May 13 14:14:39 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0
SRC= DST= LEN=261 TOS=0x00 PREC=0x00 TTL=127
ID=18046 PROTO=UDP SPT=138 DPT=138 LEN=241 

Here's one for ICMP:

May 13 14:32:38 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0
SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=51904 PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=9728 

It appears that all 3 examples end with a single space.
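One way to do the collection and aggregation the post asks for, as an added example that is not from this list or from Logwatch (whose filters are Perl; this is Python for illustration): a parser for the "RULE n -- Action" lines quoted above, handling the empty OUT=/SRC=/DST= values, the bare DF/SYN flags, and the repeated LEN/ID keys in the UDP and ICMP lines, plus a per-rule summary. The sample lines and addresses it is fed are constructed for the example.

```python
import re
from collections import Counter

# fwbuilder's default prefix, as quoted in the post: "RULE <n> -- <Action> " then the kernel's fields.
HEADER_RE = re.compile(r"kernel: RULE (?P<rule>\d+) -- (?P<action>\w+) (?P<rest>.*)$")
# Either KEY=value (value may be empty, e.g. "OUT=") or a bare flag such as DF or SYN.
TOKEN_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)|(?P<flag>[A-Z]+)")

def parse_line(line):
    """Return a dict for one fwbuilder/iptables log line, or None if the line is not one."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    rec = {"rule": int(m.group("rule")), "action": m.group("action"), "flags": []}
    for t in TOKEN_RE.finditer(m.group("rest")):
        if t.group("flag") is not None:
            rec["flags"].append(t.group("flag"))
            continue
        key, val = t.group("key"), t.group("val")
        # LEN and ID appear twice in UDP/ICMP lines: first for the IP header, then for
        # the transport header. Keep the second copy under a suffixed key (LEN2, ID2).
        if key in rec:
            key += "2"
        rec[key] = val
    return rec

def summarize(lines):
    """Count hits per (rule, action, protocol, dest port or ICMP type), skipping non-firewall lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proto = rec.get("PROTO", "?")
        target = rec.get("DPT", "-") if proto in ("TCP", "UDP") else rec.get("TYPE", "-")
        counts[(rec["rule"], rec["action"], proto, target)] += 1
    return counts

def report(counts):
    """Render the summary in a Logwatch-style block (one line per rule/proto/port)."""
    return "\n".join(f"Rule {r:>3} {a:<6} {p:<4} {t:>6}: {n} packet(s)"
                     for (r, a, p, t), n in sorted(counts.items()))

# Constructed sample lines in the format quoted in the post (addresses from the 192.0.2.0/24 test range).
SAMPLE = [
    "May 13 00:28:46 obi-wan kernel: RULE 8 -- Deny IN=eth1 OUT= MAC=00:03:47:6b:c3:4f:00:10:67:00:b1:be:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=27629 DF PROTO=TCP SPT=3404 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0 ",
    "May 13 14:14:39 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0 SRC=192.0.2.20 DST=192.0.2.255 LEN=261 TOS=0x00 PREC=0x00 TTL=127 ID=18046 PROTO=UDP SPT=138 DPT=138 LEN=241 ",
    "May 13 14:32:38 obi-wan kernel: RULE 4 -- Deny IN=eth0 OUT=eth0 SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=51904 PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=9728 ",
    "May 13 14:33:00 obi-wan sshd[812]: Accepted publickey for user from 192.0.2.30",
]

if __name__ == "__main__":
    print(report(summarize(SAMPLE)))
```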