Configuring IPtables

IPtables is a powerful tool, which is used to create rules on the Linux® kernel firewall for routing traffic.

About this task

To configure IPtables, you must examine the existing rules, modify the rule to log the event, and assign a log identifier to your IPtables rule that can be identified by IBM® QRadar®. This process is used to determine which rules are logged by QRadar. QRadar includes any logged events that include the words: accept, drop, reject, or deny in the event payload.

Procedure

  1. Using SSH, log in to your Linux Server as a root user.
  2. Edit the IPtables rules file, for example:

    /etc/iptables.conf

    Note: The file that contains the IPtables rules varies according to the Linux operating system you are configuring. For example, Red Hat Enterprise Linux stores the rules in the file /etc/sysconfig/iptables. Consult your Linux operating system documentation for more information about configuring IPtables.
  3. Review the file to determine the IPtables rule you want to log.

    For example, if you want to log the rule that is defined by the following entry (the --dport match requires a protocol, so -p tcp is included):

    -A INPUT -i eth0 -p tcp --dport 31337 -j DROP

  4. Insert a copy of the rule immediately before each rule you want to log:

    -A INPUT -i eth0 -p tcp --dport 31337 -j DROP

    -A INPUT -i eth0 -p tcp --dport 31337 -j DROP

  5. Update the target of the new rule to LOG for each rule you want to log. For example:

    -A INPUT -i eth0 -p tcp --dport 31337 -j LOG

    -A INPUT -i eth0 -p tcp --dport 31337 -j DROP

  6. Set the log level of the LOG target to a syslog priority level, such as info or notice:

    -A INPUT -i eth0 -p tcp --dport 31337 -j LOG --log-level info

    -A INPUT -i eth0 -p tcp --dport 31337 -j DROP

  7. Configure a log prefix to identify the rule behavior. Set the log prefix parameter to:

    Q1Target=<rule>

    Where <rule> is one of the following IPtables firewall actions: fw_accept, fw_drop, fw_reject, or fw_deny.

    For example, if the rule that is logged by the firewall targets dropped events, the log prefix setting is:

    Q1Target=fw_drop

    -A INPUT -i eth0 -p tcp --dport 31337 -j LOG --log-level info --log-prefix "Q1Target=fw_drop "

    -A INPUT -i eth0 -p tcp --dport 31337 -j DROP

    Note: You must have a trailing space before the closing quotation mark of the log prefix, otherwise the prefix runs into the rest of the kernel message and QRadar cannot parse it.
  8. Save and exit the file.
  9. Restart IPtables by using the following command (or the equivalent service command for your distribution):

    /etc/init.d/iptables restart

  10. Open the syslog.conf file (typically /etc/syslog.conf).
  11. Add the following line:

    kern.<log level>    @<IP address>

    Where:

    • <log level> is the log level you set on the LOG target.
    • <IP address> is the IP address of QRadar.
    • The selector and the action are separated by whitespace (a tab or spaces).
  12. Save and exit the file.
  13. Restart the syslog daemon by using the following command:

    /etc/init.d/syslog restart

    After the syslog daemon restarts, events are forwarded to QRadar. IPtables events that are forwarded from Linux servers are automatically discovered and displayed in the Log Activity tab of QRadar.
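The following POSIX shell script is an added example that is not part of the IBM documentation above; it automates steps 3 to 7 and 11 by generating, for every rule in an iptables-save style rules file, the LOG rule with the Q1Target prefix that QRadar expects, followed by the original rule, and by printing the syslog.conf forwarding line. The QRadar address 192.0.2.10, the sample rules, and the function names are constructed for this example. Because iptables has no native DENY target, only ACCEPT, DROP and REJECT are mapped to a prefix; rules that jump to other targets (user chains, RETURN) pass through unchanged.

```shell
#!/bin/sh
# Added example (not IBM's code): build QRadar-style LOG rules for iptables.
# Assumes rules are in iptables-save format with "-j TARGET" on each line.

# Map an iptables target to the Q1Target value QRadar recognises.
# fw_deny is documented by QRadar but has no native iptables target.
qradar_prefix_for_target() {
    case "$1" in
        ACCEPT) echo "fw_accept" ;;
        DROP)   echo "fw_drop" ;;
        REJECT) echo "fw_reject" ;;
        *)      return 1 ;;                 # unsupported target: caller decides
    esac
}

# Print the LOG rule (same match, QRadar prefix) followed by the original rule.
# $1 = rule line, $2 = syslog level for --log-level (default: info)
qradar_log_pair() {
    rule=$1
    level=${2:-info}
    rest=${rule##* -j }                      # text after the last " -j "
    target=${rest%% *}                       # first word of it, e.g. DROP
    match=${rule% -j *}                      # the rule without " -j TARGET..."
    prefix=$(qradar_prefix_for_target "$target") || return 1
    # The trailing space inside the prefix is required by QRadar.
    printf '%s -j LOG --log-level %s --log-prefix "Q1Target=%s "\n' \
        "$match" "$level" "$prefix"
    printf '%s\n' "$rule"
}

# syslog.conf selector that forwards kernel messages of one level to QRadar.
# $1 = log level (e.g. info), $2 = QRadar IP address
syslog_forward_line() {
    printf 'kern.%s\t@%s\n' "$1" "$2"
}

# Read a rules file on stdin; every ACCEPT/DROP/REJECT rule gets a LOG rule
# inserted in front of it, every other line is copied through unchanged.
# $1 = syslog level passed to qradar_log_pair
qradar_instrument_rules() {
    while IFS= read -r line; do
        case "$line" in
            -A*" -j "*) qradar_log_pair "$line" "$1" || printf '%s\n' "$line" ;;
            *)          printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample rules file to demonstrate the transformation.
sample_rules='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j RETURN
-A INPUT -i eth0 -p tcp --dport 31337 -j DROP
COMMIT'

printf '%s\n' "$sample_rules" | qradar_instrument_rules info
syslog_forward_line info 192.0.2.10   # 192.0.2.10 is a constructed QRadar address
```

Feed the script the output of iptables-save and redirect the result to the rules file from step 2 before restarting IPtables; the resulting LOG lines carry the "Q1Target=fw_<action> " prefix that lets QRadar classify each event.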