csf dynamic iptable logging

matthewdavis

I was looking for a way to use something other than the iptables analyzer (fwlogwatch) that csf provides. I found http://www.gege.org/iptables/, which allowed for multiple systems to populate a single db and pull reports from that db (search by port, by host, top offending hosts, etc.). I found it was much easier to hack csf's code to match up with what iptables_logger expected. So provided below are the steps I took to allow you to specify the --log-prefix csf uses.

1 - Add the following to csf.conf, as these are where you define what is written to syslog:

TCP_IN_LOG_TEXT = "'[IPTABLES TCP_IN] '"
TCP_OUT_LOG_TEXT = "'[IPTABLES TCP_OUT] '"
UDP_IN_LOG_TEXT = "'[IPTABLES UDP_IN] '"
UDP_OUT_LOG_TEXT = "'[IPTABLES UDP_OUT] '"
ICMP_IN_LOG_TEXT = "'[IPTABLES ICMP_IN] '"
ICMP_OUT_LOG_TEXT = "'[IPTABLES ICMP_OUT] '"
BLOCK_LIST_TEXT = "'[IPTABLES BLOCK_LIST] '"

2 - Apply the following patch to csf.pl.

Code:
--- csf.pl.orig 2006-11-12 02:52:05.000000000 -0500
+++ csf.pl      2006-11-12 02:24:09.000000000 -0500
@@ -169,13 +169,13 @@
                        &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -m limit --limit 30/m --limit-burst 5 -j ULOG --ulog-nlgroup 1 --ulog-prefix 'ConfigServer Firewall'");
                        if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j ULOG --ulog-nlgroup 1 --ulog-prefix 'IP Block List'");}
                } else {
-                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '");
-                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_OUT Blocked* '");
-                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *UDP_IN Blocked* '");
-                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *UDP_OUT Blocked* '");
-                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -i $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *ICMP_IN Blocked* '");
-                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -o $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *ICMP_OUT Blocked* '");
-                       if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *BLOCK_LIST* '");}
+                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{TCP_IN_LOG_TEXT}");
+                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{TCP_OUT_LOG_TEXT}");
+                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{UDP_IN_LOG_TEXT}");
+                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{UDP_OUT_LOG_TEXT}");
+                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -i $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{ICMP_IN_LOG_TEXT}");
+                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -o $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{ICMP_OUT_LOG_TEXT}");
+                       if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{BLOCK_LIST_TEXT}");}
                }
        }
        if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -j DROP");}
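Review bot: the `+` lines interpolate `$config{TCP_IN_LOG_TEXT}` and friends into the shell command with no quoting of their own, so the change only works because the csf.conf values from step 1 carry embedded single quotes; an unquoted value containing a space, or a key that is missing from csf.conf, produces a malformed iptables command (`--log-prefix` with only the first word, or with no argument at all). Suggest falling back to the previous literal when the key is unset, e.g. `my $prefix = $config{TCP_IN_LOG_TEXT} || "'Firewall: *TCP_IN Blocked* '";`, and documenting that the LOG target accepts prefixes of at most 29 characters. Also, the unchanged ULOG branch above (`--ulog-prefix 'ConfigServer Firewall'` and `'IP Block List'`) keeps its hard-coded prefixes, so the new settings silently have no effect when ULOG logging is enabled.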
This doesn't break fwlogwatch, as fwlogwatch doesn't care what the --log-prefix is. But iptables_logger does. Maybe this will be helpful in using other firewall scripts too. I'll also see if chirpy thinks this would be reasonable to include in the main csf distro.
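As an added example (not code from the post, csf, or iptables_logger), a small Python parser for the kernel LOG lines that carry the step-1 prefixes, producing the per-prefix "top offending hosts by port" view the post is after. The syslog lines, host name and addresses are constructed; the stock csf prefix on the last line shows why the analyzer depends on the prefix text.

```python
import re
from collections import Counter

# The LOG target prepends the --log-prefix text, so each kernel line looks like
# "kernel: [IPTABLES TCP_IN] IN=eth0 OUT= SRC=... DST=... PROTO=TCP ... DPT=22".
# The optional "[ 123.456]" group absorbs a dmesg-style kernel timestamp.
PREFIX_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\]\s*)?\[IPTABLES (?P<kind>[A-Z_]+)\] (?P<fields>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; flags like DF/SYN are skipped

# The prefix classes defined in csf.conf in step 1 of the post.
KNOWN_KINDS = {"TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT", "ICMP_IN", "ICMP_OUT", "BLOCK_LIST"}


def parse_line(line):
    """Return a dict (kind plus the LOG fields) for a csf-prefixed line, else None."""
    m = PREFIX_RE.search(line)
    if not m or m.group("kind") not in KNOWN_KINDS:
        return None
    rec = {"kind": m.group("kind")}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val
    return rec


def top_offenders(lines, kind="TCP_IN", n=3):
    """Count (SRC, DPT) pairs for one prefix class, most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == kind and "SRC" in rec:
            counts[(rec["SRC"], rec.get("DPT", "-"))] += 1
    return counts.most_common(n)


# Constructed sample syslog lines (documentation addresses, made-up host "web1").
SAMPLE_LOG = [
    "Nov 12 02:55:01 web1 kernel: [IPTABLES TCP_IN] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4321 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 12 02:55:03 web1 kernel: [IPTABLES TCP_IN] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4322 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 12 02:55:07 web1 kernel: [IPTABLES TCP_IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Nov 12 02:55:09 web1 kernel: [IPTABLES UDP_IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=51 ID=778 PROTO=UDP SPT=5353 DPT=53",
    "Nov 12 02:55:12 web1 kernel: [IPTABLES BLOCK_LIST] IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    # Stock csf prefix: not recognised, which is the problem the patch fixes.
    "Nov 12 02:55:15 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1 DPT=22",
]

if __name__ == "__main__":
    for kind in ("TCP_IN", "UDP_IN", "BLOCK_LIST"):
        print(kind, top_offenders(SAMPLE_LOG, kind))
```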
 

chirpy

Thanks for this. I did look at that stats logger but decided on the more simplistic approach with fwlogwatch. I'll look at including your instructions in the documentation and the mod into the base code for the log prefixes :)