iptables-parser/Readme.md
2023-10-27 00:52:12 +07:00

1.7 KiB

Iptables Log parser

Features

Parse IPtables

...

Plot

  • Plotly ( HTML return )
  • Plotly Dash ( Interactive )

How To

Setup

  1. Enable the custom logging template on /etc/rsyslog.conf as follows.

    template(name="MyIptablesTimestampFormat" type="string" string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")
    if $msg startswith 'iptables:' then {
        action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat")
        stop
    }
    
  2. Make sure your iptables rules are inline with the condition you use on rsyslog.conf. As example my iptables log file starts with iptables: string so my rsyslog.conf condition is ...startswith 'iptables:'....

    iptables -A FORWARD -s 10.30.1.94/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere "
    iptables -A FORWARD -s 10.30.1.70/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL "
    iptables -A FORWARD -s 10.30.1.52/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo "
    iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "
    

Build

mkdir lib
#Compile the library
make parse_lib.so

Execute

 ./wrapper.py

Structure

wrapper.py

Reads, iptables.log and calls the lib/parser_lib.so. Feed the parser library with lines from iptables log.

lib/parser_lib.so

Process the sed like operation on the line by line feeded by wrapper.py.

Current parsed values are :

  • TimeStamp
  • Source IP
  • Destination IP
  • Packet Length
  • Interface IN
  • Interface OUT
  • Protocol