Michael Rash, Security Researcher

psad iptables Policy Configuration

The main requirement for an iptables policy to be compatible with psad is simply that iptables logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG
The rules above should be added at the end of the INPUT and FORWARD chains after all ACCEPT rules for legitimate traffic and just before a corresponding DROP rule for traffic that is not to be allowed through the policy. Note that iptables policies can be quite complex with protocol, network, port, and interface restrictions, user defined chains, connection tracking rules, and much more. There are many pieces of software such as Shorewall and Firewall Builder, that build iptables policies and take advantage of the advanced filtering and logging capabilities offered by iptables. Generally the policies built by such pieces of software are compatible with psad since they specifically add rules that instruct iptables to log packets that are not part of legitimate traffic. Psad can be configured to only analyze those iptables messages that contain specific log prefixes (which are added via the --log-prefix option), but the default as of version 1.3.2 is for psad to analyze all iptables log messages for port scans, probes for backdoor programs, and other suspect traffic. See the list of features offered by psad for more information.

By default, psad just parses the /var/log/messages file where iptables writes log data via klogd. If your system send iptables log data to a different file, you can set this via the IPT_SYSLOG_FILE variable in the /etc/psad/psad.conf file. Some older versions of psad used a different strategy for acquiring iptables log data by reconfiguring syslog to write all messages to a named pipe that is setup by psad. Although psad still supports this, it should be considered deprecated. The default is to set ENABLE_SYSLOG_FILE to "Y" in the psad.conf file, which tells psad to just parse /var/log/messages directly.

More information on psad configuration can be found within the syslog configuration guide.