iptables Policy Configuration
The main requirement for a Netfilter policy to be compatible with psad is simply that Netfilter logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG
The rules above should be added at the end of the INPUT and FORWARD chains
after all ACCEPT rules for legitimate traffic and just before a corresponding
DROP rule for traffic that is not to be allowed through the policy. Note that
Netfilter policies can be quite complex with protocol, network, port, and
interface restrictions, user defined chains, connection tracking rules, and
much more. There are many pieces of software such as
Shorewall and
Firewall Builder, that build Netfilter
policies and take advantage of the advanced filtering and logging capabilities
offered by Netfilter. Generally the policies built by such pieces of software
are compatible with psad since they specifically add rules that instruct
Netfilter to log packets that are not part of legitimate traffic. Psad can be
configured to only analyze those Netfilter messages that contain specific
log prefixes (which are added via the --log-prefix option), but
the default as of version 1.3.2 is for psad to analyze all Netfilter log messages
for port scans, probes for backdoor programs, and other suspect traffic. See the
list of features offered by psad for more
information.
In addition, it should be noted that in order for psad to acquire Netfilter log data via the above strategy, syslog needs to be configured to write all kern.info messages to a named pipe that is setup by psad. More information on this can be found within the syslog configuration guide.
