cipherdyne.org

Michael Rash, Security Researcher



psad iptables Policy Configuration

The main requirement for an iptables policy to be compatible with psad is simply that iptables logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG
The rules above should be added at the end of the INPUT and FORWARD chains, after all ACCEPT rules for legitimate traffic and just before the corresponding DROP rule for traffic that is not to be allowed through the policy. Note that iptables policies can be quite complex, with protocol, network, port, and interface restrictions, user-defined chains, connection tracking rules, and much more. There are many pieces of software, such as Shorewall and Firewall Builder, that build iptables policies and take advantage of the advanced filtering and logging capabilities offered by iptables. Generally the policies built by such software are compatible with psad, since they specifically add rules that instruct iptables to log packets that are not part of legitimate traffic. Psad can be configured to analyze only those iptables messages that contain specific log prefixes (which are added via the --log-prefix option), but the default as of version 1.3.2 is for psad to analyze all iptables log messages for port scans, probes for backdoor programs, and other suspect traffic. See the list of features offered by psad for more information.
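As an added example (not from the psad documentation), the script below builds such a policy for the INPUT and FORWARD chains and then checks an iptables-save dump for the ordering described above: a LOG rule after every ACCEPT rule and immediately before a DROP rule. The "PSAD " log prefix and the accepted ports are assumptions; IPT defaults to "echo iptables" so the rules are only printed unless you set IPT=iptables and run as root.

```shell
#!/bin/sh
IPT="${IPT:-echo iptables}"

build_policy() {
    # Legitimate traffic first (assumed: loopback, established flows, SSH, HTTP).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    # Log whatever was not accepted, then drop it. The prefix (assumed "PSAD ")
    # is what psad can key on when it is restricted to specific log prefixes.
    $IPT -A INPUT -j LOG --log-prefix "PSAD "
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "PSAD "
    $IPT -A FORWARD -j DROP
}

# check_chain CHAIN < iptables-save-output
# Prints "ok" when CHAIN has a LOG rule placed after its last ACCEPT rule and
# followed by a DROP rule; otherwise prints what is wrong with the ordering.
check_chain() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++; target = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if (target == "ACCEPT") last_accept = n
            if (target == "LOG" && !log_pos) log_pos = n
            if (target == "DROP" && log_pos && !drop_pos) drop_pos = n
        }
        END {
            if (!log_pos) { print "no LOG rule in " chain; exit }
            if (last_accept > log_pos) { print "ACCEPT after LOG in " chain; exit }
            if (!drop_pos) { print "no DROP after LOG in " chain; exit }
            print "ok"
        }'
}

# Constructed iptables-save excerpt (not a real dump) to exercise the check:
# INPUT is ordered correctly, FORWARD drops without logging.
SAMPLE_DUMP='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "PSAD "
-A INPUT -j DROP
-A FORWARD -j DROP'

build_policy
printf '%s\n' "$SAMPLE_DUMP" | check_chain INPUT     # ok
printf '%s\n' "$SAMPLE_DUMP" | check_chain FORWARD   # no LOG rule in FORWARD
```

On a live system, run `iptables-save | check_chain INPUT` (and FORWARD) after loading the policy to confirm the LOG rule has not been pushed after a later ACCEPT or past the DROP.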

By default, psad just parses the /var/log/messages file where iptables writes log data via klogd. If your system sends iptables log data to a different file, you can set this via the IPT_SYSLOG_FILE variable in the /etc/psad/psad.conf file. Some older versions of psad used a different strategy for acquiring iptables log data by reconfiguring syslog to write all kern.info messages to a named pipe that is set up by psad. Although psad still supports this, it should be considered deprecated. The default is to set ENABLE_SYSLOG_FILE to "Y" in the psad.conf file, which tells psad to parse /var/log/messages directly.

More information on psad configuration can be found within the syslog configuration guide.