Name

syslog2iptables — a simple adaptive firewall

Synopsis

syslog2iptables [-c] [-d n]

Description

syslog2iptables is a simple adaptive firewall. It maintains the INPUT chain of the iptables(1) firewall set based on syslog entries. These syslog entries are typically generated by your hardware firewall, but they could come from any source. Any syslog entry that contains a host name or ip address can be used as input to this package.

The syslog2iptables.conf(5) file specifies the syslog files to be monitored, and the regular expressions (regex(7)) to be applied to new lines in those files. Each regular expression needs an INDEX to specify the matching substring that contains either an ip address or host name, and a DELTA which is used to modify the leaky bucket count for that ip address when a matching line is read from that syslog file.

If the DELTA is negative, the leaky bucket count is set to that DELTA value, any existing blocking for that ip address is removed, and new blocking is prevented until that bucket leaks upward to zero.

If the DELTA is positive and the current leaky bucket count is not negative, that DELTA value is added to the leaky bucket count for that ip address. Once the bucket contains more than a configurable THRESHOLD number of tokens, that ip address is added to the INPUT chain with a DROP target.

Each ip address has an associated leaky bucket, which leaks one token per second so the count moves toward zero. When the bucket is drained to zero, that ip address is removed from the INPUT chain.

The discussion has focused on syslog files, but any ascii text file can be used, so long as some other process appends lines to that file, and those lines containing hostname or ip addresses can be matched with some regular expression.

Considering syslog files in particular, these are normally rotated via logrotate. syslog2iptables properly detects and handles this case by closing the old file, and reopening the newly created file.

With the default config file, you can manually unblock an ip address with logger -p authpriv.info "manual unblock 1.2.3.4" and you can manually block an ip address with logger -p authpriv.info "manual block 1.2.3.4"

Options

-c

Load the configuration file, print a cannonical form of the configuration on stdout, and exit.

-d n

Set the debug level to n.

Usage

syslog2iptables -d 2

Configuration

The configuration file is documented in syslog2iptables.conf(5). Any change to the config file will cause it to be reloaded within three minutes.

TODO

The following ideas are under consideration.

Add a configuration option for the iptables table name in the pattern statement. This implies handling multiple tables, so each table needs its own map of ip addresses and bucket values.

Copyright

Copyright (C) 2007 by 510 Software Group <carl@five-ten-sg.com>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version.

You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, please write to the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.

Version

1.19