Skip to content
Fetching contributors…
Cannot retrieve contributors at this time
24 lines (21 sloc) 1.43 KB
The main requirement for an iptables configuration to be compatible with psad
is simply that iptables logs packets. This is commonly accomplished by adding
rules to the INPUT and FORWARD chains like so:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
The rules above should be added at the end of the INPUT and FORWARD chains
after all ACCEPT rules for legitimate traffic and just before a corresponding
DROP rule for traffic that is not to be allowed through the policy. Note that
iptables policies can be quite complex with protocol, network, port, and
interface restrictions, user defined chains, connection tracking rules, and
much more. There are many pieces of software such as Shorewall and Firewall
Builder, that build iptables policies and take advantage of the advanced
filtering and logging capabilities offered by iptables. Generally the policies
built by such pieces of software are compatible with psad since they
specifically add rules that instruct iptables to log packets that are not part
of legitimate traffic. Psad can be configured to only analyze those iptables
messages that contain specific log prefixes (which are added via the
--log-prefix option), but the default as of version 1.3.2 is for psad to
analyze all iptables log messages for port scans, probes for backdoor
programs, and other suspect traffic. See the list of features offered by psad
for more information (
Something went wrong with that request. Please try again.