iptables (execute script, log to RDMS/ NoSQL, DPI, NGFirewall etc.)
“how to execute script before/after iptables rules match”. Some reply is there which is not satisfied me. Most reply is jump traffic to LOG target with specific prefix and read syslog in while. This will cause high IO, iptables rules cannot make depend on this logging process processing also.
To answer this question, I would like to share some notes about nfqueue.
NFQUEUE is an iptables and iptables target which delegate the decision on packets to a user space software.
So, it means we can send request from L3/L4 to L7 and process it with known application programming languages (Python, NODE.js, Java, etc.)
What we can do (for example) :
> Execute some script before or after iptables rules match
> DROP or ACCEPT package in user space programming.
> Direct write iptables LOG to any database.
> Provide API to developer for some act some rules (SDN).
> Firewall L7, DPI (Deep package inspection), etc.
Let’s do some of them with python programming. I will use scapy lib which is most strong lib for manipulate TCP/IP.
1. For example. I will send email if someone will send request to port 5555.
Step1. Create basic script email.py (replace username, password, remote email accordingly)
Step2. Create python package to access network packets and execute script in condition
Step3. Send package to NFQUEUE/queue num=1 with iptables
Step4. And start python script
Step5. Send data from network to remote server over 5555 ports
1. For example. I will log some information from request to SQLite. (you can use MySQL, PostgreSQL, MongoDB, etc.)
Step1. Create database in SQLite. In our case I will store only source and destination IP port information.
Step2. Prepare script. I will use same python script by adding small lines
Step4. Again, start script in queue number 1 and try to send network request.
Step5. Check database
1. Provide API to developer for some act some rules (lightweight SDN)
Surely you can do this part with any programming language by CGI interface. But in this case system administrator should provide root access to python script. And python script will get full access to iptables.
Of course, NFQUEU lib also require root privilege. But system administrator can control which package need to send NFQUEUE, which don’t.
2. DPI (Deep Package Inspection), IPS/IDS, etc.
By using Python scapy library you can manipulate packet payload. Scapy support reach protocol decoder which is very easy to use. So, you can develop your own Application firewall (for example LAF (Linux Application Firewall), IDS/IPS, like SURICATA inline mode.
NOTE: All above cases can be extended based on your idea. Like if some unwanted access happen let script send you URL to approve access. After yours confirm email script will do some act or if some IP address traffic will exceed threshold then call Linux tc (traffic controller) to decrease bandwidth etc.