ipta – IPTables log analyzer

What it is

ipta is a simple yet powerful log analyzer for iptables. It requires the following in order to be used:

  • iptables should be set up to log through syslog to a text file
  • certain "actions" are added by the iptables rules to the log lines to distinguish between accepted, dropped, invalid and so on
  • ipta is installed on your system
  • you have access to a MySQL database, preferably on the local machine for speed

Manual

The manual is distributed as LaTeX source and as a PDF. The PDF can be read as-is; the LaTeX is the source used to make the PDF. Normally the user does not need to build it, so that part is split into separate make files.

Binaries

Pre-made binaries are useful to get started quickly but are not included on the GitHub site. They can be downloaded from here as they are made available, but they will not be updated as often as the source on GitHub. Binaries will be updated on a release basis.

The following platforms are currently released as binaries:

  • Standard Linux 386 system
  • Standard Linux x86-64 system
  • Raspberry Pi 2

The 386 binary should work on pretty much any Linux system out there, since all 64-bit systems also run 32-bit code. The Raspberry Pi 2 binary should work just as well on the Raspberry Pi, Raspberry Pi B and B+, as it is the same Raspbian.

Find and download the release binaries together with the manual here.

ipta-binaries

Quickstart guide

The quickstart guide lists a few suggested commands to get you started quickly. The first one is the traditional after-the-event analyzer: it clears the database, imports the log file, runs the analysis with reverse DNS lookups and shows the top 25 entries of each summary:

ipta --clear --import /var/log/iptables.log --analyze --rdns --limit 25 | less

The second one is a real-time display of what is logged, except that it will not show any packets to or from the loopback interface 'lo', nor any packets that are logged through the ACCEPT chain:

ipta --follow /var/log/iptables.log --rdns --no-lo --no-accept
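The following is an added example, not ipta's own code, of what the two quickstart commands do in principle: parse kernel LOG-target lines from a syslog text file, keep the action prefix that the iptables rules add, optionally drop loopback traffic and the ACCEPT action (the equivalents of --no-lo and --no-accept), and summarize the rest with a row limit (the equivalent of --analyze --limit). The sample log lines and the prefix strings IPT-ACCEPT, IPT-DROP and IPT-INVALID are constructed for the example; the page only says that some action marker must be present, so adapt the prefixes to whatever your rules use with --log-prefix. Reverse DNS (--rdns) and MySQL storage are left out.

```python
import re
from collections import Counter

# Constructed sample input in the syslog form the kernel LOG target produces.
# The IPT-* prefixes are an assumption for this example; ipta only requires
# that the rules add some action marker, the exact string is up to you.
SAMPLE_LOG = """\
May 19 10:15:32 gw kernel: [1234.001] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 19 10:15:33 gw kernel: [1234.002] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May 19 10:15:34 gw kernel: [1234.003] IPT-ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 19 10:15:35 gw kernel: [1234.004] IPT-ACCEPT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
May 19 10:15:36 gw kernel: [1234.005] IPT-INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=1 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
May 19 10:15:37 gw kernel: [1234.006] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

# syslog timestamp, host, "kernel:", optional "[uptime]" stamp, the rule's
# log prefix (everything up to the first key=value field), then the fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>[^=]*?)\s*(?P<kv>IN=.*)$"
)


def parse_line(line):
    """Return a dict for one LOG-target line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # UDP lines repeat LEN; keep the IP-header one
        else:
            flags.append(tok)  # bare tokens such as DF, SYN, RST
    action = m.group("prefix").strip().rstrip(":").strip() or "UNKNOWN"
    return {"ts": m.group("ts"), "host": m.group("host"),
            "action": action, "fields": fields, "flags": flags}


def load_entries(text, exclude_ifaces=frozenset(), exclude_actions=frozenset()):
    """Parse a whole log text, dropping loopback traffic and/or actions on request."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None or e["action"] in exclude_actions:
            continue
        if e["fields"].get("IN") in exclude_ifaces or e["fields"].get("OUT") in exclude_ifaces:
            continue
        entries.append(e)
    return entries


def analyze(entries, limit=25):
    """Counts per action, top source addresses and top destination ports,
    each list truncated to `limit` rows."""
    by_action = Counter(e["action"] for e in entries)
    top_src = Counter(e["fields"].get("SRC") for e in entries).most_common(limit)
    top_dpt = Counter(
        (e["fields"].get("PROTO"), e["fields"].get("DPT"))
        for e in entries if "DPT" in e["fields"]
    ).most_common(limit)
    return {"by_action": dict(by_action), "top_src": top_src, "top_dpt": top_dpt}


if __name__ == "__main__":
    import sys
    # Usage: python ipta_example.py /var/log/iptables.log (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyze(load_entries(text, exclude_ifaces={"lo"},
                                  exclude_actions={"IPT-ACCEPT"}), limit=25)
    for section, rows in report.items():
        print(section, rows)
```

Keeping the prefix as a free-form string rather than a fixed list is what lets the same parser cope with whatever action names your rules log; the exclusion sets are where a policy such as "ignore loopback and accepted traffic" is expressed.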

Source code

The source code can be downloaded from GitHub where it is hosted for the moment. The manual contains more information on building your own and the toolchain needed to do so.

Latest release

To find the latest (or an earlier) release, go to this page and download the archive. This is only necessary if you need to build the code for a platform you do not already have a binary for.

https://github.com/sikvall/ipta/releases

Latest release is pre-stage V0.2 released 2015-05-19.

Development code base

To find the latest source for making your own "nightly build" or for contributing, look here; it will always have the latest code. This should always compile, but it may contain nasty bugs that have not yet been fixed, because it is development code and should be regarded as no more than a very early alpha.

Do not use this on your production network, only for development. Check back under releases for the last version that had any kind of quality control applied to it.

https://github.com/sikvall/ipta/

License

The license is a modified MIT license; the modification means that you are allowed to make any changes to the software except to the license, and you must retain the original credit, while you may add your own. The license in full is included in the documentation.
