Logging in iptables

Discussion in 'all things UNIX' started by Gullible Jones, Mar 2, 2013.

Thread Status:
Not open for further replies.
  1. Currently my custom iptables script looks like this:

    Code:
    
    ### Firewall config ###
    iptables-restore <<END
    *filter
    :INPUT DROP
    :OUTPUT DROP
    :FORWARD DROP
    [... rules to allow the network protocols I need ... ]
    -A INPUT -j LOG -m limit --limit 5/minute
    -A OUTPUT -j LOG -m limit --limit 5/minute
    -A FORWARD -j LOG -m limit --limit 5/minute
    COMMIT
    END
    ip6tables-restore <<END
    *filter
    [...]
    COMMIT
    END
    
    This works (at least for a desktop), but it's inflexible; it would be better if I could specify different log targets for things. What's the best way to do that? I spent some time looking through the iptables documentation, but the stuff on logging is a bit vague (or perhaps I'm a bit vague).
     
  2. Pedro
    Are you looking for a way to log to a different file?

    If so, it depends on your syslog. If you're using rsyslog, you can use iptables with something along the lines of
    Code:
    -j LOG --log-prefix "iptables: blah"
    so it is distinguishable, and then add a conf file for rsyslog like /etc/rsyslog.d/iptables.conf with
    Code:
    :msg, contains, "iptables: " -/var/log/your_path_to/iptables.log
    & ~
    to write those lines to your chosen file.

    All as an example only.
    rsyslog can use a "starts with" filter, but I couldn't make it work.

    Hope this helps.
     
  3. Thanks very much, though that wasn't what I was looking for...

    Basically I was thinking of having different "levels" of logging. e.g. DROP_LOG_HIGH might drop the packet and log it with a big fat WARNING prefix; or ACCEPT_LOG_LOW might accept the packet, but note it in the log anyway.
     
  4. Pedro
    So, just an easy-to-write target to use when writing rules?

    I can only think of creating chains, with those names, each with a log rule and/or a block rule.
     
  5. Found it; the answer is to use -N.

    Code:
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG -m limit --limit 5/minute
    iptables -A LOG_DROP -j DROP
    
    Edit: or

    Code:
    *filter
    ...
    # user-defined chain: "-" means no policy, [0:0] zeroes the counters
    :LOG_DROP - [0:0]
    -A LOG_DROP -j LOG -m limit --limit 5/minute
    -A LOG_DROP -j DROP
    ...
    
     
    Last edited by a moderator: Mar 6, 2013
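As an added example (not from the thread or any of its posters), here is a script in the style of the first post that combines the two answers: user-defined chains for the "levels" described in post 3 (DROP_LOG_HIGH, DROP_LOG_LOW, ACCEPT_LOG_LOW), each with its own --log-prefix and --log-level, plus the rsyslog drop-in from post 2 so that each prefix lands in its own file. The chain names follow the idea in post 3; the prefixes, rates, syslog levels, log paths, the allowed-traffic rules and the script file name mkfw.sh are assumptions made here, and the ip6tables ruleset the first post elided is left out.

```shell
#!/bin/sh
# Added example: generates (1) an iptables-restore ruleset with per-"level"
# logging chains and (2) an rsyslog drop-in that files each prefix separately.
# Chain names follow the thread; prefixes, syslog levels, rates, log paths and
# the allowed-traffic rules are this example's own choices.

# log_chain NAME VERDICT PREFIX LEVEL RATE
# Emits the two rules of one logging chain: a rate-limited LOG with its own
# prefix and syslog priority, then the terminal verdict. The limit match sits
# before LOG so it throttles only the logging, never the verdict.
log_chain() {
    name=$1 verdict=$2 prefix=$3 level=$4 rate=$5
    # The LOG target refuses --log-prefix values longer than 29 characters and
    # iptables-restore would then abort the whole load, so fail early here.
    if [ "${#prefix}" -gt 29 ]; then
        echo "log_chain: prefix longer than 29 characters for $name: \"$prefix\"" >&2
        return 1
    fi
    printf '%s -m limit --limit %s --limit-burst 10 -j LOG --log-prefix "%s" --log-level %s\n' \
        "-A $name" "$rate" "$prefix" "$level"
    printf '%s -j %s\n' "-A $name" "$verdict"
}

# Full IPv4 ruleset for iptables-restore. Chain declarations (":NAME - [0:0]")
# must all precede the rules, so they are listed up front. The trailing space
# in each prefix keeps it separate from the "IN=... OUT=..." fields the kernel
# appends. The ip6tables ruleset would be built the same way and is omitted.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DROP_LOG_HIGH - [0:0]
:DROP_LOG_LOW - [0:0]
:ACCEPT_LOG_LOW - [0:0]
EOF
    log_chain DROP_LOG_HIGH  DROP   "ipt DROP_HIGH: "  warning 1/second
    log_chain DROP_LOG_LOW   DROP   "ipt DROP_LOW: "   info    5/minute
    log_chain ACCEPT_LOG_LOW ACCEPT "ipt ACCEPT_LOW: " info    5/minute
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no tracked connection are worth a WARNING.
-A INPUT -m conntrack --ctstate INVALID -j DROP_LOG_HIGH
# New SSH sessions are allowed but noted at info level.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT_LOG_LOW
-A INPUT -j DROP_LOG_LOW
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -j DROP_LOG_LOW
# This host does not route, so anything in FORWARD is unexpected.
-A FORWARD -j DROP_LOG_HIGH
COMMIT
EOF
}

# rsyslog drop-in. "contains" rather than "startswith": the msg property of a
# kernel line often begins with a space or other text before the prefix, which
# is the usual reason a "starts with" filter on LOG output matches nothing.
# "& stop" ends processing of a matched line so it is not also written to the
# general syslog file (older rsyslog spells this "& ~").
build_rsyslog_conf() {
    cat <<'EOF'
# /etc/rsyslog.d/10-iptables.conf  (path and file names are this example's choice;
# rsyslog creates the directory itself as long as $CreateDirs is on, its default)
:msg, contains, "ipt DROP_HIGH: "  -/var/log/iptables/drop-high.log
& stop
:msg, contains, "ipt DROP_LOW: "   -/var/log/iptables/drop-low.log
& stop
:msg, contains, "ipt ACCEPT_LOW: " -/var/log/iptables/accept-low.log
& stop
EOF
}

# Usage:  sh mkfw.sh ruleset | sudo iptables-restore
#         sh mkfw.sh rsyslog | sudo tee /etc/rsyslog.d/10-iptables.conf
#         (then restart rsyslog)
case "${1:-}" in
    ruleset) build_ruleset ;;
    rsyslog) build_rsyslog_conf ;;
esac
```

--log-level sets the priority the kernel attaches to the message, so besides matching on the prefix, rsyslog can also route these lines by kern.warning versus kern.info. Because the limit match is on the LOG rule only, the DROP or ACCEPT that follows it is unconditional: throttled logging never changes the verdict.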