Logging in iptables

Discussion in 'all things UNIX' started by Gullible Jones, Mar 2, 2013.

Thread Status:
Not open for further replies.
  1. Currently my custom iptables script looks like this:

    Code:
    
    ### Firewall config ###
    iptables-restore <<END
    *filter
    :INPUT DROP
    :OUTPUT DROP
    :FORWARD DROP
    [... rules to allow the network protocols I need ... ]
    -A INPUT -j LOG -m limit --limit 5/minute
    -A OUTPUT -j LOG -m limit --limit 5/minute
    -A FORWARD -j LOG -m limit --limit 5/minute
    COMMIT
    END
    ip6tables-restore <<END
    *filter
    [...]
    COMMIT
    END
    
    This works (at least for a desktop), but it's inflexible; it would be better if I could specify different log targets for things. What's the best way to do that? I spent some time looking through the iptables documentation, but the stuff on logging is a bit vague (or perhaps I'm a bit vague).
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Are you looking for a way to log to a different file?

    If so, it depends on your syslog. If you're using rsyslog, you can use iptables with something along the lines of
    Code:
    -j LOG --log-prefix "iptables: blah"
    So it is distinguishable, and then add a conf file for rsyslog like /etc/rsyslog.d/iptables.conf with
    Code:
    :msg, contains, "iptables: " -/var/log/your_path_to/iptables.log
    & ~
    to write those lines to your chosen file.

    All as an example only.
    rsyslog can use a "starts with" filter but I couldn't make it work.

    Hope this helps.
     
  3. Thanks very much, though that wasn't what I was looking for...

    Basically I was thinking of having different "levels" of logging. e.g. DROP_LOG_HIGH might drop the packet and log it with a big fat WARNING prefix; or ACCEPT_LOG_LOW might accept the packet, but note it in the log anyway.
     
  4. Pedro

    So, just an easy-to-write target when writing rules?

    I can only think of creating chains, with those names, each with a log rule and/or a block rule.
     
  5. Found it, the answer is to use -N.

    Code:
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG -m limit --limit 5/minute
    iptables -A LOG_DROP -j DROP
    
    Edit: or

    Code:
    *filter
    ...
    :LOG_DROP - [0:0]
    -A LOG_DROP -j LOG -m limit --limit 5/minute
    -A LOG_DROP -j DROP
    ...
    
     
    Last edited by a moderator: Mar 6, 2013
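As an added example (not code from the thread), a POSIX shell script that generates the kind of "log-then-act" chains discussed above in iptables-restore syntax, each with its own log prefix, syslog level and rate limit; chain names, prefixes and the allow rules are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset with
# "log-then-act" chains, each with its own syslog prefix, level and rate limit.
# Chain names, prefixes and the allow rules are assumptions, chosen for illustration.

# log_chain_rules NAME ACTION PREFIX LEVEL RATE
# Emits the two rules of a custom chain: a rate-limited LOG (non-terminating),
# then the verdict. LOG prefixes are capped at 29 characters by iptables.
log_chain_rules() {
    name=$1; action=$2; prefix=$3; level=$4; rate=$5
    if [ ${#prefix} -gt 29 ]; then
        echo "log prefix too long (max 29): $prefix" >&2
        return 1
    fi
    printf '%s -m limit --limit %s --limit-burst 10 -j LOG --log-prefix "%s" --log-level %s\n' \
        "-A $name" "$rate" "$prefix" "$level"
    printf '%s -j %s\n' "-A $name" "$action"
}

# Whole *filter table in iptables-restore syntax. Chains are declared before
# any rule references them, as iptables-save does. A shared "FW " prefix lets
# an rsyslog filter such as  :msg, contains, "FW "  route everything to one file.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DROP_LOG_HIGH - [0:0]
:ACCEPT_LOG_LOW - [0:0]
EOF
    log_chain_rules DROP_LOG_HIGH  DROP   "FW WARNING drop: " warning 5/minute
    log_chain_rules ACCEPT_LOG_LOW ACCEPT "FW info accept: "  info    1/second
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT_LOG_LOW
-A INPUT -j DROP_LOG_HIGH
-A FORWARD -j DROP_LOG_HIGH
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Number of rules generated for a chain (handy for a sanity check before loading).
count_rules_for() { build_ruleset | grep -c "^-A $1 "; }

# Only touch the live firewall when explicitly asked; needs root.
if [ "${1:-}" = apply ]; then
    build_ruleset | iptables-restore
fi
```

Run it without arguments to review the generated table (or pipe it to `iptables-restore --test` on a recent iptables), and with `apply` to load it.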