IPTABLES logging (was: NTP, ntpdate and ISP-based firewall)

Don Levey fedora-list at the-leveys.us
Fri Mar 5 17:34:51 UTC 2004


The man page is my friend.  I am somewhat less confused than before (I
hope).

I was looking for info on how to log events; in particular, REJECT events.
The relevant portion of the man page is below.  I interpret this to mean
that I need two separate lines in my iptables file.  Therefore, instead of:
	...
	# HANMAIL.NET spammers
	-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
	-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
	...
I would need:
	...
	# HANMAIL.NET spammers
	-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
	-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
	-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
	-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
	...

To log all events of INFO or higher priority that meet those input criteria.
Have I got this right?
 -Don



 LOG
     Turn on kernel logging of matching packets.  When this option is set
     for a rule, the Linux kernel will print some information on all
     matching packets (like most IP header fields) via the kernel log (where
     it can be read with dmesg or syslogd(8)).  This is a "non-terminating
     target", i.e. rule traversal continues at the next rule.  So if you
     want to LOG the packets you refuse, use two separate rules with the
     same matching criteria, first using target LOG then DROP (or REJECT).

     --log-level level
            Level of logging (numeric or see syslog.conf(5)).

     --log-prefix prefix
            Prefix log messages with the specified prefix; up to 29  letters
            long, and useful for distinguishing messages in the logs.

     --log-tcp-sequence
            Log  TCP sequence numbers. This is a security risk if the log is
            readable by users.

     --log-tcp-options
            Log options from the TCP packet header.

     --log-ip-options
            Log options from the IP packet header.





