IPTABLES logging (was: NTP, ntpdate and ISP-based firewall)

Michael Kearey mutk at iprimus.com.au
Tue Mar 9 22:02:41 UTC 2004


Don Levey wrote:
> The man page is my friend.  I am somewhat less confused than before (I
> hope).
> 
> I was looking for info on how to log events; in particular, REJECT events.
> The relevant portion of the man page is below.  I interpret this to mean
> that I need two separate lines in my iptables file.  Therefore, instead of:
> 	...
> 	# HANMAIL.NET spammers
> 	-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
> 	-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
> 	...
> I would need:
> 	...
> 	# HANMAIL.NET spammers
> 	-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
> 	-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
> 	-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
> 	-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
> 	...
> 
> To log all events of INFO or higher priority that meet those input criteria.
> Have I got this right?

I think it is slightly different from how you have put it.

What happens is that the rules you give above *will* go to the INFO level 
of syslog, and it then depends on /etc/syslogd.conf whether the events are 
logged at all, i.e. syslogd.conf must be set up to log 'events of INFO 
or higher priority'.

I find that logging from iptables is ugly and difficult to read, 
especially when it all goes to /var/log/messages.

I tell anything at the kernel* level of syslog to be logged to a file, 
/var/log/kernelmessages, by modifying the kernel* line in 
/etc/syslogd.conf:

kern.*                             /var/log/kernelmessages


I then use a rule like:

  -A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j LOG --log-level debug --log-prefix "IPTABLES-REJECT: " --log-ip-options --log-tcp-options

There are other ways to achieve a similar thing BTW, by using a local 
unused syslog level perhaps.

Logging from iptables also tends to generate a big log file, so it may 
be helpful to add -m limit --limit 5 --limit-burst 10 as well. This 
will help prevent monster log files...

Cheers,
Michael
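As an added example (not part of Michael's or Don's messages), here is a small parser for the lines the LOG rule above writes once kern.* is routed to /var/log/kernelmessages, summarising rejected packets per source /16 and destination port. The log lines are constructed for the example and assume the "IPTABLES-REJECT: " prefix from Michael's rule; the hostname "gw" and addresses are made up.

```python
import re
from collections import Counter

LOG_PREFIX = "IPTABLES-REJECT:"          # prefix given to --log-prefix in the rule
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE tokens; bare flags (DF, SYN) are skipped

# Constructed sample of /var/log/kernelmessages: three LOG-target lines from the
# rule above and one unrelated kernel message. The MAC field is a made-up value.
SAMPLE_LOG = """\
Mar  9 21:58:02 gw kernel: IPTABLES-REJECT: IN=eth0 OUT= MAC=00:0c:29:3a:1b:7f:00:50:56:c0:00:08:08:00 SRC=61.78.12.34 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41812 DF PROTO=TCP SPT=44123 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 21:58:05 gw kernel: IPTABLES-REJECT: IN=eth0 OUT= MAC=00:0c:29:3a:1b:7f:00:50:56:c0:00:08:08:00 SRC=61.79.200.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9921 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 21:58:06 gw kernel: IPTABLES-REJECT: IN=eth0 OUT= MAC=00:0c:29:3a:1b:7f:00:50:56:c0:00:08:08:00 SRC=61.78.99.1 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=100 PROTO=UDP SPT=1234 DPT=123 LEN=20
Mar  9 21:58:07 gw kernel: eth0: link up, 100Mbps, full-duplex
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target line, or None when the
    line is not a kernel message carrying our prefix."""
    marker = f" kernel: {LOG_PREFIX} "
    if marker not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split(marker, 1)[1]):
        # UDP/ICMP lines carry LEN twice (IP header, then transport header);
        # setdefault keeps the first, i.e. the IP total length.
        fields.setdefault(key, value)
    return fields


def summarise(log_text):
    """Count rejected packets per source /16 and per PROTO/DPT."""
    per_net, per_port = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        a, b, *_ = fields["SRC"].split(".")
        per_net[f"{a}.{b}.0.0/16"] += 1
        per_port[f"{fields['PROTO']}/{fields.get('DPT', '-')}"] += 1
    return per_net, per_port


if __name__ == "__main__":
    nets, ports = summarise(SAMPLE_LOG)
    for net, n in nets.most_common():
        print(f"{net:<16} {n} rejected")
    for port, n in ports.most_common():
        print(f"{port:<16} {n} rejected")
```

With -m limit in front of the LOG rule, counts from this log are a lower bound, since packets over the limit are rejected without being logged.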
