Logging denied packets (iptables)
John Summerfield
debian at herakles.homelinux.org
Wed Oct 17 23:38:51 UTC 2007
Mike Wohlgemuth wrote:
> On Wed, October 17, 2007 2:05 pm, Ashley M. Kirchner wrote:
>> One of our offices has several network ranges blocked in iptables
>> (essentially '-A INPUT -s www.xxx.yyy.zzz/aa -j DROP'). What I'd like
>> to do is create a log entry each time a packet is dropped, IF it matches
>> any of those networks. I think I need to assign all of those networks
>> to a "group" and then log dropped packets from that group only. And
>> while I realize this might have other ramifications, such as logs
>> growing exponentially, for now we're taking small steps. Later on I can
>> then look for things like logging the same IP only once...
>>
>> So how do I tell iptables to create a group or name, or whatever
>> it's called for those ranges, and then log dropped packets from those
>> ranges only?
>
> Here's what I do:
>
> -N LOGDROP
> -A LOGDROP -j LOG --log-prefix "$IPTABLES drop:"
> -A LOGDROP -j DROP
Please, don't use all caps for user chains. The documentation says not
to, because it may conflict with future netfilter names.
>
> Then you can add lines for the things you want logged like this:
>
> -A INPUT -s www.xxx.yyy.zzz/aa -j LOGDROP
>
> I tend to use LOGDROP, rather than DROP, for everything I drop, except for
> some really common things.
>
> Mike
>
>
--
Cheers
John
Please do not reply off-list
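An added example (not from either poster) that generates the log-then-drop chain discussed above in iptables-restore format, using a lowercase chain name as John recommends. The "-m limit" rate limit and the 29-character prefix check are assumptions added here to address Ashley's concern about log growth; they are not in the thread.

```shell
#!/bin/sh
# gen_logdrop_rules CHAIN PREFIX NET...
# Emit an iptables-restore ruleset: CHAIN logs (rate limited) and drops,
# and every NET given gets an INPUT rule that jumps to CHAIN.
gen_logdrop_rules() {
    chain=$1; prefix=$2; shift 2
    # Refuse all-caps chain names (reserved for future netfilter targets).
    case $chain in
        *[a-z]*) ;;
        *) echo "refusing all-caps chain name: $chain" >&2; return 1 ;;
    esac
    # iptables truncates --log-prefix at 29 characters; fail loudly instead.
    if [ ${#prefix} -gt 29 ]; then
        echo "log prefix longer than 29 characters" >&2; return 1
    fi
    printf '%s\n' '*filter'
    printf '%s\n' ":$chain - [0:0]"
    # Assumed rate limit: at most 5 log lines/minute, bursts of 10.
    printf '%s\n' "-A $chain -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$prefix\""
    printf '%s\n' "-A $chain -j DROP"
    for net in "$@"; do
        printf '%s\n' "-A INPUT -s $net -j $chain"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample networks (documentation ranges), not from the thread.
demo_rules() {
    gen_logdrop_rules log_drop "log_drop: " 192.0.2.0/24 198.51.100.0/24
}
```

Pipe the output into `iptables-restore` to load it; the LOG lines appear in the kernel log with the chosen prefix.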