IPTABLES logging (was: NTP, ntpdate and ISP-based firewall)
Michael Kearey
mutk at iprimus.com.au
Tue Mar 9 22:02:41 UTC 2004
Don Levey wrote:
> The man page is my friend. I am somewhat less confused than before (I
> hope).
>
> I was looking for info on how to log events; in particular, REJECT events.
> The relevant portion of the man page is below. I interpret this to mean
> that I need two separate lines in my iptables file. Therefore, instead of:
> ...
> # HANMAIL.NET spammers
> -A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
> -A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
> ...
> I would need:
> ...
> # HANMAIL.NET spammers
> -A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
> -A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
> -A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
> -A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
> ...
>
> To log all events of INFO or higher priority that meet those input criteria.
> Have I got this right?
I think it is slightly different to how you have put it.
What happens is that the rules you give above *will* go to INFO level
of syslog, and it depends on /etc/syslogd.conf whether the events are
logged at all, i.e. syslogd.conf must be set up to log 'events of INFO
or higher priority'.
I find that logging from iptables is ugly and difficult to read,
especially when it all goes to /var/log/messages .
I tell anything at the kernel* level of syslog to be logged to a file
/var/log/kernelmessages, in /etc/syslogd.conf, by modifying the kernel*
line -
kern.* /var/log/kernelmessages
I then use a rule like:
-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j LOG --log-level debug --log-prefix "IPTABLES-REJECT: " --log-ip-options --log-tcp-options
There are other ways to achieve a similar thing BTW, by using a local
unused syslog level perhaps.
Logging from iptables also tends to generate a big log file, so it may
be helpful to -m limit --limit 5 --limit-burst 10 as well. This
will help prevent monster log files...
Cheers,
Michael
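As an added illustration (not part of the original thread), here is a small parser that turns the "ugly and difficult to read" kernel-log output of the LOG target, written with the "IPTABLES-REJECT: " prefix used above, into counts per source /16 and destination port. The log lines below are constructed samples in the standard netfilter LOG format; the file path /var/log/kernelmessages and the prefix come from the post.

```python
from collections import Counter

# Constructed sample lines, shaped like what syslog writes for the kern
# facility when the LOG target fires with --log-prefix "IPTABLES-REJECT: ".
SAMPLE_LOG = """\
Mar  9 22:02:41 host kernel: IPTABLES-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=61.78.10.20 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1234 DF PROTO=TCP SPT=3456 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 22:02:42 host kernel: IPTABLES-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=61.79.3.4 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1235 DF PROTO=TCP SPT=3457 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 22:02:43 host kernel: IPTABLES-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=61.78.10.20 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=1236 DF PROTO=TCP SPT=3458 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 22:02:44 host kernel: eth0: link up
Mar  9 22:02:45 host kernel: IPTABLES-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=61.78.10.21 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1237 PROTO=UDP SPT=5000 DPT=53 LEN=20
"""

PREFIX = "IPTABLES-REJECT: "


def parse_log_line(line, prefix=PREFIX):
    """Return the KEY=VALUE fields of one LOG-target line as a dict, or None
    when the line does not carry the prefix (other kernel messages share the
    file). Bare flag tokens such as DF and SYN are stored as True. For UDP the
    transport LEN= repeats the key, so the last value wins."""
    marker = "kernel: " + prefix
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = {}
    for tok in line[pos + len(marker):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def summarize(text, prefix=PREFIX):
    """Count rejected packets per source /16 and per (PROTO, DPT) pair."""
    by_net, by_port = Counter(), Counter()
    for line in text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        a, b = fields["SRC"].split(".")[:2]
        by_net[f"{a}.{b}.0.0/16"] += 1
        by_port[(fields.get("PROTO"), fields.get("DPT"))] += 1
    return by_net, by_port


if __name__ == "__main__":
    # Real use: summarize(open("/var/log/kernelmessages").read())
    nets, ports = summarize(SAMPLE_LOG)
    for net, n in nets.most_common():
        print(f"{net:20} {n} rejected")
    for (proto, dpt), n in ports.most_common():
        print(f"{proto}/{dpt:6} {n} rejected")
```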