Logging iptables

jludwig wralphie at comcast.net
Sun Dec 11 01:16:19 UTC 2005


On Thursday 08 December 2005 11:04 pm, Amadeus W. M. wrote:
snip
> Suppose you have some rule that you want to log, say
>
> /sbin/iptables -A INPUT ... -j DROP
>
> Then you create an identical rule with the one above, except that you
> replace the target -j DROP with -j LOG --log-prefix "SOMETHING TO GREP
> FOR".
>
> So not only do you log, but you specify some string as well, specific to
> that rule, that you could easily grep for in /var/log/messages.
>
> For instance, to log all NEW tcp packets on the privileged (low numbered)
> ports, you would do this:
>
> /sbin/iptables -A INPUT -p tcp -m tcp --dport 0:1023 -m state --state NEW
> -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
>
> Here you probably don't want to have a matching -j DROP rule, because you
> may want to allow mail, http, etc.
>
> Be careful what you log though, because it may fill up your log files. For
> instance, you don't want to log an entire ftp transfer, usually the first
> packet (--state NEW) will do.
You could get really creative and modify syslog.conf and set it up with a log
file like /var/log/iptables for firewall logging.
-- 
Some people have convictions.
Some people have opinions
I think I'll have a cheeseburger!
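
Added example, not part of either message above: a small POSIX sh script that uses the --log-prefix string as the grep key the post describes and tallies hits per source address and destination port. The kernel log lines, hostname, MAC and addresses are constructed to match the field layout the LOG target writes; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of what "-j LOG --log-prefix ..." lines look like in
# /var/log/messages (hostname, MAC and addresses are made up). One line
# carries a different prefix and one is not a firewall line at all, to show
# that the prefix really does isolate a single rule.
SAMPLE_LOG=$(cat <<'EOF'
Dec 11 01:10:02 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 01:10:05 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 01:10:09 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 01:10:11 gw kernel: OTHER PREFIX: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=UDP SPT=5000 DPT=53 LEN=20
Dec 11 01:10:12 gw sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 40125 ssh2
EOF
)

# summarize_prefix PREFIX  (log text on stdin)
# Prints "count SRC DPT", most frequent first, for lines carrying PREFIX.
# grep -F matches the prefix literally, so the ": " and any regex
# characters in a prefix are harmless.
summarize_prefix() {
  prefix="$1"
  grep -F -- "$prefix" \
    | awk '{
        src = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^SRC=/) src = substr($i, 5)
          if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        print src, dpt
      }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# top_source PREFIX  (log text on stdin): the address with the most hits
top_source() {
  summarize_prefix "$1" | head -n 1 | awk '{ print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_prefix "LOW PORT TCP CONNECTION: "
```

The same functions work unchanged on a dedicated /var/log/iptables file if you take the reply's syslog.conf idea; the LOG target's --log-level option sets the syslog priority that syslog.conf matches on.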