Logging iptables

Gregory P. Ennis PoMec at PoMec.Net
Wed Dec 7 19:42:31 UTC 2005


On Wed, 2005-12-07 at 13:09 -0600, Mike McGrath wrote:
>  
> > 
> > I am working on some iptables nat forwarding logic and need 
> > to be able to log failures into my /var/log/message file in a 
> > RH 8.0 system.  I am using a FC4 system for a gateway 
> > firewall and iptables seems to log error packets there 
> > automatically.  Is there a way to do this on RH 8.0 as well?
> > 
> > Sorry to ask a RH question on this list, but I thought there 
> > would be someone here that would know.  
> > 
> > Thanks,
> > 
> > Greg Ennis
> 
> You can do a:
> 
> iptables -A INPUT -j LOG --log-level info --log-prefix "IPTABLES DENY "
> 
> That is just one way of getting logging info out of iptables, depending
> on your rules and setups it could be different.  What types of failures
> are you looking for?
> 
> 	-Mike
> 
Mike,

Thanks for the response.  Here are my iptables entries

:LOG_9100 - [0:0]
-A FORWARD -s ###.###.###.### -p tcp --sport 9100 -j LOG_9100

where ###.###.###.### is the ip address I am using.

-A LOG_9100 -j LOG --log-prefix "[IPTABLES 9100 DROP] : " \
                 --log-tcp-options --log-ip-options
-A LOG_9100 -j REJECT --reject-with icmp-port-unreachable


I am trying to set up a remote printer on a SCO box.  I found a program
called netcat (http://aplawrence.com/SCOFAQ/FAQ_scotec7getnetcat.html)
that can be used to control the print stream to a remote ip address on
port 9100.  I have been able to get netcat to work perfectly on the
local network, but have not been able to get it to work across the
internet. 

I think my problem is related to iptables running on a RH 8.0 firewall
on the remote end.  I tried to log packets via the syntax above, but
iptables is not logging to the /var/log/message file.  In looking at the
file, iptables is not logging anything to that file.  My thought was that
there must be some kind of set up in RH 8.0 that allows for iptables
logging that I have not been able to find.

Thanks for your interest!!!!

If you have other thoughts let me know,

Greg
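Once the LOG target is writing to the syslog file, the next question is usually whether the rule is matching at all and which flows it caught. The following parser is an added example, not code from this thread or from the iptables project: it reads lines in the shape syslog writes for netfilter's LOG output (kernel facility, the `--log-prefix` text, then `IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...`), filters on the `[IPTABLES 9100 DROP]` prefix used above, and counts logged packets per flow. The sample lines are constructed for the example and use documentation address ranges; the host name `fw` and the interface names are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample syslog lines (not real log data). The first three are in
# the shape netfilter's LOG target produces; the fourth is an unrelated sshd
# line that the parser must ignore.
SAMPLE_LOG = """\
Dec  7 19:40:01 fw kernel: [IPTABLES 9100 DROP] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=40123 DPT=9100 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  7 19:40:02 fw kernel: [IPTABLES 9100 DROP] : IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=40123 DPT=9100 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  7 19:40:05 fw kernel: [IPTABLES 9100 DROP] : IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=9 PROTO=UDP SPT=5353 DPT=9100 LEN=20
Dec  7 19:40:06 fw sshd[1234]: Accepted publickey for greg from 192.0.2.5 port 50000 ssh2
"""

# "kernel: <prefix>IN=..." : the prefix is whatever --log-prefix set (possibly
# empty); netfilter's own fields always start with IN=.
_KERNEL_RE = re.compile(r"kernel:\s+(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")
_KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
# Bare tokens netfilter emits without an '=' (IP DF bit and TCP flags).
_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass
class NetfilterEvent:
    prefix: str
    fields: Dict[str, str]          # KEY=VALUE pairs; a repeated key keeps the last value
    flags: List[str] = field(default_factory=list)


def parse_netfilter_line(line: str) -> Optional[NetfilterEvent]:
    """Return the parsed LOG event, or None if the line is not netfilter output."""
    m = _KERNEL_RE.search(line)
    if not m:
        return None
    body = m.group("fields")
    fields = {k: v for k, v in _KV_RE.findall(body)}
    flags = [tok for tok in body.split() if tok in _FLAGS]
    return NetfilterEvent(prefix=m.group("prefix").strip(), fields=fields, flags=flags)


def summarize_drops(log_text: str, prefix: str) -> Counter:
    """Count logged packets per (SRC, DST, PROTO, DPT) for lines carrying `prefix`.

    Filtering on the prefix matters because every LOG rule in every chain
    writes to the same file; the prefix is the only thing that tells them apart.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_netfilter_line(line)
        if ev is None or not ev.prefix.startswith(prefix):
            continue
        key = (ev.fields.get("SRC"), ev.fields.get("DST"),
               ev.fields.get("PROTO"), ev.fields.get("DPT"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, dpt), n in summarize_drops(SAMPLE_LOG, "[IPTABLES 9100 DROP]").items():
        print(f"{n:4d}  {src} -> {dst} {proto}/{dpt}")
```

Running it against the real file (`python3 parse_nf.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) gives a quick answer to "did the rule match anything, and from where"; an empty summary while the prefix is correct points at the rule not matching (wrong chain, wrong direction or port qualifier) rather than at syslog.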
More information about the fedora-list mailing list