Logging iptables

Amadeus W. M. amadeus84 at cablespeed.com
Thu Dec 8 23:04:52 UTC 2005


On Wed, 07 Dec 2005 12:34:23 -0600, Gregory P. Ennis wrote:

> List,
> 
> I am working on some iptables nat forwarding logic and need to be able
> to log failures into my /var/log/message file in a RH 8.0 system.  I am
> using a FC4 system for a gateway firewall and iptables seems to log
> error packets there automatically.  Is there a way to do this on RH 8.0
> as well.
> 
> Sorry to ask a RH question on this list, but I thought there would be
> someone here that would know.  
> 
> Thanks,
> 
> Greg Ennis

Suppose you have some rule that you want to log, say

/sbin/iptables -A INPUT ... -j DROP

Then you create an identical rule with the one above, except that you
replace the target -j DROP with -j LOG --log-prefix "SOMETHING TO GREP FOR".

So not only do you log, but you specify some string as well, specific to
that rule, that you could easily grep for in /var/log/messages.

For instance, to log all NEW tcp packets on the privileged (low numbered)
ports, you would do this:

/sbin/iptables -A INPUT -p tcp -m tcp --dport 0:1023 -m state --state NEW \
    -j LOG --log-prefix "LOW PORT TCP CONNECTION: "

Here you probably don't want to have a matching -j DROP rule, because you
may want to allow mail, http, etc. 

Be careful what you log though, because it may fill up your log files. For
instance, you don't want to log an entire ftp transfer, usually the first
packet (--state NEW) will do.
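As an added example (not part of the original reply), the following script builds the LOG/DROP rule pair described above and then does the "grep for the prefix in /var/log/messages" step over a constructed sample log. The `-m limit` match, the `IPTABLES` dry-run variable and the sample log lines are my assumptions, not the author's.

```shell
#!/bin/sh
# Dry-run by default: commands are echoed, not applied.
# Run with IPTABLES=/sbin/iptables (as root) to install the rules for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# log_then_drop CHAIN PREFIX MATCH...
# Two rules with identical matches: LOG first (a non-terminating target, so
# the packet continues down the chain), then DROP. -m limit keeps a flood
# from filling /var/log/messages; PREFIX is the string you later grep for.
log_then_drop() {
    chain=$1; prefix=$2; shift 2
    $IPTABLES -A "$chain" "$@" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$prefix"
    $IPTABLES -A "$chain" "$@" -j DROP
}

# count_prefixed LOGFILE PREFIX
# Summarise kernel LOG lines carrying PREFIX by source address and
# destination port (most frequent first).
count_prefixed() {
    grep -F "$2" "$1" | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        print src, dpt
    }' | sort | uniq -c | sort -rn
}

# write_sample FILE: constructed sample log lines (documentation addresses,
# not real traffic) in the format the kernel LOG target produces.
write_sample() {
    cat > "$1" <<'EOF'
Dec  8 23:04:52 gw kernel: TELNET DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=23
Dec  8 23:04:53 gw kernel: TELNET DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40002 DPT=23
Dec  8 23:05:10 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=80
EOF
}

# Usage: emit the rule pair, then summarise the matching log entries.
log_then_drop INPUT "TELNET DROP: " -p tcp -m tcp --dport 23 -m state --state NEW
sample=$(mktemp)
write_sample "$sample"
count_prefixed "$sample" "TELNET DROP: "
rm -f "$sample"
```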
