Logging denied packets (iptables)

John Summerfield debian at herakles.homelinux.org
Wed Oct 17 23:43:40 UTC 2007


Ashley M. Kirchner wrote:
> 
>    One of our offices has several network ranges blocked in iptables 
> (essentially '-A INPUT -s www.xxx.yyy.zzz/aa -j DROP').  What I'd like 
> to do is create a log entry each time a packet is dropped, IF it matches 
> any of those networks.  I think I need to assign all of those networks 
> to a "group" and then log dropped packets from that group only.  And 
> while I realize this might have other ramifications, such as logs 
> growing exponentially, for now we're taking small steps.  Later on I can 
> then look for things like logging the same IP only once...
> 
>    So how do I tell iptables to create a group or name, or whatever it's 

I wish people would learn to google "how to" what I want to know, so in 
this case
http://www.google.com/search?q=%22how+to%22+iptables&start=0&start=0&ie=utf-8&oe=utf-8&client=mozilla&rls=org.mozilla:en-US:unofficial
or
http://www.google.com/search?num=100&hl=en&c2coff=1&safe=active&client=mozilla&rls=org.mozilla%3Aen-US%3Aunofficial&q=%22how+to%22+log+drop+iptables&btnG=Search


I'm surprised netfilter doesn't come close to the top:
07:42 [summer at numbat ~]$ rpm -qif /sbin/iptables
Name        : iptables                     Relocations: /usr
Version     : 1.3.5                             Vendor: Scientific Linux
Release     : 1.2.1                         Build Date: Sun Mar 25 02:55:15 2007
Install Date: Fri Jun 15 10:36:39 2007      Build Host: norob.fnal.gov
Group       : System Environment/Base       Source RPM: iptables-1.3.5-1.2.1.src.rpm
Size        : 559481                           License: GPL
Signature   : DSA/SHA1, Sat Apr 14 06:14:35 2007, Key ID da6ad00882fd17b2
URL         : http://www.netfilter.org/
which also gives a hint about useful reading material.

Cheers
John


Please do not reply off-list
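As an added example, not from either poster: the "group" the question asks for is a user-defined chain. Each blocked network jumps to it, and the chain logs at a bounded rate and then drops, so only packets from those networks are logged. The function below only emits iptables-restore syntax for review (it does not call iptables); the chain name BLOCKED and the CIDR ranges are constructed placeholders.

```shell
# Constructed sample ranges (RFC 5737 documentation space), not real blocks.
BLOCKED_NETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

# Accept only a plain IPv4 prefix such as 192.0.2.0/24.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# gen_blocklist_rules "<space-separated CIDR list>"
# Prints a filter-table fragment for iptables-restore:
#   - one user-defined chain (BLOCKED) that holds the whole group
#   - one INPUT rule per network that jumps into that chain
#   - inside the chain: rate-limited LOG, then DROP
gen_blocklist_rules() {
    nets=$1
    for net in $nets; do
        if ! valid_cidr "$net"; then
            printf 'rejecting malformed prefix: %s\n' "$net" >&2
            return 1
        fi
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':BLOCKED - [0:0]'
    for net in $nets; do
        printf '%s\n' "-A INPUT -s $net -j BLOCKED"
    done
    # -m limit bounds log growth (the concern raised in the question).
    # For "one line per source" semantics, -m hashlimit with
    # --hashlimit-mode srcip is the usual next step.
    printf '%s\n' '-A BLOCKED -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "BLOCKED-DROP: " --log-level 4'
    printf '%s\n' '-A BLOCKED -j DROP'
    printf '%s\n' 'COMMIT'
}

# Usage: gen_blocklist_rules "$BLOCKED_NETS" > blocklist.rules
#        then review, and load with: iptables-restore --noflush < blocklist.rules
gen_blocklist_rules "$BLOCKED_NETS"
```

Because the LOG rule sits in the user-defined chain, packets dropped by any other rule are not logged; matches show up in the kernel log with the BLOCKED-DROP: prefix.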
