Iptables Logging
Hi all,
I am in need of a quick tutorial on adding iptables logging to my existing rules. I haven't found a clear, distinct description of how to do basic logging. Can anyone help or point me in the right direction? So far all I have done is "modprobe ipt_LOG".
At the very end of my firewall script, I have
Code:
# Log the rest of the incoming messages (all of which are dropped)
Code:
# syslog.conf: send kernel messages at exactly debug level (the LOG target's output) to their own file
kern.=debug	/var/log/firewall
You are the Man!!!!! or Woman!!!!
Works great!!! Thank you.... You made it very simple :) Now, with this setup, will I be able to keep my /var/log partition from filling up if some "not so nice person" decides to: ping -c 400000 "myip"?
I'm glad to hear it worked. :) (Oh, and "Man", by the way.)
You can also set up rules this way: just create the chain, then send the packets to it. This way it's easy to change only a couple of variables rather than having to go through the whole script.
Code:
# $IPTABLES is assumed to be set earlier in the script; default it here so the block runs on its own
IPTABLES=${IPTABLES:-/sbin/iptables}

LOGLIMIT="2/s"
LOGLIMITBURST="10"

# Dedicated chain: rate-limited LOG (one prefix per protocol), then DROP
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
$IPTABLES -A LOGDROP -p udp  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
$IPTABLES -A LOGDROP -f      -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
$IPTABLES -A LOGDROP -j DROP

# Hand the remaining incoming traffic on eth0 to the chain
$IPTABLES -A INPUT -p icmp -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p tcp  -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p udp  -i eth0 -j LOGDROP
That is an easy way of doing it, I see. Just define the variables at the beginning and there's no need to re-enter the values in each rule.
This is good stuff, all. Thank you very much :)
Quote:
--log-prefix "TCP LOGDROP: "
Only takes, I think, a maximum of 29 characters, if memory serves me right.
Quote:
I am wondering what the benefit is of putting "-m limit --limit 15/minute" in the log rule? Thanks
Not sure about the use of 15/minute; that's rather a long time, and I prefer a much shorter one. But the idea is to limit the amount of logging so you don't fill your logs up. If there is no limit to reach, log files can grow by quite a few MB in a day. You will also be tying up lots of processing power writing logs 24/7. If the same IP address keeps hammering you, there is little sense in logging it all; you only need a small amount to see the pattern and record it.
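The `-m limit` semantics behind the LOGDROP chain and the 15/minute question above, as an added example that is not code from any post in this thread and not iptables' own implementation: it models the match as the token bucket iptables documents (the bucket starts at --limit-burst tokens, each logged packet spends one, tokens refill at --limit), counts how many lines the 400000-ping flood asked about earlier would actually produce, and parses the kernel log lines the LOG target writes so they can be summarised per source. The sample log lines and the `fw` hostname are constructed; the rate and burst defaults are the thread's LOGLIMIT and LOGLIMITBURST values.

```python
"""Model of iptables' `-m limit` as used on a LOG rule, plus a parser for the
resulting kernel log lines. Illustration code for this thread, not iptables'
own code; sample data below is constructed."""

import re
from collections import Counter

# Periods accepted after the slash in `--limit N/period`. iptables compares
# only the characters you typed, so "2/s", "2/sec" and "2/second" are equal.
_PERIODS = (("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400))


def parse_rate(spec):
    """'2/s' -> (2, 1), '15/minute' -> (15, 60): packets per period_seconds."""
    count, _, unit = spec.partition("/")
    if not unit:
        raise ValueError("give the period explicitly, e.g. '2/s'")
    for name, seconds in _PERIODS:
        if name.startswith(unit.lower()):
            return int(count), seconds
    raise ValueError(f"unknown period in {spec!r}")


class LimitMatch:
    """Token bucket with the semantics of `-m limit --limit R --limit-burst B`.

    Credit is an integer in units of 1/(period * 1e6) token, so the refill per
    microsecond is exactly `count` units and no floating point is needed (the
    kernel's xt_limit keeps integer credit too, in jiffies). The bucket starts
    full; a packet matches only when a whole token is available, otherwise the
    LOG rule is skipped and the packet falls through to DROP unlogged.
    """

    def __init__(self, rate="2/s", burst=10):
        count, period = parse_rate(rate)
        self.scale = period * 1_000_000      # credit units per token
        self.refill = count                  # credit units per microsecond
        self.cap = burst * self.scale
        self.credit = self.cap
        self.last_us = 0

    def matches(self, t_us):
        gained = (t_us - self.last_us) * self.refill
        self.credit = min(self.cap, self.credit + gained)
        self.last_us = t_us
        if self.credit >= self.scale:
            self.credit -= self.scale
            return True
        return False


def logged_lines(n_packets, pps, rate="2/s", burst=10):
    """How many packets of a steady flood (n_packets at pps) reach the LOG target."""
    lim = LimitMatch(rate, burst)
    step_us = 1_000_000 // pps
    return sum(lim.matches(i * step_us) for i in range(n_packets))


# One kernel LOG line: "<prefix>" then space-separated KEY=VALUE fields.
LOG_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<prefix>[A-Z]+ LOGDROP): (?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return {'prefix': ..., 'SRC': ..., 'PROTO': ..., ...} or None for non-LOG lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("rest")):
        fields.setdefault(key, value)   # ICMP lines carry ID= twice; keep the IP header's
    return {"prefix": m.group("prefix"), **fields}


def summarize(lines):
    """(prefix, SRC) -> count: the per-source view that shows the pattern."""
    return Counter((p["prefix"], p["SRC"]) for p in map(parse_log_line, lines) if p)


# Constructed sample syslog output (hostname "fw", documentation addresses).
SAMPLE_LOG = """\
Mar  3 12:53:01 fw kernel: ICMP LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=42 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 12:53:01 fw kernel: ICMP LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=43 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar  3 12:53:02 fw kernel: TCP LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=7 DF PROTO=TCP SPT=40012 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:53:02 fw kernel: UDP LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=8 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Mar  3 12:53:03 fw sshd[1234]: Accepted publickey for admin from 192.0.2.50
"""

if __name__ == "__main__":
    # The flood from earlier in the thread: 400000 pings, assumed at 1000/s.
    print("2/s burst 10     :", logged_lines(400_000, 1000), "lines logged")
    print("15/minute burst 5:", logged_lines(400_000, 1000, "15/minute", 5), "lines logged")
    for (prefix, src), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{prefix:18} {src:15} {n}")
```

With 2/s and a burst of 10, a 400000-packet flood at 1000 packets per second produces 809 log lines rather than 400000, and 15/minute with the default burst of 5 produces 104. One caveat the model makes visible: `limit` keeps a single bucket per rule, not per source, so while one address is flooding, drops from everyone else go unlogged too; `-m hashlimit --hashlimit-mode srcip` gives each source its own bucket if that matters.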