LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Iptables Logging (https://www.linuxquestions.org/questions/linux-security-4/iptables-logging-385165/)

doublejoon 11-21-2005 09:19 AM
Iptables Logging
 
Hi all,
I am in need of a quick tutorial on adding iptables logging to my existing rules. I haven't found a clear distinct description on how to do basic logging.

Can anyone help or point me in the right direction.
So far all I have done is "modprobe ipt_LOG"

Mad Scientist 11-21-2005 10:27 AM
At the very end of my firewall script, I have

Code:
# Log the rest of the incoming messages (all of which are dropped)
# with a maximum of 15 log entries per minute
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "

# Reject any packets that do not meet the specified criteria
/sbin/iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
In /etc/syslog.conf, I have

Code:
kern.=debug    /var/log/firewall
The "log-level" specified in my firewall script is the "debug" level, so the syslog.conf file reflects this fact and sets up the file /var/log/firewall to capture all of these messages. You have to issue a "/sbin/service syslog restart", and then the file "/var/log/firewall" will appear, and will quickly start filling up. The "Dropped by firewall: " prefix is something I use to separate the firewall entries from the other (though very few) entries that inevitably get assigned the debug level.

doublejoon 11-21-2005 11:40 AM
You are the Man!!!!! or Woman!!!!

Works great!!! Thank you.... You made it very simple :)

Now with this setup will I be able to keep my /var/log partition from filling up if some "Not so nice person" decides to:

ping -c 400000 "myip"

Mad Scientist 11-23-2005 12:28 PM
I'm glad to hear it worked. :) (Oh, and "Man", by the way.)

fotoguy 12-15-2005 04:02 AM
You can also set up rules this way as well, just create the chain then send the packets too it, this way it's easy to change only a couple of variables rather than having to go through the whole script.

LOGLIMIT="2/s"
LOGLIMITBURST="10"

$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
$IPTABLES -A LOGDROP -j DROP

$IPTABLES -A INPUT -p icmp -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p tcp -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p udp -i eth0 -j LOGDROP

doublejoon 12-23-2005 01:01 PM
That is an easy way of doing it I see..Just define variables in the beginning and no need to re-enter values in each rule....

This is good stuff all


Thank you very much:)

fotoguy 12-23-2005 06:56 PM
Quote:
Originally Posted by doublejoon
That is an easy way of doing it I see..Just define variables in the beginning and no need to re-enter values in each rule....

This is good stuff all


Thank you very much:)
Happy you found it useful. One thing to note as well is the logging prefix:

--log-prefix "TCP LOGDROP: "

Only takes I think, a maximum of 29 characters if memory serves my right.

dimsh 01-08-2006 04:49 AM
Quote:
Originally Posted by Mad Scientist
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
Quote:
Originally Posted by fotoguy
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
$IPTABLES -A LOGDROP -j DROP
this is a very useful LOG tutorial, but
I am wondering what is the benefit from putting "-m limit --limit 15/minute" in the log rule ??
:newbie:

Thanks

fotoguy 01-09-2006 04:20 AM
Not sure the use of the 15/minute rather a long time, I prefer a much shorter time. But the idea is to limit the amount of logging so you don't fill your logs up. If there is no limit to reach log files can grow by quite a few MB's in a day. You will also be tying up lots of processing power writing logs 24/7, if the same ip-address keeps hammering you, there is little sense in loging it all, you only need a small amount to see the pattern and record it.


All times are GMT -5. The time now is 12:53 PM.