Linux - Server (LinuxQuestions.org): This forum is for the discussion of Linux software used in a server-related context.
As soon as IPTABLES finds a rule that matches, it stops checking all other rules. If you want to log everything, move the log rule to before the drop rule and you'll be sweet.
Sorry, I re-read my post and agree it wasn't clear. If you want to log something, you must put the logging rule before any other rule that it might match. The log rule is the exception to my earlier comment that iptables stops checking other rules when it finds one that matches. That is, once it reaches the log rule, it WILL continue reading other rules.
In your example the DROP rule is before the log rule, and the DROP rule matches everything and the log rule is never reached. You need to move the log rule up your list of rules - where exactly is up to you and depends on what other rules you have defined.
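To make the ordering point concrete, here is a small constructed model of how iptables walks a chain (an added example, not code from this thread or from iptables): a terminating target such as DROP or ACCEPT stops the walk, LOG does not, and a jump into a user-defined chain falls back to the caller on RETURN or at the end of that chain. Rule, chain names and packets are all made up for the illustration; the RH-Firewall-1-INPUT layout mirrors the watch output posted later in the thread.

```python
# Constructed model of iptables chain traversal (added example, not iptables
# itself): first match wins, except that LOG is non-terminating, and a jump
# to a user chain falls through on RETURN or at the end of that chain.
from dataclasses import dataclass
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    target: str          # LOG, DROP, ACCEPT, RETURN or a user-defined chain
    in_iface: str = "*"  # "*" matches any interface (no -i given)
    proto: str = "all"   # "all" matches any protocol (no -p given)

def matches(rule, pkt):  # pkt is a constructed (in_iface, proto) pair
    iface, proto = pkt
    return rule.in_iface in ("*", iface) and rule.proto in ("all", proto)

def walk(chains, name, pkt, log):
    # Walk one chain; return a verdict, or None when the chain falls through.
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            log.append(f"{name}: LOG proto={pkt[1]} in={pkt[0]}")
            continue                       # non-terminating: keep going
        if rule.target in TERMINATING:
            return rule.target             # terminating: stop checking rules
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, log)  # jump into user chain
        if verdict is not None:
            return verdict
    return None

def filter_packet(chains, pkt, policy="ACCEPT"):
    # Run a packet through INPUT; returns (verdict, list of LOG lines).
    log = []
    return (walk(chains, "INPUT", pkt, log) or policy), log

# The asker's ordering: DROP before LOG, so the LOG rule is never reached.
def drop_before_log(pkt=("eth0", "tcp")):
    return filter_packet({"INPUT": [Rule("DROP"), Rule("LOG")]}, pkt)

# The fix: LOG first, then DROP; the packet is logged and still dropped.
def log_before_drop(pkt=("eth0", "tcp")):
    return filter_packet({"INPUT": [Rule("LOG"), Rule("DROP")]}, pkt)

# Layout from the watch sample: INPUT jumps to a chain that logs everything,
# accepts only loopback, and lets anything else fall back to the policy.
def rh_firewall(pkt):
    chains = {"INPUT": [Rule("RH-Firewall-1-INPUT")],
              "RH-Firewall-1-INPUT": [Rule("LOG"), Rule("ACCEPT", in_iface="lo")]}
    return filter_packet(chains, pkt)
```

Swapping the two rules in `drop_before_log` is exactly the move described above: the verdict stays DROP, but the LOG line now appears because LOG is evaluated before the terminating rule.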
Either my question is not clear or you don't know the answer.
Can't you see that my syslog.conf points kernel.=info to /var/log/iptables?
Anyway, there is nothing in my /var/log/messages belonging to iptables or packet info.
Have you tried "kern.info /var/log/iptables" in /etc/syslog.conf? This worked for me. Also, did you restart iptables and syslog services after your changes?
If syslogd is the problem then possibly the log data is being written to another log file in /var/log. Are there files in that directory that are being updated continuously?
Alternatively, as you know, your iptables settings aren't correct. Can you post your full /etc/sysconfig/iptables file? Try running "watch -d iptables -nvL" and see if there is any activity on your log rule. Here's a sample from my system:-
Code:
Every 2.0s: iptables -nvL Mon Apr 28 22:29:12 2008
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
322 22108 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 275 packets, 43029 bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
322 22108 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Last edited by blacky_5251; 04-28-2008 at 08:00 AM.
Reason: Added watch example data
OK, so the LOG target is being hit and the numbers are increasing as you "watch" the output from iptables (correct?). This indicates your syslog.conf file is not correct and is sending your log data somewhere else.
Use "ls -lt /var/log | head" to see which files are being updated regularly. Can you post your full /etc/syslog.conf file as well?
# Uncomment this to see kernel messages on the console.
#kern.* /dev/console
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/syslog
# Debugging information is logged here.
*.=debug -/var/log/debug