iptables logging

hemi_426 · 04-28-2008, 04:35 AM

hello guys

these from my firewall script

$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -p tcp -j LOG --log-level info

and my
/etc/syslog.conf >> kern.=info /var/log/iptables

the iptables rules works fine but i dont get any entry
inside /var/log/iptables

i dont want to log only the DROPED packets ,i want to log all packets..
how to do that ??

thanks alot

blacky_5251 · 04-28-2008, 04:37 AM

As soon as IPTABLES finds a rule that matches, it stops checking all other rules. If you want to log everything, move the log rule to before the drop rule and you'll be sweet.

hemi_426 · 04-28-2008, 04:45 AM

im thankfull for ur reply

r u saying that after the policy DROP
i should put the logging rule befor all the others??

blacky_5251 · 04-28-2008, 04:52 AM

Sorry, I re-read my post and agree it wasn't clear. If you want to log something, you must put the logging rule before any other rule that it might match. The log rule is the exception to my earlier comment that iptables stops checking other rules when it finds one that matches. That is, once it reaches the log rule, it WILL continue reading other rules.

In your example the DROP rule is before the log rule, and the DROP rule matches everything and the log rule is never reached. You need to move the log rule up your list of rules - where exactly is up to you and depends on what other rules you have defined.

hemi_426 · 04-28-2008, 05:13 AM

sorry , but that is not a rule thats a DROP policy

blacky_5251 · 04-28-2008, 05:23 AM

I need to put my glasses on....

I've used this in my iptables before to log traffic:-

Code:

-A -j LOG --log-level info

Log entries for me are going to /var/log/messages.

hemi_426 · 04-28-2008, 05:28 AM

either my question is not clear or u dont know the answer
cant u c that my syslog.conf points kernel.=info to /var/log/iptables
anyway there is nothing in my /var/log/messages belong to iptables or packets info

blacky_5251 · 04-28-2008, 05:35 AM

Have you tried "kern.info /var/log/iptables" in /etc/syslog.conf? This worked for me. Also, did you restart iptables and syslog services after your changes?

hemi_426 · 04-28-2008, 07:52 AM

sorry still not logging

blacky_5251 · 04-28-2008, 07:58 AM

If syslogd is the problem then possibly the log data is being written to another log file in /var/log. Are there files in that directory that are being updated continuously?

Alternatively, as you know, your iptables settings aren't correct. Can you post your full /etc/sysconfig/iptables file? Try running "watch -d iptables -nvL" and see if there is any activity on your log rule. Here's a sample from my system:-

Code:

Every 2.0s: iptables -nvL                                                                                           Mon Apr 28 22:29:12 2008

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  322 22108 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 275 packets, 43029 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  322 22108 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

hemi_426 · 04-28-2008, 08:18 AM

Chain INPUT (policy DROP 247 packets, 37910 bytes)
pkts bytes target prot opt in out source destination
125K 79M LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6

my firewall

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

####### Configure IPROUTE2 Rules #######

####### IPTABLES Rules #################

############ INPUT
$IPTABLES -A INPUT -p tcp -j LOG --log-level info
$IPTABLES -A INPUT -i $EXTIF -p icmp -m icmp --icmp-type redirect -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 22,21,20,587,110 -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
############ FORWARD
# Syn-flood
$IPTABLES -A FORWARD -p tcp -j LOG --log-level info
$IPTABLES -A FORWARD -p tcp -i $INTIF -o $EXTIF -m multiport --destination-port 22,21,20,25,53,443,587,110,5190,1863,5000,5050 -j ACCEPT

$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Ports Scans
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Ping Death
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

$IPTABLES -A FORWARD -p udp -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $INTIF -o $EXTIF -j ACCEPT

# NetBs Drop
$IPTABLES -A FORWARD -p tcp --dport 135:139 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 445 -j DROP

############ OUTPUT

############ PREROUTING ##
$IPTABLES -t nat -A PREROUTING -p tcp -d ! 10.0.0.0/24 -m multiport --dports 80,81,82,83,kerberos,8000,8001,8002 -j REDIRECT --to-ports 3128

$IPTABLES -t nat -A PREROUTING -p tcp -d ! 172.17.60.0/24 -m multiport --dports 8083,8091,8100,8101,8102,8103,8888,777 -j REDIRECT --to-ports 3128

# POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 10.0.0.10/24 -j SNAT --to-source `get_addr $EXTIF`

thank u for ur time

blacky_5251 · 04-28-2008, 05:53 PM

OK, so the LOG target is being hit and the numbers are increasing as you "watch" the output from iptables (correct?). This indicates your syslog.conf file is not correct and is sending your log data somewhere else.

Use "ls -lt /var/log | head" to see which files are being updated regularly. Can you post your full /etc/syslog.conf file as well?

hemi_426 · 04-29-2008, 03:24 AM

root@Office:~# ls -lt /var/log | head
total 1956
-rw-r----- 1 root root 431801 2008-04-29 11:24 messages
-rw-r--r-- 1 root root 293168 2008-04-29 11:18 lastlog
-rw-rw-r-- 1 root utmp 149760 2008-04-29 11:18 wtmp
-rw------- 1 root root 490752 2008-04-29 08:39 btmp
-rw-r----- 1 root root 71701 2008-04-29 08:39 syslog
-rw-r----- 1 root root 24096 2008-04-28 12:11 faillog
-rw-r----- 1 root root 193 2008-04-28 12:11 secure
drwxr-xr-x 2 root root 20480 2008-04-28 10:44 packages/
-rw-r--r-- 1 root root 0 2008-04-27 16:21 iptables

kern.info /var/log/iptables

# Uncomment this to see kernel messages on the console.
#kern.* /dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/syslog

# Debugging information is logged here.
*.=debug -/var/log/debug

# Private authentication message logging:
authpriv.* -/var/log/secure

# Cron related logs:
cron.* -/var/log/cron

# Mail related logs:
mail.* -/var/log/maillog

# Emergency level messages go to all users:
*.emerg *

# This log is for news and uucp errors:
uucp,news.crit -/var/log/spooler

GhostCow · 04-29-2008, 06:18 AM

restart syslog and check again
don't forget, syslog MUST BE RESTARTED AFTER INITIALIZING LOG RULE

hemi_426 · 04-29-2008, 06:24 AM

i will try it now