Re: logging iptables
On Mon, 2002-04-22 at 11:24, Lars Roland Kristiansen wrote:
> Hi, and thanks. I did look at the man pages, but I am completely new to
> firewalls, so I got more confused than I was before. A little extra - when
> I use LOG I can check out the messages using syslog or dmesg - is there
> a way I can filter this LOG information into its own log file in /var/log?
As always: more than one way :)
Add '--log-level debug' to iptables, add 'kern.debug /var/log/debug' to
/etc/syslog.conf, killall -HUP syslogd, and look in /var/log/debug.
If you have a line in /etc/syslog.conf that says 'kern.*' or '*.debug'
(the default syslog.conf does), then it will go to those logfiles too.
You could also try installing syslog-ng instead of syslogd, and use
'--log-prefix iptables', and set up a syslog filter rule for iptables.
I've never tried this.
>
> thanks
>
> > Hi,
> >
> > As from the man:
> >
> > LOG:
> > This is a "non-terminating target",
> > i.e. rule traversal continues at the next rule. So if you
> > want to LOG the packets you refuse, use two separate rules
> > with the same matching criteria, first using target LOG
> > then DROP (or REJECT).
> >
> > So, simply insert a rule which matches the traffic you accept, before you accept
> > it.
> >
> > A piece of advice: you accept any packet with destination port matching your services.
> > You should only accept the --state NEW packets; -s 0/0 is useless, using -m limit
> > is quite useful too, and finally, if you want to have stats on a per-protocol
> > basis, you should use a separate line for each proto and use the counters
> > associated with each rule.
> >
> >
> > iptables -P INPUT DROP
> > iptables -A INPUT -p tcp -m multiport -m state --state NEW --dport 22,25,110,113 -i eth0 -m limit -j LOG --log-prefix "ACCEPTED:"
> > iptables -A INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
> > iptables -A INPUT -p tcp -m multiport -m state --state NEW --dport 25 -i eth0 -j ACCEPT
> > ..
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m limit -j LOG --log-prefix "DROPED"
> >
> >
> > Hope that helps,
> >
> > JeF
> >
>
> ___
> Mvh./Yours sincerely
>
> Lars
>
> ========================================================================
> Lars Roland Kristiansen | Email: m00lrk@math.ku.dk
> Stu. Sci. Math/Computer science | TLF(home): 39670663
> Copenhagen University - | Home address: Emdrupvej 175
> Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV
> Url: www.math.ku.dk |
> ========================================================================
>
> "Politics is for the moment, equations are forever"
> - Albert Einstein
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
Berend De Schouwer
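The following is an added example, not code from any of the posts above. It shows the two halves of what the reply describes: the syslog.conf selector that routes kernel LOG output to its own file, and a way to pull the netfilter lines back out of that file by --log-prefix (the approach the reply suggests doing with a syslog-ng filter). The log lines and the syslog.conf fragment are constructed samples, the file names under a temporary directory are hypothetical, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list posts). Constructed sample data only.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of what lands in /var/log/debug once 'kern.debug' is selected.
# The prefixes "ACCEPTED:" and "DROPED" mirror the posted rules: they carry no
# trailing space, so the kernel prints them glued to the IN= field.
cat > "$WORK/debug" <<'EOF'
Apr 22 11:24:01 gw kernel: ACCEPTED:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Apr 22 11:24:02 gw kernel: DROPEDIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4444 DPT=23 SYN
Apr 22 11:24:03 gw kernel: eth0: link is up
Apr 22 11:24:04 gw kernel: DROPEDIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=4445 DPT=23 SYN
Apr 22 11:24:05 gw kernel: ACCEPTED:IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN
EOF

# Constructed syslog.conf fragment containing the line the reply tells you to add.
# Classic syslogd wants the selector and the action separated by a TAB.
printf 'kern.*\t-/var/log/kern.log\nkern.debug\t/var/log/debug\n' > "$WORK/syslog.conf"

# Print only netfilter LOG lines: kernel messages carrying the IN=/OUT= fields.
# Other kernel chatter (link state, drivers) also ends up in kern.debug.
nf_lines() {
    grep 'kernel: .*IN=.* OUT=' "$1"
}

# Count netfilter LOG lines whose message starts with the given --log-prefix.
count_prefix() {
    nf_lines "$1" | grep -c "kernel: $2"
}

# Write one file per prefix so accepted and dropped traffic can be watched separately,
# which is what a syslog-ng filter on the prefix would do at log time.
split_by_prefix() {
    nf_lines "$1" | grep "kernel: ACCEPTED:" > "$2/accepted.log"
    nf_lines "$1" | grep "kernel: DROPED"    > "$2/dropped.log"
}

# Per-destination-port counts for one prefix, printed as "DPT count" lines.
dpt_counts() {
    nf_lines "$1" | grep "kernel: $2" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) c[substr($i, 5)]++ }
             END { for (p in c) print p, c[p] }' | sort -n
}

# Does this syslog.conf already route kern.debug (or kern.*) to a file?
# Exit status 0 means yes; the reply notes such lines make the LOG output
# land in those files as well.
syslog_routes_kern_debug() {
    grep -Eq '^kern\.(debug|\*)[[:space:]]+-?/' "$1"
}

# Stand-alone run: split the sample and report what each file holds.
split_by_prefix "$WORK/debug" "$WORK"
echo "accepted: $(count_prefix "$WORK/debug" ACCEPTED:) dropped: $(count_prefix "$WORK/debug" DROPED)"
echo "dropped per port:"
dpt_counts "$WORK/debug" DROPED
```

Because the kernel prints the prefix immediately before the IN= field, ending the --log-prefix string with a space keeps the prefix and the packet fields apart in the log and makes the grep patterns above simpler.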