Re: logging iptables

To: Lars Roland Kristiansen <m00lrk@math.ku.dk>
Cc: Jean-Francois Dive <jef@linuxbe.org>, Debian-security@lists.debian.org
Subject: Re: logging iptables
From: Berend De Schouwer <bds@jhb.ucs.co.za>
Date: 22 Apr 2002 11:44:56 +0200
Message-id: <[🔎] 1019468696.3347.35.camel@bds.ucs.co.za>
In-reply-to: <[🔎] Pine.OSF.4.21.0204221121120.86-100000@gram.math.ku.dk>
References: <[🔎] Pine.OSF.4.21.0204221121120.86-100000@gram.math.ku.dk>

On Mon, 2002-04-22 at 11:24, Lars Roland Kristiansen wrote:
> Hi and thanks i did look at the man pages but i am completly new to
> firewalls so i got more confused than i was before. A little extra - when
> i use LOG i can tjek out the messeges using syslog or dmesg - is there
> a way i can filter this LOG information into its own log file in /var/log 
> ?????

As always: more than one way :)

Add '--log-level debug' to iptables, add "kern.debug /var/log/debug' to
/etc/syslog.conf, killall -HUP syslogd, and look in /var/log/debug.
If you have a line in /etc/syslog.conf that says 'kern.*' or '*.debug'
(the default syslog.conf does), then it will go to those logfiles too.

You could also try installing syslog-ng instead of syslogd, and use
'--log-prefix iptables', and setup a syslog filter rule for iptables. 
I've never tried this.
> 
> thanks
> 
> > Hi,
> > 
> > As from the man:
> > 
> > LOG:
> > 	This is a "non-terminating target",
> >        i.e. rule traversal continues at the next rule.  So if you
> >        want to LOG the packets you refuse, use two separate rules
> >        with  the  same matching criterias, first using target LOG
> >        then DROP (or REJECT).
> > 
> > So, simply insert a rule which match the traffic you accept, before you accept
> > it.
> > 
> > An advice: you accpt any packet with destination port matching your services.
> > You should only accpet the --state NEW packets; -s 0/0 is useless, use -m limit
> > is quite usefull too, and finally, if you want to have stats on a per protocol
> > basis, you should use a separate line for each proto and use the counters
> > associated with each rule. 
> > 
> > 
> > iptables -P INPUT DROP
> > iptables -A INPUT -p tcp -m multiport -m state --state NEW --dport 22,25,110,113 -i eth0 -m limit -j LOG --log-prefix "ACCEPTED:"
> > iptables -A INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
> > iptables -A INPUT -p tcp -m multiport -m state --state NEW --dport 25 -i eth0 -j ACCEPT
> > ..
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m limit -j LOG --log-prefix "DROPED"
> > 
> > 
> > Hope that help,
> > 
> > JeF
> > 
> 
> ___
> Mvh./Yours sincerely
> 
> Lars 
> 
> ========================================================================
> Lars Roland Kristiansen             | Email:        m00lrk@math.ku.dk 
> Stu. Sci. Math/Computer science     | TLF(home):    39670663 
> Copenhagen University -             | Home address: Emdrupvej 175 
> Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
> Url: www.math.ku.dk                 |
> ========================================================================
> 
>    "Politics is for the moment, equations are forever"
>                                                     - Albert Einstein
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
-- 
Berend De Schouwer


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Re: logging iptables
  - From: Lars Roland Kristiansen <m00lrk@math.ku.dk>

Prev by Date: passwd by WWW
Next by Date: unsubscribe
Previous by thread: Re: logging iptables
Next by thread: Re: logging iptables
Index(es):
- Date
- Thread