Logging Deny/Reject packets

blindgren · 06-20-2004, 11:20 PM

I am using Shorewall for my firewall. As it sits it is logging Accept packets fine to /var/log/messages. Does anyone have any info on how to log Deny/Reject packets to /var/log/messages as well?

peter_robb · 06-21-2004, 08:09 AM

Add a LOG rule the same as the DROP rule just before each DROP rule,eg
iptables -A FORWARD -i eth1 -p tcp --dport 22 -s ! 80.80.80.81 -j LOG --log-prefix "ssh_drop "
iptables -A FORWARD -i eth1 -p tcp --dport 22 -s ! 80.80.80.81 -j DROP

If you have a DROP policy, add a simple -j LOG rule as the last rule in those chains, eg
iptables -A INPUT -j LOG --log=prefix "policy_drop "

In Shorewall, make a duplicate of the DROP rule, change it to LOG and insert it before the DROP rule,

blindgren · 06-21-2004, 08:39 AM

Thanks. I was thinking about doing that but figured there was a way to accomplish that the same as the Accept packets (I didn't have to add the log Accept, it did that automatically). I will give it a try tonight. Thanks again.

blindgren · 06-21-2004, 10:15 PM

Peter,

Your post pointed me in the right direction.

Under /etc/shorewall/rules to log packets for any rule you add the syslog level after the "action" for a rule.

Example:
DROP:info loc net tcp - 135,137:139,445 - - -
DROP:info loc net udp - 135,137:139,445,593 - - -

Drop the packet and log to syslog at the info level. I think there are 6 different levels depending on what kind of infformation you want.

Thanks again.