LinuxQuestions.org


blkcamarozr28 08-27-2006 05:41 PM

IPTABLES: How do you log denied packets
 
How do you log the deny & permitted packets when using IPTABLES? From time to time I need to write custom rules so being able to see what is being denied helps a lot.

My system runs CentOS4.3 & FC1-5. Thanks!


Wilson

fotoguy 08-27-2006 06:16 PM

You will need to adjust these to your system and place them at the bottom of the script after your allow rules. Some custom logging rules will look like this:

Code:

# Log whatever reaches the end of the chain (i.e. was not accepted by an
# earlier rule), with a prefix that makes the lines easy to grep for.
iptables -A INPUT -p tcp -j LOG --log-prefix "TCP LOGDROP: "
iptables -A INPUT -p udp -j LOG --log-prefix "UDP LOGDROP: "
iptables -A INPUT -p icmp -j LOG --log-prefix "ICMP LOGDROP: "
iptables -A INPUT -f -j LOG --log-prefix "FRAGMENT LOGDROP: "
iptables -A INPUT -j DROP # LOG does not stop the packet, so drop everything after logging


These are pretty generic; you may need to read up on iptables to find out how to use these rules properly.

blkcamarozr28 08-27-2006 08:32 PM

Thanks! Does this automatically put the logs in /var/log/messages?

fotoguy 08-27-2006 10:46 PM

Yes, it should send all logs to /var/log/messages. Then if you want to view them you could make a cron job, or just run a script to find the logged packets and copy them to another file for easier viewing, or emailing to someone later.

Code:

#!/bin/sh
# Pull the lines written by the LOGDROP rules out of /var/log/messages
# and append them to a separate file (change the path to suit your system).
grep "TCP LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
grep "UDP LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
grep "ICMP LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
grep "FRAGMENT LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
exit 0
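
As an added example (not from either poster in this thread) of making those grep results easier to read: a POSIX sh function that parses the kernel's LOG lines (the SRC=, PROTO= and DPT= fields the LOG target writes) and counts the drops per source address and destination port, busiest first. The sample log lines are constructed; the hostname, addresses and ports are made up.

```shell
#!/bin/sh
# Constructed sample of what the LOG rules above write to /var/log/messages,
# plus one unrelated sshd line to show that non-LOGDROP lines are ignored.
SAMPLE_LOG='Aug 27 22:46:01 host kernel: TCP LOGDROP: IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 22:46:02 host kernel: TCP LOGDROP: IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=45679 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 22:46:03 host kernel: TCP LOGDROP: IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=45680 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 22:46:04 host kernel: UDP LOGDROP: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Aug 27 22:46:05 host kernel: ICMP LOGDROP: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Aug 27 22:46:06 host sshd[123]: Accepted publickey for wilson from 192.0.2.99 port 1234 ssh2'

# summarize_logdrops: read log lines on stdin, keep only the LOGDROP lines and
# print "count proto src dpt", most frequent first ("-" when there is no DPT,
# e.g. ICMP). Each KEY=VALUE token is split so field positions do not matter.
summarize_logdrops() {
    grep 'LOGDROP:' | awk '{
        proto = ""; src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[proto " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# count_logdrops_from_src: how many logged drops came from one source address
# (the trailing space keeps 192.0.2.1 from matching 192.0.2.10).
count_logdrops_from_src() {
    grep 'LOGDROP:' | grep -c "SRC=$1 " || true
}

# Demo on the constructed sample; on a real box use: summarize_logdrops < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_logdrops
```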


