LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-21-2005, 09:19 AM   #1
doublejoon
Member
 
Registered: Oct 2003
Location: King George, VA
Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint
Posts: 370

Rep: Reputation: 44
Iptables Logging


Hi all,
I am in need of a quick tutorial on adding iptables logging to my existing rules. I haven't found a clear distinct description on how to do basic logging.

Can anyone help or point me in the right direction?
So far all I have done is "modprobe ipt_LOG"
 
Old 11-21-2005, 10:27 AM   #2
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
At the very end of my firewall script, I have

Code:
# Log the rest of the incoming messages (all of which are dropped)
# with a maximum of 15 log entries per minute
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "

# Reject any packets that do not meet the specified criteria
/sbin/iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
In /etc/syslog.conf, I have

Code:
kern.=debug     /var/log/firewall
The "log-level" specified in my firewall script is the "debug" level, so the syslog.conf file reflects this fact and sets up the file /var/log/firewall to capture all of these messages. You have to issue a "/sbin/service syslog restart", and then the file "/var/log/firewall" will appear, and will quickly start filling up. The "Dropped by firewall: " prefix is something I use to separate the firewall entries from the other (though very few) entries that inevitably get assigned the debug level.
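Once kern.=debug is routed to /var/log/firewall, the useful next step is to read those lines back in a structured way rather than eyeballing them. The following is an added example, not code from this thread or from the iptables project: it renders the LOG rule shown above (rejecting a --log-prefix longer than the 29 characters iptables(8) allows), parses the kernel's "IN=... OUT=... SRC=..." records out of syslog lines that carry the "Dropped by firewall: " prefix, ignores unrelated debug-level kernel messages, and tallies drops per source address and per protocol/port. The host name, addresses and MAC in the sample lines are constructed.

```python
import re
import shlex
from collections import Counter

# iptables(8) documents --log-prefix as taking up to 29 characters.
MAX_LOG_PREFIX = 29


def log_rule(chain, prefix, limit="15/minute", level=7, iptables="/sbin/iptables"):
    """Render one rate-limited LOG rule of the shape used in the post above,
    refusing a prefix the kernel would truncate."""
    if len(prefix) > MAX_LOG_PREFIX:
        raise ValueError(f"--log-prefix longer than {MAX_LOG_PREFIX} characters: {prefix!r}")
    return (f"{iptables} -A {chain} -m limit --limit {limit} -j LOG "
            f"--log-level {level} --log-prefix {shlex.quote(prefix)}")


# Syslog line as written to /var/log/firewall by the kern.=debug selector:
# "<timestamp> <host> kernel: <prefix>IN=... OUT=... SRC=... ...".
KERNEL_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<fields>IN=.*)$"
)


def parse_log_line(line, prefix="Dropped by firewall: "):
    """Return a dict of packet fields for a LOG line carrying `prefix`,
    or None for any other kernel message."""
    m = KERNEL_LOG.match(line)
    if m is None or m.group("prefix") != prefix:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            # ICMP and UDP lines repeat ID= and LEN= for the inner header;
            # keep the first (IP header) value.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(token)  # bare flags such as DF, SYN
    return rec


def summarize(text, prefix="Dropped by firewall: "):
    """Parse every line of `text`; tally drops per source and per (proto, dport)."""
    records = [r for r in (parse_log_line(l, prefix) for l in text.splitlines()) if r]
    per_source = Counter(r["SRC"] for r in records)
    per_service = Counter((r["PROTO"], r.get("DPT", "-")) for r in records)
    return records, per_source, per_service


# Constructed sample: four dropped packets plus one unrelated kernel message.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Nov 21 10:31:02 gw kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 10:31:02 gw kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40113 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 10:31:05 gw kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Nov 21 10:31:07 gw kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=5555 DPT=161 LEN=20
Nov 21 10:31:09 gw kernel: usb 1-1: new high-speed USB device number 3 using ehci_hcd
"""

if __name__ == "__main__":
    print(log_rule("INPUT", "Dropped by firewall: "))
    records, per_source, per_service = summarize(SAMPLE_LOG)
    print(f"{len(records)} dropped packets")
    for src, n in per_source.most_common():
        print(f"  {src:15} {n}")
    for (proto, dpt), n in per_service.most_common():
        print(f"  {proto}/{dpt:5} {n}")
```

Point `summarize()` at the contents of /var/log/firewall with the same prefix you configured and the per-source counter is the quickest way to spot a single host hammering the box, which is also why the prefix matters: it is the only thing separating these lines from other debug-level kernel output in the same file.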
 
Old 11-21-2005, 11:40 AM   #3
doublejoon
Member
 
Registered: Oct 2003
Location: King George, VA
Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint
Posts: 370

Original Poster
Rep: Reputation: 44
You are the Man!!!!! or Woman!!!!

Works great!!! Thank you.... You made it very simple

Now with this setup will I be able to keep my /var/log partition from filling up if some "Not so nice person" decides to:

ping -c 400000 "myip"
 
Old 11-23-2005, 12:28 PM   #4
Mad Scientist
Member
 
Registered: May 2003
Posts: 167

Rep: Reputation: 30
I'm glad to hear it worked. (Oh, and "Man", by the way.)
 
Old 12-15-2005, 04:02 AM   #5
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
You can also set up rules this way as well, just create the chain then send the packets to it, this way it's easy to change only a couple of variables rather than having to go through the whole script.

Code:
# Path to the iptables binary, defined once at the top of the script
IPTABLES=/sbin/iptables

LOGLIMIT="2/s"
LOGLIMITBURST="10"

# One chain that logs (rate-limited, per protocol) and then drops
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
# -f matches second and further fragments of a fragmented packet
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
$IPTABLES -A LOGDROP -j DROP

# Send unwanted inbound traffic on eth0 through the chain
$IPTABLES -A INPUT -p icmp -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p tcp -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p udp -i eth0 -j LOGDROP
 
Old 12-23-2005, 01:01 PM   #6
doublejoon
Member
 
Registered: Oct 2003
Location: King George, VA
Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint
Posts: 370

Original Poster
Rep: Reputation: 44
That is an easy way of doing it I see. Just define variables in the beginning and no need to re-enter values in each rule.

This is good stuff all


Thank you very much
 
Old 12-23-2005, 06:56 PM   #7
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally Posted by doublejoon
That is an easy way of doing it I see. Just define variables in the beginning and no need to re-enter values in each rule.

This is good stuff all


Thank you very much
Happy you found it useful. One thing to note as well is the logging prefix:

Code:
--log-prefix "TCP LOGDROP: "
Only takes, I think, a maximum of 29 characters if memory serves me right.
 
Old 01-08-2006, 04:49 AM   #8
dimsh
Member
 
Registered: Aug 2005
Distribution: Debian, Ubuntu, Fedora
Posts: 74

Rep: Reputation: 15
Quote:
Originally Posted by Mad Scientist
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
Quote:
Originally Posted by fotoguy
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
$IPTABLES -A LOGDROP -j DROP
this is a very useful LOG tutorial, but
I am wondering what is the benefit from putting "-m limit --limit 15/minute" in the log rule ??


Thanks
 
Old 01-09-2006, 04:20 AM   #9
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Not sure about the use of 15/minute, that's rather a long time; I prefer a much shorter one. But the idea is to limit the amount of logging so you don't fill your logs up. If there is no limit to reach, log files can grow by quite a few MB in a day. You will also be tying up lots of processing power writing logs 24/7; if the same IP address keeps hammering you, there is little sense in logging it all, you only need a small amount to see the pattern and record it.
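To put numbers on that, and on the "ping -c 400000" question from earlier in the thread, here is an added Python model (not code from this thread or from the iptables project) of what -m limit does in front of a LOG rule. It follows the behaviour iptables(8) documents: a bucket that starts with --limit-burst tokens (default 5), where each matching packet spends one token and tokens refill at the --limit rate, so a LOG rule guarded by the match can emit at most burst lines immediately and then only one per refill interval. The rate parser accepts the same "N/second|minute|hour|day" spellings and prefixes (2/s, 15/minute) as iptables. The flood of 400000 packets at 1000 packets per second is a constructed assumption, not a measurement.

```python
# Token-bucket model of "-m limit --limit RATE --limit-burst BURST".
# This is a model of the documented behaviour, not the kernel's xt_limit code.

UNITS_MS = {"second": 1_000, "minute": 60_000, "hour": 3_600_000, "day": 86_400_000}


def parse_rate_ms(rate):
    """Turn an iptables rate such as '15/minute' or '2/s' into the number of
    milliseconds one token takes to refill."""
    count, _, unit = rate.partition("/")
    unit = unit or "second"  # iptables defaults to /second
    for name, ms in UNITS_MS.items():
        if name.startswith(unit.lower()):  # iptables accepts prefixes: s, min, h, ...
            return ms // int(count)
    raise ValueError(f"unknown rate unit in {rate!r}")


class LimitMatch:
    """One instance of '-m limit --limit RATE --limit-burst BURST'."""

    def __init__(self, rate="15/minute", burst=5):  # burst=5 is the iptables default
        self.interval_ms = parse_rate_ms(rate)
        self.cap_ms = burst * self.interval_ms  # bucket capacity, in token-milliseconds
        self.credit_ms = self.cap_ms            # the bucket starts full
        self.last_ms = 0

    def matches(self, now_ms):
        """True if the packet seen at now_ms passes the limit (and so gets logged)."""
        self.credit_ms = min(self.cap_ms, self.credit_ms + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit_ms >= self.interval_ms:
            self.credit_ms -= self.interval_ms
            return True
        return False


def simulate_flood(rate="15/minute", burst=5, packets=400_000, pps=1_000):
    """Count the log lines a flood of `packets` packets at `pps` packets/second
    produces through a LOG rule guarded by the given limit (rate=None: no limit)."""
    limit = LimitMatch(rate, burst) if rate else None
    logged = 0
    for i in range(packets):
        t_ms = i * 1_000 // pps  # packet i arrives at this millisecond
        if limit is None or limit.matches(t_ms):
            logged += 1
    return logged


if __name__ == "__main__":
    # Constructed flood: 400000 pings at 1000/s, as in "ping -c 400000" above.
    print("no limit:          ", simulate_flood(rate=None))        # 400000
    print("15/minute, burst 5:", simulate_flood())                 # 104
    print("2/s, burst 10:     ", simulate_flood("2/s", burst=10))  # 809
```

Read the three numbers together: without the match every one of the 400000 pings becomes a log line, the 15/minute rule logs the first five and then one every four seconds (104 lines over the whole 400-second flood), and the 2/s rule with burst 10 still keeps it to 809. Either way the log stays readable and the disk stays out of trouble; the trade-off is that a short limit interval shows more of the pattern while a long one, as the post says, may hide it.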
 
  

