Old 09-16-2009, 05:50 AM   #1
Psystorm
LQ Newbie
 
Registered: Sep 2009
Posts: 5

Rep: Reputation: 0
Logging with Iptables does not work


Hello!

I'm trying to set up a firewall that logs all dropped packets, but I can't get it working. For troubleshooting I installed a fresh ubuntu-9.04-i386-minimal image from my hoster and edited the syslog.conf, so that it logs everything into one logfile:
Code:
*.* /var/log/everything.log
After that I restarted sysklogd and added this rule to the iptables INPUT chain:
Code:
iptables -A INPUT -j LOG
I now generate some incoming traffic by pinging from another computer (and also with the ssh connection with which I'm connected to the server), however this does not show up in the log file:
Code:
Sep 16 12:19:27 vs24029 syslogd 1.5.0#5ubuntu3: restart.
Iptables shows that it has packets matching the rule:
Code:
Chain INPUT (policy ACCEPT 888 packets, 540K bytes)
 pkts bytes target     prot opt in     out     source               destination 
   63  4476 LOG        all  --  any    any     anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 759 packets, 74938 bytes)
 pkts bytes target     prot opt in     out     source               destination
And with dmesg I get the following:
Code:
[3542423.358689] IN=venet0 OUT=
Thanks for the help.
Psystorm
 
Old 09-16-2009, 05:55 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote: Originally Posted by Psystorm
How my iptables logs:


Code:
-A LOG_DROP -j LOG --log-prefix "dropped packet" --log-level debug
-A LOG_DROP -j DROP
Just note the --log-level debug.

then in the syslog.conf

Code:
# Send iptables LOGDROPs to /var/log/iptables
kern.=debug                                             /var/log/iptables

This catches kernel debug messages.
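As an added illustration of the two points in this reply (not code from the thread or from sysklogd): a small Python script that emulates how a syslog.conf selector such as kern.=debug chooses messages, and that parses iptables LOG lines out of a syslog-written file to tally dropped packets by source and destination port. It also reflects two things worth checking: the plain "iptables -A INPUT -j LOG" in the first post logs at priority warning (as the chain listing shows), which kern.=debug alone would never match, and the LOG target prints --log-prefix verbatim, so a prefix without a trailing space runs straight into "IN=". The log lines, hostname and addresses are constructed samples.

```python
import re
from collections import Counter

# syslog priorities, least to most severe
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def selector_matches(selector, facility, priority):
    """Emulate a syslog.conf selector: 'kern.debug' matches debug and anything
    more severe, 'kern.=debug' matches only debug, '*' is a wildcard."""
    sel_fac, sel_prio = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    if sel_prio == "*":
        return True
    if sel_prio.startswith("="):
        return PRIORITIES.index(priority) == PRIORITIES.index(sel_prio[1:])
    return PRIORITIES.index(priority) >= PRIORITIES.index(sel_prio)

# Kernel LOG lines: optional "[uptime]" stamp, the --log-prefix text, then KEY=VALUE fields.
# The prefix is printed verbatim, so without a trailing space it runs into "IN=".
LOG_LINE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$")

def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields plus PREFIX, or None for a non-LOG line."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    # flags without a value (DF, SYN, ...) are skipped; "OUT=" yields an empty string
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["PREFIX"] = m.group("prefix").strip()
    return fields

def summarize_drops(lines, prefix="dropped packet"):
    """Count logged drops by source address and by (PROTO, DPT)."""
    by_src, by_dport = Counter(), Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None or f["PREFIX"] != prefix:
            continue
        by_src[f.get("SRC")] += 1
        by_dport[(f.get("PROTO"), f.get("DPT"))] += 1
    return by_src, by_dport

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    "Sep 16 13:45:35 vs24029 kernel: dropped packetIN=venet0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 SYN URGP=0",
    "Sep 16 13:45:36 vs24029 kernel: dropped packetIN=venet0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 SYN URGP=0",
    "Sep 16 13:45:37 vs24029 kernel: dropped packetIN=venet0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 SEQ=1",
    "Sep 16 13:45:38 vs24029 kernel: Cannot find map file.",
]
```

Run summarize_drops over the lines of /var/log/iptables (or /var/log/everything.log) to get the per-source and per-port counts; selector_matches("kern.=debug", "kern", "warning") returns False, which is why the first post's rule needs the "*.*" catch-all or an explicit --log-level debug.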
 
Old 09-16-2009, 06:19 AM   #3
Psystorm
LQ Newbie
 
Registered: Sep 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Okay, I now tried to set up my iptables and sysklogd like yours:
Code:
iptables -F
iptables -X

iptables -N log_drop
iptables -A log_drop -j LOG --log-prefix "dropped packet" --log-level debug
iptables -A INPUT -j log_drop
Code:
kern.=debug /var/log/iptables
*.* /var/log/everything.log
For some reason iptables still doesn't log anything to /var/log/iptables or /var/log/everything.log. Logging in general is working since other entries are created in the /var/log/everything.log.
 
Old 09-16-2009, 06:27 AM   #4
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote: Originally Posted by Psystorm

Did you restart syslog and iptables?
 
Old 09-16-2009, 06:34 AM   #5
Psystorm
LQ Newbie
 
Registered: Sep 2009
Posts: 5

Original Poster
Rep: Reputation: 0
I restarted sysklogd and reset iptables with
Code:
iptables -F
iptables -X
 
Old 09-16-2009, 06:42 AM   #6
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote: Originally Posted by Psystorm

OK, but is the packet counter still increasing for the log_drop rule?
Any logs collected in dmesg?
 
Old 09-16-2009, 06:50 AM   #7
Psystorm
LQ Newbie
 
Registered: Sep 2009
Posts: 5

Original Poster
Rep: Reputation: 0
The packet counter is increasing and dmesg now gives the following:
Code:
[3544900.127112] BUG: recent printk recursion!
[3544900.127291] BUG: recent printk recursion!
I also tried restarting klogd, but it does not continue when started again and creates the following error log messages:
Code:
Sep 16 13:45:35 vs24029 kernel: Cannot find map file.
Sep 16 13:45:35 vs24029 kernel: No module symbols loaded - kernel modules not enabled.
I'm investigating on those at the moment.

Last edited by Psystorm; 09-16-2009 at 07:14 AM.
 
Old 09-16-2009, 09:00 AM   #8
Psystorm
LQ Newbie
 
Registered: Sep 2009
Posts: 5

Original Poster
Rep: Reputation: 0
I finally found the problem, it is a bug in OpenVZ: http://bugzilla.openvz.org/show_bug.cgi?id=1284.

Thanks for your help!
 
Old 09-16-2009, 09:03 AM   #9
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote: Originally Posted by Psystorm
lol... yes, I saw that but didn't get around to asking if you were using OpenVZ.
 
Tags
iptables, logging, openvz