Logging with Iptables does not work

Psystorm · 09-16-2009, 06:50 AM

Hello!

I'm trying to set up a firewall that logs all dropped packets, but I can't get it working. For troubleshooting I installed a fresh ubuntu-9.04-i386-minimal image from my hoster and edited the syslog.conf, so that it logs everything into one logfile:

Code:

*.* /var/log/everything.log

After that I restartet sysklogd and added this rule to the iptables input chain:

Code:

iptables -A INPUT -j LOG

I now generate some incoming traffic by pinging from another computer (and also with the ssh connection with which I'm connected to the server), however this does not show up in the log file:

Code:

Sep 16 12:19:27 vs24029 syslogd 1.5.0#5ubuntu3: restart.

Iptables tells, that it has packets matching the rule:

Code:

Chain INPUT (policy ACCEPT 888 packets, 540K bytes)
 pkts bytes target     prot opt in     out     source               destination 
   63  4476 LOG        all  --  any    any     anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 759 packets, 74938 bytes)
 pkts bytes target     prot opt in     out     source               destination

And with dmesg I get the following:

Code:

[3542423.358689] IN=venet0 OUT=

Thanks for the help.
Psystorm

centosboy · 09-16-2009, 06:55 AM

Quote:

Originally Posted by Psystorm

Hello!

I'm trying to set up a firewall that logs all dropped packets, but I can't get it working. For troubleshooting I installed a fresh ubuntu-9.04-i386-minimal image from my hoster and edited the syslog.conf, so that it logs everything into one logfile:

Code:

*.* /var/log/everything.log

After that I restartet sysklogd and added this rule to the iptables input chain:

Code:

iptables -A INPUT -j LOG

I now generate some incoming traffic by pinging from another computer (and also with the ssh connection with which I'm connected to the server), however this does not show up in the log file:

Code:

Sep 16 12:19:27 vs24029 syslogd 1.5.0#5ubuntu3: restart.

Iptables tells, that it has packets matching the rule:

Code:

Chain INPUT (policy ACCEPT 888 packets, 540K bytes)
 pkts bytes target     prot opt in     out     source               destination 
   63  4476 LOG        all  --  any    any     anywhere             anywhere            LOG level warning

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 759 packets, 74938 bytes)
 pkts bytes target     prot opt in     out     source               destination

And with dmesg I get the following:

Code:

[3542423.358689] IN=venet0 OUT=

Thanks for the help.
Psystorm

how my iptables logs.

Code:

-A LOG_DROP -j LOG --log-prefix "dropped packet" --log-level debug
-A LOG_DROP -j DROP

just note the --log-level debug

then in the syslog.conf

Code:

# Send iptables LOGDROPs to /var/log/iptables
kern.=debug                                             /var/log/iptables

catch kernel debug messages.

Psystorm · 09-16-2009, 07:19 AM

Okay I now tried to set up my iptables and sysklogd as yours:

Code:

iptables -F
iptables -X

iptables -N log_drop
iptables -A log_drop -j LOG --log-prefix "dropped packet" --log-level debug
iptables -A INPUT -j log_drop

Code:

kern.=debug /var/log/iptables
*.* /var/log/everything.log

For some reason iptables still doesn't log anything to /var/log/iptables or /var/log/everything.log. Logging in general is working since other entries are created in the /var/log/everything.log.

centosboy · 09-16-2009, 07:27 AM

Quote:

Originally Posted by Psystorm

Okay I now tried to set up my iptables and sysklogd as yours:

Code:

iptables -F
iptables -X

iptables -N log_drop
iptables -A log_drop -j LOG --log-prefix "dropped packet" --log-level debug
iptables -A INPUT -j log_drop

Code:

kern.=debug /var/log/iptables
*.* /var/log/everything.log

For some reason iptables still doesn't log anything to /var/log/iptables or /var/log/everything.log. Logging in general is working since other entries are created in the /var/log/everything.log.

did you restart syslog and iptables?

Psystorm · 09-16-2009, 07:34 AM

I restarted sysklogd and reseted iptables with

Code:

iptables -F
iptables -X

centosboy · 09-16-2009, 07:42 AM

Quote:

Originally Posted by Psystorm

I restarted sysklogd and reseted iptables with

Code:

iptables -F
iptables -X

ok, but packet counter is still increasing for the log_drop rule???
any logs collected in dmesg?

Psystorm · 09-16-2009, 07:50 AM

The packet counter is increasing and dmesg now gives the following:

Code:

[3544900.127112] BUG: recent printk recursion!
[3544900.127291] BUG: recent printk recursion!

I also tried restarting the klogd, but it does not continue when starting it again and creates the following error log messages:

Code:

Sep 16 13:45:35 vs24029 kernel: Cannot find map file.
Sep 16 13:45:35 vs24029 kernel: No module symbols loaded - kernel modules not enabled.

I'm investigating on those at the moment.

Psystorm · 09-16-2009, 10:00 AM

I finally found the problem, it is a bug in OpenVZ: http://bugzilla.openvz.org/show_bug.cgi?id=1284.

Thanks for your help!

centosboy · 09-16-2009, 10:03 AM

Quote:

Originally Posted by Psystorm

I finally found the problem, it is a bug in OpenVZ: http://bugzilla.openvz.org/show_bug.cgi?id=1284.

Thanks for your help!

lol...yes i seen that but didnt get around to ask if you were using openvz