LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 04-28-2008, 04:35 AM   #1
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Rep: Reputation: 15
iptables logging


hello guys

these from my firewall script

$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -p tcp -j LOG --log-level info

and my
/etc/syslog.conf >> kern.=info /var/log/iptables

the iptables rules works fine but i dont get any entry
inside /var/log/iptables

i dont want to log only the DROPED packets ,i want to log all packets..
how to do that ??

thanks alot
 
Old 04-28-2008, 04:37 AM   #2
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
As soon as IPTABLES finds a rule that matches, it stops checking all other rules. If you want to log everything, move the log rule to before the drop rule and you'll be sweet.
 
Old 04-28-2008, 04:45 AM   #3
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Original Poster
Rep: Reputation: 15
im thankfull for ur reply

r u saying that after the policy DROP
i should put the logging rule befor all the others??
 
Old 04-28-2008, 04:52 AM   #4
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
Sorry, I re-read my post and agree it wasn't clear. If you want to log something, you must put the logging rule before any other rule that it might match. The log rule is the exception to my earlier comment that iptables stops checking other rules when it finds one that matches. That is, once it reaches the log rule, it WILL continue reading other rules.

In your example the DROP rule is before the log rule, and the DROP rule matches everything and the log rule is never reached. You need to move the log rule up your list of rules - where exactly is up to you and depends on what other rules you have defined.
 
Old 04-28-2008, 05:13 AM   #5
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Original Poster
Rep: Reputation: 15
sorry , but that is not a rule thats a DROP policy
 
Old 04-28-2008, 05:23 AM   #6
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
I need to put my glasses on....

I've used this in my iptables before to log traffic:-
Code:
-A -j LOG --log-level info
Log entries for me are going to /var/log/messages.
 
Old 04-28-2008, 05:28 AM   #7
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Original Poster
Rep: Reputation: 15
either my question is not clear or u dont know the answer
cant u c that my syslog.conf points kernel.=info to /var/log/iptables
anyway there is nothing in my /var/log/messages belong to iptables or packets info
 
Old 04-28-2008, 05:35 AM   #8
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
Have you tried "kern.info /var/log/iptables" in /etc/syslog.conf? This worked for me. Also, did you restart iptables and syslog services after your changes?
 
Old 04-28-2008, 07:52 AM   #9
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Original Poster
Rep: Reputation: 15
sorry still not logging
 
Old 04-28-2008, 07:58 AM   #10
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
If syslogd is the problem then possibly the log data is being written to another log file in /var/log. Are there files in that directory that are being updated continuously?

Alternatively, as you know, your iptables settings aren't correct. Can you post your full /etc/sysconfig/iptables file? Try running "watch -d iptables -nvL" and see if there is any activity on your log rule. Here's a sample from my system:-
Code:
Every 2.0s: iptables -nvL                                                                                           Mon Apr 28 22:29:12 2008

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  322 22108 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 275 packets, 43029 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  322 22108 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Last edited by blacky_5251; 04-28-2008 at 08:00 AM. Reason: Added watch example data
 
Old 04-28-2008, 08:18 AM   #11
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Original Poster
Rep: Reputation: 15
Chain INPUT (policy DROP 247 packets, 37910 bytes)
pkts bytes target prot opt in out source destination
125K 79M LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6

my firewall

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F


####### Configure IPROUTE2 Rules #######

####### IPTABLES Rules #################

############ INPUT
$IPTABLES -A INPUT -p tcp -j LOG --log-level info
$IPTABLES -A INPUT -i $EXTIF -p icmp -m icmp --icmp-type redirect -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 22,21,20,587,110 -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
############ FORWARD
# Syn-flood
$IPTABLES -A FORWARD -p tcp -j LOG --log-level info
$IPTABLES -A FORWARD -p tcp -i $INTIF -o $EXTIF -m multiport --destination-port 22,21,20,25,53,443,587,110,5190,1863,5000,5050 -j ACCEPT

$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Ports Scans
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Ping Death
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

$IPTABLES -A FORWARD -p udp -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $INTIF -o $EXTIF -j ACCEPT

# NetBs Drop
$IPTABLES -A FORWARD -p tcp --dport 135:139 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 445 -j DROP

############ OUTPUT

############ PREROUTING ##
$IPTABLES -t nat -A PREROUTING -p tcp -d ! 10.0.0.0/24 -m multiport --dports 80,81,82,83,kerberos,8000,8001,8002 -j REDIRECT --to-ports 3128

$IPTABLES -t nat -A PREROUTING -p tcp -d ! 172.17.60.0/24 -m multiport --dports 8083,8091,8100,8101,8102,8103,8888,777 -j REDIRECT --to-ports 3128


# POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 10.0.0.10/24 -j SNAT --to-source `get_addr $EXTIF`



thank u for ur time
 
Old 04-28-2008, 05:53 PM   #12
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 55
OK, so the LOG target is being hit and the numbers are increasing as you "watch" the output from iptables (correct?). This indicates your syslog.conf file is not correct and is sending your log data somewhere else.

Use "ls -lt /var/log | head" to see which files are being updated regularly. Can you post your full /etc/syslog.conf file as well?
 
Old 04-29-2008, 03:24 AM   #13
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Original Poster
Rep: Reputation: 15
root@Office:~# ls -lt /var/log | head
total 1956
-rw-r----- 1 root root 431801 2008-04-29 11:24 messages
-rw-r--r-- 1 root root 293168 2008-04-29 11:18 lastlog
-rw-rw-r-- 1 root utmp 149760 2008-04-29 11:18 wtmp
-rw------- 1 root root 490752 2008-04-29 08:39 btmp
-rw-r----- 1 root root 71701 2008-04-29 08:39 syslog
-rw-r----- 1 root root 24096 2008-04-28 12:11 faillog
-rw-r----- 1 root root 193 2008-04-28 12:11 secure
drwxr-xr-x 2 root root 20480 2008-04-28 10:44 packages/
-rw-r--r-- 1 root root 0 2008-04-27 16:21 iptables

kern.info /var/log/iptables

# Uncomment this to see kernel messages on the console.
#kern.* /dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/syslog

# Debugging information is logged here.
*.=debug -/var/log/debug

# Private authentication message logging:
authpriv.* -/var/log/secure

# Cron related logs:
cron.* -/var/log/cron

# Mail related logs:
mail.* -/var/log/maillog

# Emergency level messages go to all users:
*.emerg *

# This log is for news and uucp errors:
uucp,news.crit -/var/log/spooler
 
Old 04-29-2008, 06:18 AM   #14
GhostCow
Member
 
Registered: Aug 2007
Posts: 47

Rep: Reputation: 15
restart syslog and check again
don't forget, syslog MUST BE RESTARTED AFTER INITIALIZING LOG RULE

Last edited by GhostCow; 04-29-2008 at 06:23 AM.
 
Old 04-29-2008, 06:24 AM   #15
hemi_426
Member
 
Registered: Apr 2008
Location: KSA-jeddah
Distribution: CentOS, gentoo, slackware
Posts: 80

Original Poster
Rep: Reputation: 15
i will try it now
 
  


Reply

Tags
iptables, logging


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables not logging anything~ deeptii Linux - Networking 11 05-31-2006 02:35 AM
Iptables Logging doublejoon Linux - Security 8 01-09-2006 04:20 AM
Iptables logging asterisk Linux - Networking 2 09-04-2004 12:16 AM
iptables logging zsoltrenyi Linux - Software 1 08-19-2004 10:15 AM
I need help on iptables logging FunkFlex Linux - Security 1 01-17-2003 11:43 AM


All times are GMT -5. The time now is 11:14 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration