Old 05-16-2011, 01:12 PM   #1
BlackHawk
Member
 
Registered: Mar 2011
Location: Southern California
Distribution: Fedora 14
Posts: 59

Rep: Reputation: 1
iptables unable to log to rsyslogd


Hey everyone.

Okay, here is the problem that I am having. I am using iptables and what I want to do is have it log to a specific file that I have set for it. Here is what I edited in rsyslog.conf:

#kern.* /dev/console

:msg, contains, "iptables" /var/log/iptables
& ~

Okay, now as far as iptables rules go, here is what I am working with:

iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables"

However, when I run my script I get this kind of output:

iptables v1.4.9: unknown option `--log-level'
Try `iptables -h' or 'iptables --help' for more information.

When I do 'iptables -L -n' I get this kind of output:
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `iptables'


Okay, what I am wondering is, one, why I am getting this error "unknown option '--log-level'", and two, why it is not writing anything to /var/log/iptables.

When I do 'cat /var/log/iptables' I get nothing.

If anyone has come across this kind of problem and has any insight I would greatly appreciate it.
 
Old 05-16-2011, 10:08 PM   #2
BlackHawk

Original Poster
Rep: Reputation: 1
Okay guys, here is what I have tried on my own...

I have tried editing /etc/rsyslog.conf and instead of doing what I did above to create /var/log/iptables I did this in rsyslog.conf:

kern.* /var/log/iptables.log

I restarted rsyslog and when I run the command 'cat /var/log/iptables.log' I get this output:

May 16 17:36:25 BlackHawk kernel: imklog 4.6.3, log source = /proc/kmsg started.


When I run the command 'ls -la /proc/kmsg' I get this output:

-r--------. 1 root root 0 May 16 17:36 /proc/kmsg


I see this same output from /var/log/iptables in /var/log/messages as far as:

May 16 17:36:25 BlackHawk kernel: imklog 4.6.3, log source = /proc/kmsg started.


Now can someone tell me why I am not getting any log data from iptables into /var/log/iptables.log?

Could it be because a match is happening in iptables before I get to my rules with the log options?

Any insight is most appreciated... Thank you
 
Old 05-16-2011, 10:10 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,743
Blog Entries: 54

Quote:
Originally Posted by BlackHawk
why i am getting this error unknown option '--log-level'
Your command line looks OK but you haven't posted your scripts contents nor any output of running it as '/bin/bash -vx /path/to/script 2>&1'. That doesn't help us help you.


Quote:
Originally Posted by BlackHawk
why is not writing anything to /var/log/iptables
You could try a different approach: look up the default facility and priority pair Netfilter logs with (kern.warning IIRC) and add it to rsyslog.conf, add a line below that keeping the same from spilling over into other log files, below that continue with your other logs and run something to generate output?
 
Old 05-16-2011, 10:44 PM   #4
BlackHawk

Original Poster
Rep: Reputation: 1
Output from /bin/bash -vx /root/iptables 2>&1:

/bin/bash -vx /root/iptables 2>&1

#!/bin/bash

iptables -v -F;
+ iptables -v -F
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `port-scan'
iptables -v -A INPUT -i lo -j ACCEPT;
+ iptables -v -A INPUT -i lo -j ACCEPT
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0

########### BASIC RULE SET #############
iptables -v -P INPUT DROP # Default Policy DROP
+ iptables -v -P INPUT DROP
iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; # ACCEPT ESTABLISHED
+ iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED

########### DROP SPOOFED PACKETS ###############
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP --log-level 4 --log-prefix "SPOOF PACKETS"
+ iptables -A INPUT -s 127.0.0.0/8 '!' -i lo -j DROP --log-level 4 --log-prefix 'SPOOF PACKETS'
iptables v1.4.9: unknown option `--log-level'
Try `iptables -h' or 'iptables --help' for more information.

########### LOG/DROP NEW CONNECTIONS ##############
iptables -A INPUT -p tcp -m state --state NEW -j LOG # LOG NEW TCP CONNECTIONS
+ iptables -A INPUT -p tcp -m state --state NEW -j LOG
iptables -A INPUT -p tcp -m state --state NEW -j DROP # BLOCK NEW TCP CONNECTIONS
+ iptables -A INPUT -p tcp -m state --state NEW -j DROP

########### LOG/DROP SSH AND SEDMAIL ##############
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j LOG # LOG SSH ATTEMPTS
+ iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j LOG
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:22 LOG flags 0 level 4
iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j DROP # BLOCK SSH
+ iptables -v -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:22
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j LOG # LOG SENDMAIL
+ iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j LOG
LOG tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 4
iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j DROP # BLOCK SENDMAIL
+ iptables -v -A INPUT -p tcp -s 0/0 --dport 25 -j DROP
DROP tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:25

########### INPUT THAT IS NEEDED #################
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 80 --state NEW -j ACCEPT; # HTTP
+ iptables -v -A INPUT -m state -m tcp --proto tcp --dport 80 --state NEW -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:80
iptables -v -A INPUT -m state -m udp --proto udp --dport 53 --state NEW -j ACCEPT; # DNS
+ iptables -v -A INPUT -m state -m udp --proto udp --dport 53 --state NEW -j ACCEPT
ACCEPT udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW udp dpt:53
iptables -v -A INPUT -m state -m tcp --proto tcp --dport 53 --state NEW -j ACCEPT; # DNS
+ iptables -v -A INPUT -m state -m tcp --proto tcp --dport 53 --state NEW -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW tcp dpt:53

########### BLOCK SYN FLOOD ######################
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "SYN DROP"
+ iptables -A INPUT -i eth0 -p tcp '!' --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix 'SYN DROP'
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
+ iptables -A INPUT -i eth0 -p tcp '!' --syn -m state --state NEW -j DROP

########### DENY FRAGMENT PACKETS ###############
iptables -A INPUT -i eth0 -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FRAG DROP"
+ iptables -A INPUT -i eth0 -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix 'FRAG DROP'
iptables -A INPUT -i eth0 -f -j DROP
+ iptables -A INPUT -i eth0 -f -j DROP

########### DROPS BAD PACKETS ###############
#iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP

iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL DROP"
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix 'NULL DROP'
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP

iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS DROP"
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix 'XMAS DROP'
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FIN DROP"
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix 'FIN DROP'
iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -j DROP

iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+ iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

########### LIMIT PING ATTEMPTS ###################
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
+ iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

########### BLOCK CERTAIN ICMP ###################
iptables -v -A INPUT -p icmp -j ACCEPT # ACCEPT ICMP PACKETS
+ iptables -v -A INPUT -p icmp -j ACCEPT
ACCEPT icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
iptables -v -A INPUT -p icmp --icmp-type echo-request -j DROP # BLOCK ICMP ECHO
+ iptables -v -A INPUT -p icmp --icmp-type echo-request -j DROP
DROP icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 8

########## PORTSCAN RULE SETUP ###################
iptables -N port-scan # BEGIN PORTSCAN RULES
+ iptables -N port-scan
iptables: Chain already exists.
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN #BLOCK PSCAN
+ iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j LOG --log-level 4 --log-prefix "PORT SCAN" # LOG PORT SCAN
+ iptables -A port-scan -j LOG --log-level 4 --log-prefix 'PORT SCAN'
iptables -A port-scan -j DROP # DROP PORT SCAN
+ iptables -A port-scan -j DROP


iptables -v -A INPUT -j REJECT; # REJECT EVERYTHING ELSE
+ iptables -v -A INPUT -j REJECT
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable


######## OUTPUT FOR SERVICES NEEDED ########

iptables -v -P OUTPUT ACCEPT # Default Policy Accept
+ iptables -v -P OUTPUT ACCEPT
iptables -v -A OUTPUT -o lo -j ACCEPT;
+ iptables -v -A OUTPUT -o lo -j ACCEPT
ACCEPT all opt -- in * out lo 0.0.0.0/0 -> 0.0.0.0/0
iptables -v -A OUTPUT -o eth0 -j ACCEPT;
+ iptables -v -A OUTPUT -o eth0 -j ACCEPT
ACCEPT all opt -- in * out eth0 0.0.0.0/0 -> 0.0.0.0/0
iptables -v -A OUTPUT -m tcp --proto tcp --dport 80 -j ACCEPT; # HTTP
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 80 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80
iptables -v -A OUTPUT -m tcp --proto tcp --dport 443 -j ACCEPT; # HTTPS
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 443 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:443
iptables -v -A OUTPUT -m tcp --proto tcp --dport 445 -j ACCEPT; # SMB
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 445 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:445
iptables -v -A OUTPUT -m tcp --proto tcp --dport 53 -j ACCEPT; # DNS
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 53 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:53
iptables -v -A OUTPUT -m udp --proto udp --dport 53 -j ACCEPT; # DNS
+ iptables -v -A OUTPUT -m udp --proto udp --dport 53 -j ACCEPT
ACCEPT udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:53
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5222 -j ACCEPT; #Google Talk or Jabber
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 5222 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:5222
iptables -v -A OUTPUT -m tcp --proto tcp --dport 5050 -j ACCEPT; #Yahoo
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 5050 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:5050
iptables -v -A OUTPUT -m tcp --proto tcp --dport 6667 -j ACCEPT; #IRC
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 6667 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:6667
iptables -v -A OUTPUT -m tcp --proto tcp --dport 7777 -j ACCEPT; #Jabber file Transfers
+ iptables -v -A OUTPUT -m tcp --proto tcp --dport 7777 -j ACCEPT
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:7777
iptables -v -A OUTPUT -j REJECT;
+ iptables -v -A OUTPUT -j REJECT
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable


######### DEFAULT DROPS #######

iptables -v -P FORWARD DROP # Default Policy DROP
+ iptables -v -P FORWARD DROP
iptables -v -A FORWARD -j REJECT;
+ iptables -v -A FORWARD -j REJECT
REJECT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable


######### IPTABLES SAVE ##################

iptables-save > /tmp/iptables;
+ iptables-save

iptables-restore < /tmp/iptables;
+ iptables-restore

/etc/init.d/iptables save
+ /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]


As far as rsyslog.conf:

cat /etc/rsyslog.conf
#rsyslog v3 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

kern.* /var/log/iptables.log


The rest of rsyslog.conf is all original; the only line I edited is the kern.* /var/log/iptables.log one.

Thank you again for your response.

 
Old 05-16-2011, 11:14 PM   #5
unSpawn
Thanks for posting. Adding output of running '/bin/bash -vx /path/to/script 2>&1' makes it easier to see where things go wrong and adding rsyslog.conf could help too (adding a line "kern.warn[respect TABS just in case]/path/to/logfile" and restarting rsyslogd fills my log OK). Please (edit previous post and) post in BB code tags as it improves readability.
 
Old 05-16-2011, 11:23 PM   #6
BlackHawk

Original Poster
Rep: Reputation: 1
Okay, I hope you see that I edited my response with the outputs that you requested.

If there is any other output you might need please let me know and I will provide it for you, no problem.

Thanks again.
 
Old 05-17-2011, 12:15 AM   #7
BlackHawk

Original Poster
Rep: Reputation: 1
unSpawn, when I try switching from kern.* to kern.warn in rsyslog.conf I don't see that kernel logging started in /var/log/iptables.log.

I know that I should be using kern.warn because my iptables rules are using --log-level 4, which is warn, but when I run rsyslog.conf I get this output:

May 16 21:02:30 BlackHawk kernel: imklog 4.6.3, log source = /proc/kmsg started

When I switch to kern.warn in rsyslog.conf and restart rsyslog I get this output in /var/log/iptables.log:

May 16 21:00:49 BlackHawk kernel: Kernel logging (proc) stopped.


So why, when I switch between the two options, kernel logging starts in one case and stops in the other is beyond me. I thought they should both work, but it seems like only the kern.* option works.

As always, thank you.
 
Old 05-17-2011, 02:35 AM   #8
unSpawn
Quote:
Originally Posted by BlackHawk
Code:
#!/bin/bash

iptables -v -F;
+ iptables -v -F
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `port-scan'
iptables -v -A INPUT -i lo -j ACCEPT;
+ iptables -v -A INPUT -i lo -j ACCEPT
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  

########### BASIC RULE SET #############
iptables -v -P INPUT DROP # Default Policy DROP
+ iptables -v -P INPUT DROP
iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; # ACCEPT ESTABLISHED
+ iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED 

###########  DROP SPOOFED PACKETS  ###############
iptables -A INPUT -s 127.0.0.0/8 ! -i lo  -j DROP --log-level 4 --log-prefix "SPOOF PACKETS" <-- this here
iptables v1.4.9: unknown option `--log-level'
Try `iptables -h' or 'iptables --help' for more information.
I hope you see now.


Quote:
Originally Posted by BlackHawk
Code:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

kern.*    /var/log/iptables.log
Try something like:
Code:
kern.warn    /var/log/iptables.log
kern.warn ~
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
 
Old 05-17-2011, 12:58 PM   #9
BlackHawk

Original Poster
Rep: Reputation: 1
Okay, I edited /etc/rsyslog.conf to add the following...

kern.warn /var/log/firewall.log (tried a new file)
kern.warn ~

and firewall.log was created, only after waiting a while and testing some scans on my box, ping, etc. etc., firewall.log remains empty.

I know that I should be using kern.warn inside rsyslog.conf because I am using the --log-level 4 option in my iptables rule set...

I just don't have any idea why this log file remains empty.

Oh, and for that iptables rule line, it's obvious now that I forgot the -j LOG part, so thank you for pointing that out.

The logging issue is just really giving me a hard time; I hope someone can help.

 
Old 05-17-2011, 03:42 PM   #10
BlackHawk

Original Poster
Rep: Reputation: 1
What I am wondering is, could it be that the reason iptables is not logging any data is because of the way my rules are set up? Could it be that packets are getting DROPped before they reach a rule that has a logging option? When I run nmap scans, however, my snort IDS catches these scans and puts them into my snort log file. So why wouldn't iptables be able to log these same things...?

Here is an example of output from snort catching an xmas scan:
[**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}

What I don't get is why snort is catching this while iptables has an xmas log and drop rule, and when I get this output in my snort log file I get nothing in my firewall log. Like I stated earlier, I think maybe my setup is okay as far as rsyslog.conf goes; however, now what I am wondering is whether iptables isn't logging anything because there is nothing to log. I am not aware of how I can test these rules myself from my computer to see if iptables is logging. Would nmap generate the packets I need to test the log options, or would I need a packet injection tool such as genesis, and if I do need something like genesis could someone tell me how to use it so that I could test these log rules I have with iptables? I have tried things such as 'ping' and 'traceroute' on my box from another network and those things are blocked by iptables, yet my log file /var/log/firewall.log receives no data. This is now beyond my understanding, so if anyone has any insight please enlighten me.

As always, thank you for your time and help.

 
Old 05-17-2011, 08:39 PM   #11
BlackHawk

Original Poster
Rep: Reputation: 1
Okay, here is the situation now....

When I added this simple rule to test iptables I actually received data in my /var/log/firewall.log log file!!!

iptables -vI INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -p icmp -j LOG --log-prefix "LOG test: "

This was the first rule in my script.

Then what I did is this: ping -c2 127.0.0.1

And when I did 'cat /var/log/firewall.log' I got this:

May 17 17:06:00 BlackHawk kernel: [598015.018034] LOG test:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18830 SEQ=1
May 17 17:06:00 BlackHawk kernel: [598015.018081] LOG test:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=41279 PROTO=ICMP TYPE=0 CODE=0 ID=18830 SEQ=1
May 17 17:06:01 BlackHawk kernel: [598016.018106] LOG test:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=18830 SEQ=2
May 17 17:06:01 BlackHawk kernel: [598016.018156] LOG test:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=41280 PROTO=ICMP TYPE=0 CODE=0 ID=18830 SEQ=2

I was so happy to see log data in my log file, so I know that rsyslog is working, so now I know that it has to be my rules. Since my input policy is to drop, and since that test rule was the first rule in my script, obviously iptables had a match so the data was logged. So now what I need to know is, do I need to switch some rules around in my script so the log rules work? I am really confused about what may need to be switched around or altered. If anyone could help, please; I feel so close to solving this!

Thank you.
 
Old 05-18-2011, 01:42 AM   #12
unSpawn
Your -j LOG rules precede the -j DROP rules and that's how it should be. (Test it by temporarily adding a rule like "iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix 'ACCEPT ';" should show.) but realize that (apart from -j LOG or -j RETURN targets) a packet leaves the chain if it matches a filter. Also "detecting" spoofing, SYN floods, etc should be done before the "regular" ACCEPT or DROP rules.
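The first-match behaviour unSpawn describes, as an added example written for this page (not code from the thread, from iptables or from rsyslog): a small Python model of how a chain is walked, loaded with the INPUT rules from the posted script that matter for an nmap-style XMAS probe. It assumes conntrack classes a bare FIN/PSH/URG probe as INVALID rather than NEW; the Packet, Rule and walk names and the sample packets are mine.

```python
# Added example: model of netfilter first-match chain traversal, used to show
# why a -j LOG rule that sits after a matching -j DROP never fires.
from dataclasses import dataclass
from typing import Callable, List, Tuple

ALL_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})


@dataclass(frozen=True)
class Packet:
    iface: str                       # incoming interface (-i)
    proto: str                       # "tcp", "udp" or "icmp" (-p)
    state: str                       # conntrack verdict: NEW, ESTABLISHED, RELATED or INVALID
    flags: frozenset = frozenset()   # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP, REJECT or LOG
    match: Callable[[Packet], bool]
    log_prefix: str = ""             # --log-prefix, only meaningful for LOG


def tcp_flags(mask: frozenset, comp: frozenset) -> Callable[[Packet], bool]:
    """Model of --tcp-flags MASK COMP: among the MASK flags exactly COMP must be set."""
    return lambda p: p.proto == "tcp" and (p.flags & mask) == comp


def state(*names: str) -> Callable[[Packet], bool]:
    """Model of -m state --state A,B."""
    return lambda p: p.state in names


def walk(rules: List[Rule], policy: str, pkt: Packet) -> Tuple[str, List[str]]:
    """First match wins: LOG is non-terminating, any other target ends the walk.
    Returns the verdict and the log prefixes emitted on the way to it."""
    logged: List[str] = []
    for rule in rules:
        if not rule.match(pkt):
            continue
        if rule.target == "LOG":
            logged.append(rule.log_prefix)
            continue
        return rule.target, logged
    return policy, logged


FIN_PSH_URG = frozenset({"FIN", "PSH", "URG"})
SYN_FIN = frozenset({"SYN", "FIN"})
FIN_ACK = frozenset({"FIN", "ACK"})


def posted_input_chain() -> List[Rule]:
    """The INPUT rules from the posted script that matter here, in script order."""
    return [
        Rule("ACCEPT", lambda p: p.iface == "lo"),
        Rule("ACCEPT", state("RELATED", "ESTABLISHED")),
        Rule("LOG", lambda p: p.proto == "tcp" and p.state == "NEW"),   # no prefix
        Rule("DROP", lambda p: p.proto == "tcp" and p.state == "NEW"),
        # "DROPS BAD PACKETS": a silent DROP with no LOG rule in front of it
        Rule("DROP", tcp_flags(ALL_FLAGS, FIN_PSH_URG)),
        Rule("LOG", tcp_flags(SYN_FIN, SYN_FIN), "XMAS DROP"),
        Rule("DROP", tcp_flags(SYN_FIN, SYN_FIN)),
        Rule("LOG", tcp_flags(FIN_ACK, frozenset({"FIN"})), "FIN DROP"),  # would match, never reached
        Rule("DROP", tcp_flags(FIN_ACK, frozenset({"FIN"}))),
        Rule("REJECT", lambda p: True),
    ]


def fixed_input_chain() -> List[Rule]:
    """Same chain with a LOG rule placed directly in front of the silent DROP."""
    rules = posted_input_chain()
    rules.insert(4, Rule("LOG", tcp_flags(ALL_FLAGS, FIN_PSH_URG), "XMAS DROP"))
    return rules


# Constructed sample packets (assumption: a bare FIN/PSH/URG probe carries no SYN
# or ACK, so conntrack does not class it as NEW; it is modelled as INVALID here).
XMAS_PROBE = Packet("eth0", "tcp", "INVALID", FIN_PSH_URG)
NEW_SYN = Packet("eth0", "tcp", "NEW", frozenset({"SYN"}))
REPLY = Packet("eth0", "tcp", "ESTABLISHED", frozenset({"ACK"}))

if __name__ == "__main__":
    for name, pkt in [("xmas probe", XMAS_PROBE), ("new syn", NEW_SYN), ("reply", REPLY)]:
        print(name, "posted:", walk(posted_input_chain(), "DROP", pkt),
              "fixed:", walk(fixed_input_chain(), "DROP", pkt))
```

In the posted order the probe is swallowed by the unlogged `--tcp-flags ALL FIN,URG,PSH -j DROP` rule before any LOG rule sees it; with a LOG rule directly in front of that DROP the "XMAS DROP" prefix is emitted and the packet is still dropped.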
 
Old 05-18-2011, 10:40 AM   #13
BlackHawk

Original Poster
Rep: Reputation: 1
Okay, by adding that rule my firewall.log file filled up pretty quick...

So I am going to go with the explanation that nothing was being logged because iptables wasn't getting a match for the rules I have specified to be logged. I am hoping that I am configuring iptables right by first starting off with a policy for INPUT to be dropped, then having the log-then-drop rules I want, for example: LOG "XMAS:" then DROP, and after that having everything else rejected with 'iptables -v -A INPUT -j REJECT'. Well, thank you for all your help unSpawn, you really have been great.

Linux wouldn't be Linux without all of you.

Thank you again.
 
Old 05-19-2011, 05:26 AM   #14
unSpawn
You're welcome.
 