LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   iptables floods syslog (http://www.linuxquestions.org/questions/slackware-14/iptables-floods-syslog-839642/)

neymac 10-21-2010 06:07 PM
iptables floods syslog
 
My iptables rules floods syslog, and although I changed syslog.conf to send the kern.warning to another file, the warning messages from iptables keep going to syslog and the to new file as well.
Is there any way to avoid send the iptables warnings to syslog?

My iptables rules are:

Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
LOG        udp  --  anywhere            anywhere            udp dpts:0:1023 LOG level warning
LOG        tcp  --  anywhere            anywhere            tcp dpts:0:1023 LOG level warning
DROP      udp  --  anywhere            anywhere            udp dpts:0:1023
DROP      tcp  --  anywhere            anywhere            tcp dpts:0:1023
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP      icmp --  anywhere            anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
My syslog grows fast and to clean it I create the script:
/etc/rc.d/rc.local_shutdown
Code:
#!/bin/sh
sed -i '/PROTO=/d' /var/log/syslog
which removes the lines sent by iptables warnings.

syslog sample:

Oct 21 21:00:12 darkstar kernel: IN=ppp0 OUT= MAC= SRC=71.138.27.173 DST=200.220.193.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=46081 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:13 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=43583 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:15 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=17711 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:15 darkstar kernel: IN=ppp0 OUT= MAC= SRC=208.124.139.212 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15529 DF PROTO=TCP SPT=43276 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 21 21:00:16 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=57896 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:18 darkstar kernel: IN=ppp0 OUT= MAC= SRC=208.124.139.212 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15832 DF PROTO=TCP SPT=43276 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=71.138.27.173 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=46517 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=86.156.37.129 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=45 ID=37782 DF PROTO=TCP SPT=54123 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=81.99.172.151 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11512 DF PROTO=TCP SPT=55610 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0


My syslog was 681Mb, filled with the iptables warnings (before the script above).
I'd like sugestions to solve this issue without the rc.local_shutdown script.

By the way I'm using Slackware64-13.1 and compiled sysklog-1.5 from the Slackware64-current, and the same issue happens.

tuxrules 10-21-2010 06:58 PM
Code:
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
This is logging anything that comes through with SYN flag set and FIN,RST,ACK unset. Basically any new tcp connection attempt to your machine is logged. Looks like you have some torrents (port 6881) going on...which will flood your logs. You can adjust the logging level or use the limit module to tweak logging intervals. see man iptables.

neymac 10-21-2010 08:07 PM
Thanks, tuxrules.

I removed all LOG rules from iptables and the flood of syslog stopped.

***I edited the file /etc/ppp/firewall-standalone and commented the lines with "LOG"


All times are GMT -5. The time now is 06:27 PM.