[SOLVED] iptables floods syslog

neymac · 10-21-2010, 06:07 PM

My iptables rules floods syslog, and although I changed syslog.conf to send the kern.warning to another file, the warning messages from iptables keep going to syslog and the to new file as well.
Is there any way to avoid send the iptables warnings to syslog?

My iptables rules are:

Code:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        udp  --  anywhere             anywhere            udp dpts:0:1023 LOG level warning 
LOG        tcp  --  anywhere             anywhere            tcp dpts:0:1023 LOG level warning 
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023 
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
DROP       icmp --  anywhere             anywhere            icmp echo-request 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

My syslog grows fast and to clean it I create the script:
/etc/rc.d/rc.local_shutdown

Code:

#!/bin/sh
sed -i '/PROTO=/d' /var/log/syslog

which removes the lines sent by iptables warnings.

syslog sample:

Oct 21 21:00:12 darkstar kernel: IN=ppp0 OUT= MAC= SRC=71.138.27.173 DST=200.220.193.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=46081 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:13 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=43583 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:15 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=17711 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:15 darkstar kernel: IN=ppp0 OUT= MAC= SRC=208.124.139.212 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15529 DF PROTO=TCP SPT=43276 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 21 21:00:16 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=57896 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:18 darkstar kernel: IN=ppp0 OUT= MAC= SRC=208.124.139.212 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15832 DF PROTO=TCP SPT=43276 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=71.138.27.173 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=46517 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=86.156.37.129 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=45 ID=37782 DF PROTO=TCP SPT=54123 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=81.99.172.151 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11512 DF PROTO=TCP SPT=55610 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0

My syslog was 681Mb, filled with the iptables warnings (before the script above).
I'd like sugestions to solve this issue without the rc.local_shutdown script.

By the way I'm using Slackware64-13.1 and compiled sysklog-1.5 from the Slackware64-current, and the same issue happens.

tuxrules · 10-21-2010, 06:58 PM

Code:

LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning

This is logging anything that comes through with SYN flag set and FIN,RST,ACK unset. Basically any new tcp connection attempt to your machine is logged. Looks like you have some torrents (port 6881) going on...which will flood your logs. You can adjust the logging level or use the limit module to tweak logging intervals. see man iptables.

neymac · 10-21-2010, 08:07 PM

Thanks, tuxrules.

I removed all LOG rules from iptables and the flood of syslog stopped.

***I edited the file /etc/ppp/firewall-standalone and commented the lines with "LOG"