LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 10-21-2010, 06:07 PM   #1
neymac
Member
 
Registered: May 2009
Distribution: Slackware64-14.0
Posts: 116

Rep: Reputation: 12
iptables floods syslog


My iptables rules flood syslog, and although I changed syslog.conf to send kern.warning to another file, the warning messages from iptables keep going to syslog and to the new file as well.
Is there any way to avoid sending the iptables warnings to syslog?

My iptables rules are:

Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        udp  --  anywhere             anywhere            udp dpts:0:1023 LOG level warning 
LOG        tcp  --  anywhere             anywhere            tcp dpts:0:1023 LOG level warning 
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023 
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
DROP       icmp --  anywhere             anywhere            icmp echo-request 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
My syslog grows fast, and to clean it I created the script:
/etc/rc.d/rc.local_shutdown
Code:
#!/bin/sh
# Delete every line written by the iptables LOG rules (they all carry PROTO=) from syslog at shutdown
sed -i '/PROTO=/d' /var/log/syslog
which removes the lines sent by iptables warnings.

syslog sample:

Oct 21 21:00:12 darkstar kernel: IN=ppp0 OUT= MAC= SRC=71.138.27.173 DST=200.220.193.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=46081 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:13 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=43583 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:15 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=17711 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:15 darkstar kernel: IN=ppp0 OUT= MAC= SRC=208.124.139.212 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15529 DF PROTO=TCP SPT=43276 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 21 21:00:16 darkstar kernel: IN=ppp0 OUT= MAC= SRC=205.250.180.252 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=57896 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:18 darkstar kernel: IN=ppp0 OUT= MAC= SRC=208.124.139.212 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15832 DF PROTO=TCP SPT=43276 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=71.138.27.173 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=46517 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=86.156.37.129 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=45 ID=37782 DF PROTO=TCP SPT=54123 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=81.99.172.151 DST=200.220.193.5 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=11512 DF PROTO=TCP SPT=55610 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0


My syslog was 681Mb, filled with the iptables warnings (before the script above).
I'd like suggestions to solve this issue without the rc.local_shutdown script.

By the way I'm using Slackware64-13.1 and compiled sysklog-1.5 from the Slackware64-current, and the same issue happens.

Last edited by neymac; 10-21-2010 at 06:16 PM.
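Before deleting those lines with sed, it helps to know what is actually filling the file. The script below is an added example (not from this thread or from any poster): it pulls the `DPT=` and `SRC=` fields out of the kernel LOG lines in a syslog file and ranks them, so the flood can be traced to a port or host. The function names and the sample lines (written in the same format as the post, with documentation-range addresses) are constructed for the example; point it at /var/log/syslog for real data.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines in a syslog file.
# Usage: count_by_field DPT /var/log/syslog   (or SRC, PROTO, IN, ...)

# Count LOG lines per value of FIELD, most frequent first ("count value").
# Only the kernel netfilter lines carry PROTO=, so that is the selector.
count_by_field() {
    field=$1; file=$2
    grep 'PROTO=' "$file" |
      awk -v f="$field" '{ for (i = 1; i <= NF; i++)
                             if (index($i, f "=") == 1) c[substr($i, length(f) + 2)]++ }
                         END { for (k in c) print c[k], k }' |
      sort -rn
}

# The single most frequent value of FIELD, e.g. top_value DPT /var/log/syslog
top_value() {
    count_by_field "$1" "$2" | awk 'NR == 1 { print $2 }'
}

# Total number of firewall LOG lines in FILE (prints 0 instead of failing)
log_line_count() {
    grep -c 'PROTO=' "$1" || true
}

# Constructed sample in the thread's log format (not real traffic): one
# non-firewall syslog line mixed in to show that it is ignored.
make_sample() {
    cat <<'EOF'
Oct 21 21:00:12 darkstar kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=46081 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:13 darkstar kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=46082 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:14 darkstar sshd[1234]: Accepted publickey for neymac from 192.0.2.99 port 51000 ssh2
Oct 21 21:00:15 darkstar kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=46083 DF PROTO=TCP SPT=65389 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:16 darkstar kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.20 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=57896 DF PROTO=TCP SPT=59158 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:18 darkstar kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.30 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=15832 DF PROTO=TCP SPT=43276 DPT=6881 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.40 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=37782 DF PROTO=TCP SPT=54123 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 21:00:19 darkstar kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.50 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=116 ID=11512 PROTO=UDP SPT=55610 DPT=137 LEN=58
EOF
}

# Demo on the constructed sample: "5 6881" tops the port list, as in the thread.
demo() {
    tmp=$(mktemp)
    make_sample > "$tmp"
    echo "firewall log lines: $(log_line_count "$tmp")"
    echo "top ports:";   count_by_field DPT "$tmp" | head -n 3
    echo "top sources:"; count_by_field SRC "$tmp" | head -n 3
    rm -f "$tmp"
}
```

Run `demo` (or call `count_by_field DPT /var/log/syslog` directly) before changing rules; if one port or one source dominates, that is the rule to rate-limit or stop logging, rather than all of them.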
 
Old 10-21-2010, 06:58 PM   #2
tuxrules
Senior Member
 
Registered: Jun 2004
Location: Chicago
Distribution: Slackware64 14.1
Posts: 1,141

Rep: Reputation: 55
Code:
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
This is logging anything that comes through with the SYN flag set and FIN,RST,ACK unset. Basically any new tcp connection attempt to your machine is logged. Looks like you have some torrents (port 6881) going on...which will flood your logs. You can adjust the logging level or use the limit module to tweak logging intervals. See man iptables.
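To show what the limit-module suggestion looks like in practice, here is an added example (not from this thread, not the poster's /etc/ppp/firewall-standalone): the same LOG/DROP pairs as in the first post, but each LOG rule is rate-limited with `-m limit` and tagged with `--log-prefix` so the lines can be routed or grepped. The `run` dry-run wrapper, the rates (5/min, burst 10) and the prefix strings are my choices; the script only calls iptables when started as `sh fw-log.sh --apply`, otherwise it prints the commands it would run.

```shell
#!/bin/sh
# Added example: rate-limited, prefixed iptables LOG rules.
# Prints the commands by default; executes them only with "--apply" as root.

IPT=${IPT:-iptables}
LOG_RATE=${LOG_RATE:-5/min}     # at most 5 log lines per minute per rule ...
LOG_BURST=${LOG_BURST:-10}      # ... after an initial burst of 10 lines

# Execute the command when APPLY=1, otherwise just print it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# Add a LOG rule that fires at most LOG_RATE times (burst LOG_BURST) followed
# by the matching DROP.  Usage: log_and_drop "<match args>" "<log prefix>"
log_and_drop() {
    match=$1; prefix=$2
    # $match is intentionally unquoted so its words become separate arguments
    run "$IPT" -A INPUT $match -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-level warning --log-prefix "$prefix"
    run "$IPT" -A INPUT $match -j DROP
}

# The rule set from the first post, with logging throttled.
# "--syn" is the same match as "tcp flags:FIN,SYN,RST,ACK/SYN" in iptables -L.
firewall_rules() {
    log_and_drop "-p udp --dport 0:1023" "FW-UDP-PRIV: "
    log_and_drop "-p tcp --dport 0:1023" "FW-TCP-PRIV: "
    log_and_drop "-p tcp --syn"          "FW-NEW-TCP: "
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
}

[ "${1:-}" = "--apply" ] && APPLY=1
firewall_rules
```

With a prefix on every LOG rule the lines are also easy to separate in syslog.conf: with sysklogd (which the first post says is in use) `kern.=warning -/var/log/firewall.log` sends only kernel warnings to their own file, and adding `kern.!=warning` to the selector of the /var/log/syslog line stops the duplicate copy that the poster saw. The limit match itself just caps how many lines reach the kernel log per rule; packets that exceed the limit are still dropped by the second rule, only no longer logged.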
 
Old 10-21-2010, 08:07 PM   #3
neymac
Member
 
Registered: May 2009
Distribution: Slackware64-14.0
Posts: 116

Original Poster
Rep: Reputation: 12
Thanks, tuxrules.

I removed all LOG rules from iptables and the flood of syslog stopped.

***I edited the file /etc/ppp/firewall-standalone and commented the lines with "LOG"

Last edited by neymac; 10-23-2010 at 08:51 AM.