How can I set my firewall to log all dropped(rejected) packets?

abefroman · 06-14-2005, 07:14 PM

How can I set my firewall to log all dropped(rejected) packets?

I use IP tables.

darksmiley · 06-14-2005, 07:44 PM

the way i set up my firewall was to module pretty much every single ip_tables related option in the kernel, and use firestarter as my UI to monitor packets. firestarter isnt the most powerful UI out there, but it will all get the job done and be very secure

if you need help with the kernel compilation just give me a shout!

tangle · 06-14-2005, 07:50 PM

I am not an iptables expert, but if you place LOG --logprefix "Say what you want here" at the end of the chain. That should log any attemp that the chain picked up.

mhallbiai · 06-14-2005, 07:54 PM

depending on the amount of packets you are dropping/rejecting i dont know that logging all would be a good idea.

i have a chain that i create to do the logging before sending to DROP

Code:

iptables -N dropit
iptables -A dropit -m limit --limit 15/minute -j LOG --log-prefix Dropped:
iptables -A dropit -j DROP

then you would call 'dropit' where you would normally call DROP

Code:

iptables -A INPUT -s ip/cidr-to-drop -j dropit

so the 'ip-to-drop' will come in on INPUT, jump to 'dropit' (logged at a rate of 15 per minute) and then jump to DROP

you can change the rate to whatever fits your needs

hope this helps

rickh · 06-14-2005, 09:37 PM

I use Firestarter, and have a program called LogWatch on FC3 (came with the distro), and LogCheck on Debian. Both send mail to root every day with lots of security related info including nicely summarized firewall hits. After studying them a few days, and beginning to understand the source of many of them, I am gradually telling Firestarter to quit logging some of the more common ones.