LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-17-2007, 03:25 PM   #1
pridefc
Member
 
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47

Rep: Reputation: 15
How to log iptables traffic


Hello,

Is there a way to log all iptables traffic on all the open ports globally? And is there a good iptables log analyzer for kernel 2.6.9.x?
My iptables looks something like below (actually has many more rules):

# Generated by iptables-save v1.2.11 on Tue Mar 13 10:19:38 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:15731]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibitedCOMMIT
# Completed on Tue Mar 13 10:19:38 2007
 
Old 03-17-2007, 03:45 PM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556Reputation: 556Reputation: 556Reputation: 556Reputation: 556Reputation: 556
You might try Googling 'firewall log monitor' and similar stuff.
I use one called fwlogwatch, which I think I got from Sourceforge.net somewhere. It can be set up to monitor for lots of different firewall/network/iptables messages, and is quite configurable. It logs alerts to a separate log file, and can email or run other scripts upon various events, etc..
I can't really say how "good" it is, but it does the job.

Are you using a firewall, or how are you implementing these iptables rules? Just like with a standalone script? You could use a firewall to do the same job, but that has a logging function built into it; that kinda works hand in hand with the log-watcher. For example, the LutelWall Firewall (I use it) is configurable to the max, uses iptables rules, plus every rule can have a log flag set, so every single event that passes thru the firewall gets logged.

I'm definitely no expert, and there are probably lots of ways to do this, but it's one idea anyhow
good luck!

Last edited by GrapefruiTgirl; 03-17-2007 at 03:48 PM.
 
Old 03-17-2007, 04:15 PM   #3
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
I would recommend the iptables ULOG target along with the “userspace logging daemon” (ulogd). No use cluttering the kernel log buffer with netfilter messages.
 
Old 03-26-2007, 11:09 PM   #4
pridefc
Member
 
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
Thanks. we're usin iptables rules. I'll try those suggestions a try.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how log mirror port traffic netguy2000 Linux - Networking 1 03-07-2006 06:18 PM
Loggin IP traffic to a log file brokenflea Linux - Security 1 03-30-2005 05:53 PM
Deleted /var/log/messages, can't log any files-iptables chingyenccy Linux - Newbie 7 02-27-2005 04:03 PM
IPtables Log Analyzer from http://www.gege.org/iptables/ brainlego Linux - Software 0 08-11-2003 06:08 AM
iptables, changing log file from /var/log/messages acid2000 Linux - Networking 3 03-11-2003 08:38 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:02 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration