Obie 08-17-2004 04:34 AM

iptables and /var/log/syslog
Assuming I have all my policies set to drop and am attempting to access the web, which would be on Port 80, does iptables log this request within /var/log/syslog? The reason I ask is because that helps me trace what Ports are being requested and whether I need to allow access, and the same for incoming requests.

Charalambos 08-17-2004 05:19 AM

You have to set the rule to log what you want:
iptables -I OUTPUT <line-nr> -j LOG [--log-prefix "iptables HTTP-log:"]

The --log-prefix is optional, it will add before every log entry the string specified.

BlueKnight 08-17-2004 05:22 AM

No, you have to log them as well. Insert a rule which sends the packets to LOG.

Example: iptables -A OUTPUT -j LOG

Obie 08-17-2004 02:57 PM

I assume that "iptables -A OUTPUT -j LOG" would log all outgoing packets. How do I know which are being dropped or denied?

BlueKnight 08-18-2004 12:54 AM

How do I know which are being dropped or denied?
Well, this is totally a question of what kind of firewall setup you have. Basically, you should log everything that is not matched by some accept rules, or just before the packets are dropped.

Example how to log all traffic to port 22:

iptables -N SOME_RULE1
iptables -A SOME_RULE1 -p tcp --dport 22 -j LOG
iptables -A SOME_RULE1 -p tcp --dport 22 -j DROP
# (added for completeness: the chain only takes effect once a built-in chain jumps to it)
iptables -A INPUT -j SOME_RULE1

This is of course totally up to your setup and needs.

Note: You should of course specify some type of --log-prefix "SOME TEXT HERE " in order to recognize why and where it was logged.

Obie 08-18-2004 02:02 AM
Thank you. I guess what I am looking for is something similar to Symantec's firewall where, despite me not requesting to log it, it still shows me what is being dropped. E.g. if I didn't specify Port 22 to be dropped, and my default policy is to drop every connection, I would like to have it logged, and within the logs have it tell me that Port 22 has been dropped.

For example, this would help me ascertain if I should allow a particular piece of software to access the requested port. For instance, on my Windows machine, which has Norton firewall, it will prompt me if I wish to allow Internet Explorer to access the web on Port 80. I don't expect the same for what I am doing in the command line, but it would be nice if I could see the packets being logged. Hopefully I haven't been long-winded.
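One way to get what the last post asks for, as an added example that is not code from this thread: since a DROP policy logs nothing by itself, a catch-all LOG rule placed as the last rule of the chain (right before an explicit DROP) records every packet the policy would otherwise discard silently, and a small awk pass over /var/log/syslog then reports which ports were hit. The log prefixes, the interface name eth0 and the sample syslog lines are all assumed or constructed; the iptables commands need root.

```shell
#!/bin/sh
# Added example, not code from the thread. Two pieces: a catch-all LOG rule
# placed right before the DROP that a DROP policy would otherwise do silently,
# and a summary of the resulting /var/log/syslog lines by destination port.
# Prefixes "FW-IN-DROP: " / "FW-OUT-DROP: " and interface eth0 are assumed.
install_catchall_logging() {     # run as root; ACCEPT rules belong above these
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    # Last rules in each chain: log what nothing above accepted, then drop it.
    # -m limit keeps a port scan from filling the log.
    iptables -A INPUT  -m limit --limit 10/min -j LOG \
        --log-prefix "FW-IN-DROP: " --log-level 4
    iptables -A INPUT  -j DROP
    iptables -A OUTPUT -m limit --limit 10/min -j LOG \
        --log-prefix "FW-OUT-DROP: " --log-level 4
    iptables -A OUTPUT -j DROP
}

# Constructed syslog lines in the shape the kernel writes for -j LOG.
sample_syslog() {
    cat <<'EOF'
Aug 18 00:54:01 box kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40000 DPT=22 SYN
Aug 18 00:54:02 box kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40001 DPT=22 SYN
Aug 18 00:54:05 box kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=10.0.0.2 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=80 SYN
Aug 18 00:54:06 box kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40002 DPT=22 SYN
Aug 18 00:54:07 box kernel: FW-OUT-DROP: IN= OUT=eth0 SRC=10.0.0.2 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=80 SYN
Aug 18 00:54:09 box kernel: FW-IN-DROP: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.2 PROTO=UDP SPT=5353 DPT=53
Aug 18 00:54:10 box sshd[123]: Accepted publickey for obie from 10.0.0.3
EOF
}

# Count logged drops by direction, protocol and destination port.
# Reads syslog on stdin, prints "count prefix PROTO DPT", busiest first.
summarize_drops() {
    awk '/FW-(IN|OUT)-DROP:/ {
        pfx = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FW-(IN|OUT)-DROP:$/) pfx = $i
            else if ($i ~ /^PROTO=/)        proto = substr($i, 7)
            else if ($i ~ /^DPT=/)          dpt = substr($i, 5)
        }
        if (pfx != "" && dpt != "") count[pfx " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}
case "${1:-}" in
    install) install_catchall_logging ;;
    summary) summarize_drops < /var/log/syslog ;;
esac
```

Run with `install` once to put the rules in place and with `summary` afterwards; on the constructed lines above the first summary line is `3 FW-IN-DROP: TCP 22`, which is exactly the "Port 22 has been dropped" answer the question asks for.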

