iptables - creating logs
I am wanting to log all requests coming from inside my iptables firewall but can't seem to get it working.
How would I do this? Preferably I would like to export it all to an external file. Thanks, Chris
Use LOG target rules before applying a verdict to a packet.
Remember, you are going to get a LOT of packets by doing that. Here is the syntax:
/sbin/iptables -A INPUT -j LOG -s $ANYWHERE -d $ANYWHERE --log-prefix ' Mwhahaha '
You would need something like that in your FORWARD and OUTPUT chains as well. You might want to add a limit match on that to keep your log files from getting too huge.
Thanks schagnot, I will give that a shot... how do I do the limit match?
Chris
You put something like -m limit --limit 3/hour in the logging rule. 3/hour is the default, but do whatever you think is appropriate; other suffixes are `/second', `/minute', `/hour', or `/day' (directly from the man page ;))
Chris,
Here is the log example from my INPUT chain that I am using. It is using the limit match with the burst option:
/sbin/iptables -A INPUT -j LOG -s $ANYWHERE -d $ANYWHERE -m limit --limit 3/minute --limit-burst 3 --log-level DEBUG --log-prefix ' ##INPUT DENY LOG## '
This will allow three log messages per minute with a quick burst of 3. In other words, the first minute will log 6 and then 3 from that moment on. You might think "Hey that is not a lot of log messages, won't I lose out on valuable information?". The limit match should only limit redundant packets. In other words, if you get 1 packet from 500 different machines, you will get 500 log messages even if that is in one minute. If you get one machine probing 500 ports in 1 minute, you should get one LOG from each attempt (for each different port). If you have one machine trying to get at the same port 500 times, you will only see 6 the first minute and then 3 for every minute after that. Hope this helps!
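An added example, not posted in this thread, for reading the messages that LOG rule produces once syslog has written them to a file: a small Python parser for the kernel's LOG line format that keeps only lines carrying the ' ##INPUT DENY LOG## ' prefix and counts hits per source, protocol and destination port. The sample log lines are constructed for the example (RFC 5737 addresses, hostname fw), not taken from a real host.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the kernel emits for a LOG rule
# with --log-prefix ' ##INPUT DENY LOG## '. The last line is unrelated noise.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: ##INPUT DENY LOG## IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: ##INPUT DENY LOG## IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: ##INPUT DENY LOG## IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=20
Mar  3 10:01:05 fw kernel: ##INPUT DENY LOG## IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=240 ID=4 DF PROTO=TCP SPT=5000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:06 fw sshd[123]: Accepted publickey for admin from 192.0.2.50 port 51000
"""

PREFIX = "##INPUT DENY LOG##"
# KEY=value tokens; value may be empty (OUT= on an inbound packet).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_log(text, prefix=PREFIX):
    """Return one dict of KEY=value fields per kernel line carrying the prefix.

    Lines from other programs, or kernel lines with a different prefix, are
    skipped. Bare flags such as DF or SYN carry no '=' and are not recorded.
    For UDP the kernel prints LEN twice (IP and UDP); the later one wins."""
    records = []
    for line in text.splitlines():
        if "kernel:" not in line or prefix not in line:
            continue
        body = line.split(prefix, 1)[1]
        records.append(dict(FIELD_RE.findall(body)))
    return records


def summarize(records):
    """Count entries per (SRC, PROTO, DPT).

    Many distinct DPTs for one SRC is the port-probe case discussed above;
    many entries for one (SRC, DPT) is the repeated-hit case the limit match
    collapses to the burst plus the per-minute rate."""
    return Counter((r.get("SRC"), r.get("PROTO"), r.get("DPT")) for r in records)
```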