LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-11-2004, 07:50 PM   #1
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
iptables -creating logs


I am wanting to log all requests coming from inside my iptables firewall but cant seem to get it working.

How would I do this?

Preperably I would like to export it all to an external file.

Thanks
Chris
 
Old 02-12-2004, 02:29 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Use LOG target rules before applying a verdict to a packet.
 
Old 02-12-2004, 03:27 PM   #3
schagnot
LQ Newbie
 
Registered: Feb 2004
Location: Connecticut
Distribution: RedHat, Debian, Fedora
Posts: 4

Rep: Reputation: 0
Remember, you are going to get a LOT of packets by doing that. Here is the syntax:

/sbin/iptables -A INPUT -j LOG -s $ANYWHERE -d $ANYWHERE --log-prefix ' Mwhahaha '

You would need something like that in your FORWARD and OUTPUT chains as well. You might want to add a limit match on that to keep your log files for getting too huge.
 
Old 02-12-2004, 07:27 PM   #4
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
thanks schagnot i will give that a shot... how to do the limit match?

Chris
 
Old 02-12-2004, 08:03 PM   #5
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
You put something like -m limit --limit 3/hour in the logging rule. 3/hour is the default, but do whatever you think is appropriate; other suffices are `/second', `/minute', `/hour', or `/day' (directly from the man page )
 
Old 02-13-2004, 07:17 AM   #6
schagnot
LQ Newbie
 
Registered: Feb 2004
Location: Connecticut
Distribution: RedHat, Debian, Fedora
Posts: 4

Rep: Reputation: 0
Chris,

Here is the log example from my INPUT chain that I am using. It is using the limit match with the burst option:

/sbin/iptables -A INPUT -j LOG -s $ANYWHERE -d $ANYWHERE -m limit --limit 3/minute --limit-burst 3 --log-level DEBUG --log-prefix ' ##INPUT DENY LOG## '

This will allow three log messages per minute with a quick burst of 3. In other words, the first minute will log 6 and then 3 from that moment on.

You might think "Hey that is not a lot of log messages, won't I lose out on valuable information?". The limit match should only limit redundant packets. In other words, if you get 1 packet from 500 different machines, you will get 500 log messages even if that is in one minute. If you get one machine probing 500 ports in 1 minute, you should get one LOG from each attempt (for each different port). If you have one machine trying to get at the same port 500 times, you will only see 6 the first minute and then 3 for every minute after that.

Hope this helps!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Seperating IPTABLES Logs TheRealDeal Linux - Security 5 02-26-2005 08:51 AM
help me understanding iptables logs ddaas Linux - Security 1 02-23-2005 09:08 AM
iptables logs ddaas Linux - Security 1 01-20-2005 08:26 AM
Creating on the command logs for users aliwerd Linux - General 3 06-25-2003 07:43 AM
iptables logs and 1 other thing phil1076 Linux - General 5 12-08-2001 07:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:45 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration