I am wanting to log all requests coming from inside my iptables firewall but cant seem to get it working.

How would I do this?

Preperably I would like to export it all to an external file.

Thanks
Chris

Use LOG target rules before applying a verdict to a packet.

Remember, you are going to get a LOT of packets by doing that. Here is the syntax:

/sbin/iptables -A INPUT -j LOG -s $ANYWHERE -d $ANYWHERE --log-prefix ' Mwhahaha '

You would need something like that in your FORWARD and OUTPUT chains as well. You might want to add a limit match on that to keep your log files for getting too huge.

thanks schagnot i will give that a shot... how to do the limit match?

Chris

You put something like -m limit --limit 3/hour in the logging rule. 3/hour is the default, but do whatever you think is appropriate; other suffices are `/second', `/minute', `/hour', or `/day' (directly from the man page )

Chris,

Here is the log example from my INPUT chain that I am using. It is using the limit match with the burst option:

/sbin/iptables -A INPUT -j LOG -s $ANYWHERE -d $ANYWHERE -m limit --limit 3/minute --limit-burst 3 --log-level DEBUG --log-prefix ' ##INPUT DENY LOG## '

This will allow three log messages per minute with a quick burst of 3. In other words, the first minute will log 6 and then 3 from that moment on.

You might think "Hey that is not a lot of log messages, won't I lose out on valuable information?". The limit match should only limit redundant packets. In other words, if you get 1 packet from 500 different machines, you will get 500 log messages even if that is in one minute. If you get one machine probing 500 ports in 1 minute, you should get one LOG from each attempt (for each different port). If you have one machine trying to get at the same port 500 times, you will only see 6 the first minute and then 3 for every minute after that.

Hope this helps!