IPTABLES: How do you log denied packets

blkcamarozr28 · 08-27-2006, 05:41 PM

How do you log the deny & permitted packets when using IPTABLES? From time to time I need to write custom rules so being able to see what is being denied helps a lot.

My system runs CentOS4.3 & FC1-5. Thanks!

Wilson

fotoguy · 08-27-2006, 06:16 PM

You will need to adjust these to your system and place them at the bottom of the script after your allow rules, some custom logging rules will look like this:

Code:

iptables -A INPUT -p tcp -j LOG --log-prefix "TCP LOGDROP: "
iptables -A INPUT -p udp -j LOG --log-prefix "UDP LOGDROP: "
iptables -A INPUT -p icmp -j LOG --log-prefix "ICMP LOGDROP: "
iptables -A INPUT -f -j LOG --log-prefix "FRAGMENT LOGDROP:  "
iptables -A INPUT -j DROP # make sure anything is drop after logging

These are pretty generic you may need to read up on iptables to find out how to use these rules properly

blkcamarozr28 · 08-27-2006, 08:32 PM

Thanks! Does this automatically put the logs in /var/log/messages?

fotoguy · 08-27-2006, 10:46 PM

Yes it should send all logs to /var/log/messages. Then if you want to view them you could make a cron job, or just run a script to find the logged packets and copy them to another file for easier viewing, or emailing to someone later.

Code:

#!/bin/sh
grep "TCP LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
grep "UDP LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
grep "ICMP LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
grep "FRAGMENT LOGDROP:" /var/log/messages >> /text/file/somewhere.txt
exit 0