Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-21-2005, 09:19 AM | #1
doublejoon (Member; Registered: Oct 2003; Location: King George, VA; Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint; Posts: 370)
Iptables Logging
Hi all,
I am in need of a quick tutorial on adding iptables logging to my existing rules. I haven't found a clear, distinct description of how to do basic logging.
Can anyone help or point me in the right direction?
So far all I have done is "modprobe ipt_LOG"
11-21-2005, 10:27 AM | #2
Mad Scientist (Member; Registered: May 2003; Posts: 167)
At the very end of my firewall script, I have
Code:
# Log the rest of the incoming messages (all of which are dropped)
# with a maximum of 15 log entries per minute
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
# Reject any packets that do not meet the specified criteria
/sbin/iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
In /etc/syslog.conf, I have
Code:
kern.=debug /var/log/firewall
The "log-level" specified in my firewall script is the "debug" level, so the syslog.conf file reflects this fact and sets up the file /var/log/firewall to capture all of these messages. You have to issue a "/sbin/service syslog restart", and then the file "/var/log/firewall" will appear, and will quickly start filling up. The "Dropped by firewall: " prefix is something I use to separate the firewall entries from the other (though very few) entries that inevitably get assigned the debug level.
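Added example, not code from any poster in this thread: a small Python parser for what the rules above write to /var/log/firewall once syslog routes kern.=debug there. The log lines below are constructed for the example (RFC 5737 documentation addresses, placeholder hostname and MACs) in the format the LOG target actually emits, with the "Dropped by firewall: " prefix from the rules. The parser keeps the first value when a key repeats (an ICMP line carries a second ID= for the echo request, a UDP line a second LEN= for the UDP header), keeps bare tokens such as DF and SYN as flags, and skips the other kern.debug messages that land in the same file. It then counts drops per source and lists the destination ports each source touched, which is the first thing to look at when deciding whether a run of dropped packets is a port scan.

```python
import re
from collections import Counter, defaultdict

# Prefix set with --log-prefix in the rules above. The LOG target truncates
# the prefix to 29 characters, so keep it short and unambiguous.
LOG_PREFIX = "Dropped by firewall: "

# Constructed sample of /var/log/firewall (syslog line format, kernel facility).
# Addresses are RFC 5737 documentation ranges; hostname and MACs are placeholders.
SAMPLE_LOG = """\
Nov 21 09:19:01 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 09:19:02 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 09:19:02 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Nov 21 09:19:03 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=12347 PROTO=UDP SPT=5353 DPT=161 LEN=24
Nov 21 09:19:04 host kernel: martian source 192.0.2.10 from 10.0.0.1, on dev eth0
"""

# KEY=value pairs as the LOG target prints them (value may be empty, e.g. "OUT=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the fields of one LOG line as a dict, or None if the line does not
    carry our prefix (other kern.debug messages share the file)."""
    start = line.find(prefix)
    if start < 0:
        return None
    body = line[start + len(prefix):]
    fields = {}
    for key, value in KV_RE.findall(body):
        # First occurrence wins: IP-header LEN/ID come before the ICMP/UDP ones
        fields.setdefault(key, value)
    # Tokens without '=' are flags: DF, SYN, ACK, FIN, ...
    fields["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
    return fields


def summarize(lines, prefix=LOG_PREFIX):
    """Drops per source address, plus the sorted TCP/UDP destination ports
    each source touched (a widening port list is the port-scan signature)."""
    hits = Counter()
    ports = defaultdict(set)
    for line in lines:
        f = parse_log_line(line, prefix)
        if f is None or "SRC" not in f:
            continue
        hits[f["SRC"]] += 1
        if f.get("PROTO") in ("TCP", "UDP") and f.get("DPT"):
            ports[f["SRC"]].add(int(f["DPT"]))
    return hits, {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    hits, ports = summarize(SAMPLE_LOG.splitlines())
    for src, n in hits.most_common():
        print(f"{src:<16} {n:>4} dropped  ports={ports.get(src, [])}")
```

Run it as a script to print the per-source summary; on a real host feed it the lines of /var/log/firewall instead of SAMPLE_LOG. The `prefix` argument selects which rule's lines to count when several LOG rules with different prefixes feed the same file.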
11-21-2005, 11:40 AM | #3
doublejoon (Original Poster; Member; Registered: Oct 2003; Location: King George, VA; Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint; Posts: 370)
You are the man (or woman)! Works great! Thank you, you made it very simple.
Now, with this setup, will I be able to keep my /var/log partition from filling up if some "not so nice person" decides to:
Code:
ping -c 400000 "myip"
11-23-2005, 12:28 PM | #4
Mad Scientist (Member; Registered: May 2003; Posts: 167)
I'm glad to hear it worked.  (Oh, and "Man", by the way.)
12-15-2005, 04:02 AM | #5
fotoguy (Senior Member; Registered: Mar 2003; Location: Brisbane Queensland Australia; Distribution: Custom Debian Live ISO's; Posts: 1,291)
You can also set up rules this way: just create the chain, then send the packets to it. This way it's easy to change only a couple of variables rather than having to go through the whole script.
Code:
# Path to the iptables binary; the snippet assumes $IPTABLES is set earlier in the script
IPTABLES=/sbin/iptables
# Log at most 2 packets per second per rule, allowing an initial burst of 10
LOGLIMIT="2/s"
LOGLIMITBURST="10"
# User-defined chain: log (rate-limited, one prefix per protocol), then drop
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
# -f matches second and further fragments
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
# Everything that reaches the end of the chain is dropped
$IPTABLES -A LOGDROP -j DROP
# Send inbound ICMP, TCP and UDP on eth0 through the logging chain
$IPTABLES -A INPUT -p icmp -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p tcp -i eth0 -j LOGDROP
$IPTABLES -A INPUT -p udp -i eth0 -j LOGDROP
12-23-2005, 01:01 PM | #6
doublejoon (Original Poster; Member; Registered: Oct 2003; Location: King George, VA; Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint; Posts: 370)
That is an easy way of doing it, I see. Just define variables at the beginning and there's no need to re-enter values in each rule.
This is good stuff, all.
Thank you very much.
12-23-2005, 06:56 PM | #7
fotoguy (Senior Member; Registered: Mar 2003; Location: Brisbane Queensland Australia; Distribution: Custom Debian Live ISO's; Posts: 1,291)
Quote:
Originally Posted by doublejoon
That is an easy way of doing it, I see. Just define variables at the beginning and there's no need to re-enter values in each rule.
This is good stuff, all.
Thank you very much.
Happy you found it useful. One thing to note as well is the logging prefix:
--log-prefix "TCP LOGDROP: "
only takes, I think, a maximum of 29 characters, if memory serves me right.
01-08-2006, 04:49 AM | #8
Member; Registered: Aug 2005; Distribution: Debian, Ubuntu, Fedora; Posts: 74
Quote:
Originally Posted by Mad Scientist
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
--log-level 7 --log-prefix "Dropped by firewall: "
Quote:
Originally Posted by fotoguy
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
$IPTABLES -A LOGDROP -j DROP
This is a very useful LOG tutorial, but I am wondering: what is the benefit of putting "-m limit --limit 15/minute" in the log rule?
Thanks
01-09-2006, 04:20 AM | #9
fotoguy (Senior Member; Registered: Mar 2003; Location: Brisbane Queensland Australia; Distribution: Custom Debian Live ISO's; Posts: 1,291)
Not sure about the use of 15/minute; that's rather a long time, I prefer a much shorter one. But the idea is to limit the amount of logging so you don't fill your logs up. If there is no limit to reach, log files can grow by quite a few MB in a day. You will also be tying up lots of processing power writing logs 24/7; if the same IP address keeps hammering you, there is little sense in logging it all, you only need a small amount to see the pattern and record it.
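Added example, not from any poster in this thread: a Python replay of the token bucket behind `-m limit`, to put numbers on the earlier `ping -c 400000` question. It assumes the documented semantics of the kernel limit match: the bucket holds --limit-burst tokens (default 5) and starts full, each packet that matches spends one token, and tokens refill at the --limit rate. Time is idealised to microsecond resolution (the kernel counts in jiffies, so real counts can differ by a few lines), and the arrival times are constructed, evenly spaced, not captured traffic. It compares no limit, the 15/minute rule from post #2 and the 2/s, burst 10 settings from post #5 against a plain ping at one packet per second and against a 1000 packet/s flood.

```python
def evenly_spaced_us(count, packets_per_second):
    """Constructed arrival times (microseconds) for `count` packets at a steady rate."""
    step = 1_000_000 // packets_per_second
    return [i * step for i in range(count)]


def simulate_limit(arrivals_us, limit_packets, limit_seconds, burst=5):
    """Replay packet arrivals through `-m limit --limit P/S --limit-burst B`.

    Integer token bucket with the same shape as the kernel's limit match:
    a token costs `limit_seconds` credit-seconds, credit accrues at
    `limit_packets` per elapsed second, the bucket holds `burst` tokens
    and starts full. Returns (logged, suppressed).
    """
    cost = limit_seconds * 1_000_000      # credits per token (time is in microseconds)
    cap = burst * cost                    # bucket size
    credit = cap                          # bucket starts full
    last = arrivals_us[0] if arrivals_us else 0
    logged = 0
    for t in arrivals_us:
        credit = min(cap, credit + (t - last) * limit_packets)
        last = t
        if credit >= cost:                # a token is available: this packet is logged
            credit -= cost
            logged += 1
    return logged, len(arrivals_us) - logged


def compare_rules(arrivals_us):
    """The settings from this thread side by side, as (logged, suppressed)."""
    return {
        "no limit": (len(arrivals_us), 0),
        "15/minute, burst 5": simulate_limit(arrivals_us, 15, 60, 5),
        "2/s, burst 10": simulate_limit(arrivals_us, 2, 1, 10),
    }


if __name__ == "__main__":
    scenarios = (
        ("ping -c 400000 at 1 pkt/s (4.6 days)", evenly_spaced_us(400_000, 1)),
        ("flood: 1000 pkt/s for 60 s", evenly_spaced_us(60_000, 1000)),
    )
    for label, arrivals in scenarios:
        print(label)
        for rule, (logged, suppressed) in compare_rules(arrivals).items():
            print(f"  {rule:<20} logged={logged:>7}  not logged={suppressed:>7}")
```

What the replay shows: with 15/minute the slow 1 pkt/s ping still produces about 100,000 lines over its 4.6 days, because the limit caps the rate, not the total; the 2/s bucket never throttles a 1 pkt/s source at all; only the flood shows the limit doing its job (129 lines instead of 60,000). If the goal is to keep /var/log from filling, pair the limit with logrotate, or use the hashlimit match, which rate-limits per source address instead of per rule, so one noisy host cannot starve the logging of everyone else.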