log everything except few

sang_froid · 12-09-2009, 11:27 AM

Hi,

I wanted to log all traffic which are going out from my server , except for some ports...

I tried with the following rule

iptables -I OUTPUT -p tcp --dport ! 80 -j LOG
iptables -I OUTPUT -p tcp --dport ! 25 -j LOG

But it is not working as expected, because, first rule logs packet destined to port 25 and second rule logs packet destined to port 80. I don't want to log packets destined to port 80 and 25. I want to however log rest packest.

How do I do that ?

colucix · 12-09-2009, 11:37 AM

You can try the multiport match extension to specify a comma separated list of multiple ports (max 15), e.g.

Code:

iptables -I OUTPUT -m multiport -p tcp --dport !25,80 -j LOG

sang_froid · 12-09-2009, 11:58 AM

I already had tried it... IT doesn't work.

Quote:

Originally Posted by colucix

You can try the multiport match extension to specify a comma separated list of multiple ports (max 15), e.g.

Code:

iptables -I OUTPUT -m multiport -p tcp --dport !25,80 -j LOG

beadyallen · 12-09-2009, 05:32 PM

One way to do it would be to create a specific LOG chain. For example:

Code:

iptables -N LOGCHAIN
iptables -A LOGCHAIN -p tcp --dport 25 -j RETURN
iptables -A LOGCHAIN -p tcp --dport 80 -j RETURN
iptables -A LOGCHAIN -p tcp -j LOG
iptables -A LOGCHAIN -j RETURN #This is the default so not really needed

Then just jump to LOGCHAIN from the INPUT chain at a suitable point:

Code:

iptables -A INPUT -j LOGCHAIN

Hope that helps.