LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Logging with Iptables does not work (https://www.linuxquestions.org/questions/linux-security-4/logging-with-iptables-does-not-work-755577/)

Psystorm 09-16-2009 05:50 AM

Logging with Iptables does not work
 
Hello!

I'm trying to set up a firewall that logs all dropped packets, but I can't get it working. For troubleshooting I installed a fresh ubuntu-9.04-i386-minimal image from my hoster and edited the syslog.conf, so that it logs everything into one logfile:
Code:

*.* /var/log/everything.log
After that I restarted sysklogd and added this rule to the iptables input chain:
Code:

iptables -A INPUT -j LOG
I now generate some incoming traffic by pinging from another computer (and also with the ssh connection with which I'm connected to the server), however this does not show up in the log file:
Code:

Sep 16 12:19:27 vs24029 syslogd 1.5.0#5ubuntu3: restart.
Iptables says that it has packets matching the rule:
Code:

Chain INPUT (policy ACCEPT 888 packets, 540K bytes)
 pkts bytes target    prot opt in    out    source              destination
  63  4476 LOG        all  --  any    any    anywhere            anywhere            LOG level warning

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 759 packets, 74938 bytes)
 pkts bytes target    prot opt in    out    source              destination

And with dmesg I get the following:
Code:

[3542423.358689] IN=venet0 OUT=
Thanks for the help.
Psystorm

centosboy 09-16-2009 05:55 AM

Quote:

Originally Posted by Psystorm (Post 3684865)
Hello!

I'm trying to set up a firewall that logs all dropped packets, but I can't get it working. For troubleshooting I installed a fresh ubuntu-9.04-i386-minimal image from my hoster and edited the syslog.conf, so that it logs everything into one logfile:
Code:

*.* /var/log/everything.log
After that I restarted sysklogd and added this rule to the iptables input chain:
Code:

iptables -A INPUT -j LOG
I now generate some incoming traffic by pinging from another computer (and also with the ssh connection with which I'm connected to the server), however this does not show up in the log file:
Code:

Sep 16 12:19:27 vs24029 syslogd 1.5.0#5ubuntu3: restart.
Iptables says that it has packets matching the rule:
Code:

Chain INPUT (policy ACCEPT 888 packets, 540K bytes)
 pkts bytes target    prot opt in    out    source              destination
  63  4476 LOG        all  --  any    any    anywhere            anywhere            LOG level warning

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 759 packets, 74938 bytes)
 pkts bytes target    prot opt in    out    source              destination

And with dmesg I get the following:
Code:

[3542423.358689] IN=venet0 OUT=
Thanks for the help.
Psystorm

Here is how my iptables logs:

Code:

-A LOG_DROP -j LOG --log-prefix "dropped packet" --log-level debug
-A LOG_DROP -j DROP

just note the --log-level debug

then in the syslog.conf:

Code:

# Send iptables LOGDROPs to /var/log/iptables
kern.=debug                                            /var/log/iptables

to catch kernel debug messages.

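As an added example (not code from either poster), the following parses lines of the kind the LOG rule above writes into /var/log/iptables, summarises dropped packets per source/protocol/port, and checks which sysklogd selector (kern.=debug versus kern.warning or *.*) would actually catch a message at a given priority. The sample log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter
# Constructed sample of /var/log/iptables contents under centosboy's rule. Note
# "dropped packetIN=": --log-prefix is written verbatim, so without a trailing
# space in the prefix it runs straight into the first field.
SAMPLE_LOG = """\
Sep 16 13:45:35 vs24029 kernel: [3544900.127112] dropped packetIN=venet0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2321 SEQ=1
Sep 16 13:45:36 vs24029 kernel: [3544901.001000] dropped packetIN=venet0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4711 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 16 13:45:37 vs24029 syslogd 1.5.0#5ubuntu3: restart.
Sep 16 13:45:38 vs24029 kernel: [3544902.500000] dropped packetIN=venet0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""
PREFIX = "dropped packet"
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_iptables_line(line, prefix=PREFIX):
    """KEY=VALUE fields of one LOG line (bare flags under 'FLAGS'), else None."""
    if " kernel: " not in line:
        return None
    payload = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line.partition(" kernel: ")[2])
    if not payload.startswith(prefix):
        return None
    fields, flags = {}, []
    for tok in payload[len(prefix):].split():
        key, eq, val = tok.partition("=")
        fields.setdefault(key, val) if eq else flags.append(tok)  # first ID= is the IP id
    fields["FLAGS"] = flags
    return fields

def summarize_drops(log_text, prefix=PREFIX):
    """Dropped packets per (SRC, PROTO, DPT): what the firewall is actually rejecting."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_iptables_line(line, prefix)
        if f is not None:
            counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT", "-"))] += 1
    return counts

def selector_matches(selector, facility, priority):
    """Does a sysklogd selector such as 'kern.=debug' select facility/priority?
    '=' means exactly that priority, otherwise that priority and anything more
    severe; so 'kern.=debug' never sees the default LOG level 'warning'."""
    sel_fac, _, sel_pri = selector.partition(".")
    if sel_fac not in ("*", facility):
        return False
    exact, sel_pri = sel_pri.startswith("="), sel_pri.lstrip("=")
    if sel_pri == "*":
        return True
    if exact:
        return priority == sel_pri
    return PRIORITIES.index(priority) <= PRIORITIES.index(sel_pri)
```

Run summarize_drops(SAMPLE_LOG) to see the three constructed drops grouped by source, protocol and destination port; the syslogd restart line is skipped because it is not a kernel message.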
Psystorm 09-16-2009 06:19 AM

Okay, I now tried to set up my iptables and sysklogd like yours:
Code:

iptables -F
iptables -X

iptables -N log_drop
iptables -A log_drop -j LOG --log-prefix "dropped packet" --log-level debug
iptables -A INPUT -j log_drop

Code:

kern.=debug /var/log/iptables
*.* /var/log/everything.log

For some reason iptables still doesn't log anything to /var/log/iptables or /var/log/everything.log. Logging in general is working since other entries are created in the /var/log/everything.log.

centosboy 09-16-2009 06:27 AM

Quote:

Originally Posted by Psystorm (Post 3684909)
Okay, I now tried to set up my iptables and sysklogd like yours:
Code:

iptables -F
iptables -X

iptables -N log_drop
iptables -A log_drop -j LOG --log-prefix "dropped packet" --log-level debug
iptables -A INPUT -j log_drop

Code:

kern.=debug /var/log/iptables
*.* /var/log/everything.log

For some reason iptables still doesn't log anything to /var/log/iptables or /var/log/everything.log. Logging in general is working since other entries are created in the /var/log/everything.log.


Did you restart syslog and iptables?

Psystorm 09-16-2009 06:34 AM

I restarted sysklogd and reset iptables with
Code:

iptables -F
iptables -X


centosboy 09-16-2009 06:42 AM

Quote:

Originally Posted by Psystorm (Post 3684936)
I restarted sysklogd and reset iptables with
Code:

iptables -F
iptables -X



OK, but is the packet counter still increasing for the log_drop rule?
Any logs collected in dmesg?

Psystorm 09-16-2009 06:50 AM

The packet counter is increasing and dmesg now gives the following:
Code:

[3544900.127112] BUG: recent printk recursion!
[3544900.127291] BUG: recent printk recursion!

I also tried restarting the klogd, but it does not continue when starting it again and creates the following error log messages:
Code:

Sep 16 13:45:35 vs24029 kernel: Cannot find map file.
Sep 16 13:45:35 vs24029 kernel: No module symbols loaded - kernel modules not enabled.

I'm investigating those at the moment.

Psystorm 09-16-2009 09:00 AM

I finally found the problem; it is a bug in OpenVZ: http://bugzilla.openvz.org/show_bug.cgi?id=1284.

Thanks for your help!

centosboy 09-16-2009 09:03 AM

Quote:

Originally Posted by Psystorm (Post 3685145)
I finally found the problem; it is a bug in OpenVZ: http://bugzilla.openvz.org/show_bug.cgi?id=1284.

Thanks for your help!

lol... yes, I saw that but didn't get around to asking if you were using OpenVZ :)
