topic Re: iptables log in Operating System - Linux

iptables log

Leovino A. Trinidad, Jr — Wed, 17 Dec 2003 00:50:00 GMT

Hi to all!

How do you put the logs generated by iptables into a different file aside from the message file?

Re: iptables log

Stuart Browne — Wed, 17 Dec 2003 00:55:18 GMT

IPTables allows you to change the '--log-level' of the messages it logs.

Set it to it's own private level, modify '/etc/syslog.conf' to suit, and give it a whirl..

Re: iptables log

Ragu_1 — Wed, 17 Dec 2003 01:06:53 GMT

If you have enabled ulog support in the Linux kernel, you can log all requests to blocked sevices/ports in /var/log/ulog/syslogemu.log; but before that you have to install ulogd, the Netfilter Userspace Logging Daemon. Tracking IPs becomes more easier!

Re: iptables log

Leovino A. Trinidad, Jr — Wed, 17 Dec 2003 02:56:28 GMT

Hi Stuart!

Can you give me a sample of it?

Actually I already inserted the following in the syslog.conf and restarted it but still no data has been captured.
kern.=inf /var/log/iptables.log

sample rule:

$IPTABLES -A LPINGFLOOD -m limit --limit 1/s --limit-burst 3 -j LOG --log-level 3 --log-prefix "FW-Ping_FLOOD/DROP "

Thanks!

LAT

Re: iptables log

Stuart Browne — Wed, 17 Dec 2003 17:28:20 GMT

Does the file '/var/log/iptables.log' exist?

If memory serves, the file has to exist before it will write to it (it won't create it).. But that could be another *nix I'm thinking of.

Re: iptables log

Leovino A. Trinidad, Jr — Wed, 17 Dec 2003 20:45:33 GMT

Hi Stuart!

Yes, iptables.log was created when I added the entry in the syslog.conf and I see data when I tail the iptables.log. I guess it's working. Can you please help me confirm if this is working?

Thank you.

LAT

Re: iptables log

Steven E. Protter — Wed, 17 Dec 2003 21:25:53 GMT

tail -f location_of_iptables log

Do that in a telnet window.

Then telnet to the server or access its web server, or use a browser to access the internet.

All of these activities should instantly write to the log and scroll in the telnet/terminal window as these activities take place.

Test something thats blocked too, not everything that is open.

SEP

Re: iptables log

Stuart Browne — Wed, 17 Dec 2003 21:26:45 GMT

Err, if stuff is in there, then it's working.

You should see entries similar to:

Dec 18 13:26:04 linux kernel: FORWARD:IN=eth0 OUT=eth0 src=207.241.134.236 DST=203.219.18.112 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=26969 PROTO=UDP SPT=1025 DPT=
137 LEN=58

but 'FORWARD:' will be 'FW-Ping_FLOOD/DROP '.