2.23. Logging Simplified

Problem

You want your firewall to log and drop certain packets.

Solution

For iptables, create a new rule chain that logs and then drops, in sequence:

# iptables -N LOG_DROP
# iptables -A LOG_DROP -j LOG --log-level warning --log-prefix "dropped" -m limit
# iptables -A LOG_DROP -j DROP

Then use it as a target in any relevant rules:

# iptables ...specification... -j LOG_DROP

For ipchains:

# ipchains ...specification... -l -j DROP

Discussion

iptables's LOG target causes the kernel to log packets that match your given specification. The --log-level option sets the syslog level [Recipe 9.27] for these log messages, and --log-prefix adds an identifiable string to the log entries. The further options --log-tcp-sequence, --log-tcp-options, and --log-ip-options affect the information written to the log; see iptables(8).

LOG is usually combined with the limit module (-m limit) to cap the number of redundant log entries made per time period, which prevents flooding your logs. Note that the limit applies only to the LOG rule: packets that exceed the limit are not logged, but they still fall through to the DROP rule that follows it in the chain. You can accept the defaults (3 per hour, in bursts of at most 5 entries) or tailor them with --limit and --limit-burst, respectively.

ipchains has much simpler logging: just add the -l option to the relevant rules.
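As an added illustration (not code from the book), the following Python parses the kernel log lines that the LOG target above produces and counts drops per source, protocol and destination port. The sample syslog lines are constructed; the function names are my own. It also shows a practical wrinkle: with the prefix written as "dropped" (no trailing space), the prefix runs straight into the IN= field of the log entry, so the parser anchors on IN= rather than on a separator.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the iptables LOG target emits.
# Lines 1-2 use the recipe's prefix "dropped" exactly as written (no trailing
# space), so it abuts IN=; line 3 uses "dropped: ", which reads more cleanly.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40002 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=UDP SPT=5353 DPT=161 LEN=40
Mar  3 10:15:10 gw sshd[1234]: Accepted publickey for alice from 192.0.2.50 port 51234 ssh2
"""

# The LOG target writes the prefix immediately before the KEY=VALUE fields,
# which always begin with IN=. An optional "[ 123.456]" kernel timestamp may
# precede the prefix on some systems. Flags such as DF or SYN are bare words.
LINE_RE = re.compile(r"kernel: (?:\[[^\]]*\] *)?(?P<prefix>.*?)(?=IN=)(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line, prefix="dropped"):
    """Return a dict of fields if the line is a LOG entry with this prefix, else None."""
    m = LINE_RE.search(line)
    if not m or not m.group("prefix").startswith(prefix):
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        fields.setdefault(key, value)   # keep the IP-level LEN=, not the later UDP LEN=
    fields["FLAGS"] = [t for t in m.group("fields").split() if "=" not in t]
    return fields

def summarize_drops(text, prefix="dropped"):
    """Count dropped packets per (SRC, PROTO, DPT) to spot probes and noisy sources."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line, prefix)
        if f:
            counts[(f["SRC"], f["PROTO"], f.get("DPT", "-"))] += 1
    return counts

if __name__ == "__main__":
    for (src, proto, dpt), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:16s} {proto:5s} dport {dpt}")
```

Because the limit match suppresses log entries beyond the configured rate, counts derived from the log are a lower bound on what the chain actually dropped; compare them with the packet counters from `iptables -L LOG_DROP -v -n` when you need exact numbers.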

See Also

iptables(8), ipchains(8).
