2.23. Logging Simplified
Problem
You want your firewall to log and drop certain packets.
Solution
For iptables, create a new rule chain that logs and drops in sequence:
# iptables -N LOG_DROP
# iptables -A LOG_DROP -m limit -j LOG --log-level warning --log-prefix "dropped"
# iptables -A LOG_DROP -j DROP
Then use it as a target in any relevant rules:
# iptables ...specification... -j LOG_DROP
For ipchains:
# ipchains ...specification... -l -j DROP
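The iptables solution above as a complete, re-runnable script (an added example, not code from the Linux Security Cookbook): it creates the LOG_DROP chain with the --limit and --limit-burst values exposed as variables, uses a log prefix with a trailing space so the prefix is not run together with the IN= field of the log line (the LOG target prints the prefix verbatim), and attaches the chain to INPUT with a hypothetical rule (inbound telnet on eth0) that you replace with your own specification. The IPTABLES, CHAIN, LOG_PREFIX, LIMIT and LIMIT_BURST variables and the DRY_RUN switch are this script's own conventions; the duplicate-rule check relies on iptables -C, which needs a reasonably recent iptables.

```shell
#!/bin/sh
# Added example, not code from the Linux Security Cookbook: build a reusable
# LOG_DROP chain (log with rate limiting, then drop) and hook it into INPUT.
# Usage:  sh log_drop.sh apply            (as root)
#         DRY_RUN=1 sh log_drop.sh apply  (print the commands instead)
set -eu

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-LOG_DROP}"
# Trailing space keeps the prefix apart from the IN= field ("dropped: IN=eth0"
# rather than "droppedIN=eth0"); the LOG target prints the prefix verbatim.
LOG_PREFIX="${LOG_PREFIX:-dropped: }"
LIMIT="${LIMIT:-3/hour}"          # -m limit default: 3 entries per hour ...
LIMIT_BURST="${LIMIT_BURST:-5}"   # ... in bursts of at most 5

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the chain, or flush it if an earlier run left it behind, so the
# script can be applied repeatedly without stacking duplicate rules.
make_log_drop_chain() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! "$IPTABLES" -n -L "$CHAIN" >/dev/null 2>&1; then
        run "$IPTABLES" -N "$CHAIN"
    else
        run "$IPTABLES" -F "$CHAIN"
    fi
    run "$IPTABLES" -A "$CHAIN" -m limit --limit "$LIMIT" --limit-burst "$LIMIT_BURST" \
        -j LOG --log-level warning --log-prefix "$LOG_PREFIX"
    run "$IPTABLES" -A "$CHAIN" -j DROP
}

# Append a rule to a chain unless an identical one is already present
# (iptables -C reports whether the rule exists).
ensure_rule() {
    target_chain=$1
    shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! "$IPTABLES" -C "$target_chain" "$@" 2>/dev/null; then
        run "$IPTABLES" -A "$target_chain" "$@"
    fi
}

case "${1:-}" in
    apply)
        make_log_drop_chain
        # Hypothetical specification: log and drop inbound telnet on eth0.
        # Replace it with the traffic you actually want logged and dropped.
        ensure_rule INPUT -i eth0 -p tcp --dport 23 -j "$CHAIN"
        ;;
esac
```

Run it once with DRY_RUN=1 to review the exact iptables commands before applying them; because the chain is flushed rather than re-created and the jump is checked with -C, re-running the script after editing LIMIT or LOG_PREFIX updates the rules in place.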
Discussion
iptables's LOG target causes the kernel to log packets that match your given specification. The --log-level option sets the syslog level [Recipe 9.27] for these log messages, and --log-prefix adds an identifiable string to the log entries. The further options --log-tcp-sequence, --log-tcp-options, and --log-ip-options affect the information written to the log; see iptables(8).
LOG is usually combined with the limit module (-m limit) to limit the number of redundant log entries made per time period, to prevent flooding your logs. You can accept the defaults (3 per hour, in bursts of at most 5 entries) or tailor them with --limit and --limit-burst, respectively.
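Once the LOG rule is in place, the prefix is what lets you pick its entries out of the kernel log. As an added example (not from the cookbook), here is a small shell function, built on awk, that reads such log lines and tallies dropped packets by source address, protocol and destination port; the sample lines are constructed, using TEST-NET addresses. It also shows a caveat worth knowing: the LOG target prints the prefix verbatim and immediately follows it with IN=, so the recipe's "dropped" prefix appears in the log as droppedIN=eth0. A trailing space in --log-prefix ("dropped: ") keeps the fields apart; the function matches either form. The PREFIX variable and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Linux Security Cookbook: summarize the
# kernel log lines written by the LOG target, counting dropped packets per
# source address, protocol and destination port. Reads log lines on stdin.
set -eu

# Prefix given to --log-prefix. The kernel prints it verbatim, so the
# cookbook's "dropped" (no trailing space) yields "droppedIN=eth0 ...";
# matching on the prefix immediately followed by IN= handles both forms.
PREFIX="${PREFIX:-dropped}"

summarize_dropped() {
    awk -v prefix="$PREFIX" '
        index($0, prefix "IN=") == 0 { next }     # not one of our LOG entries
        {
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue               # flags such as DF or SYN
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]   # absent for ICMP
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# Constructed sample log (TEST-NET addresses). The last line is ordinary
# syslog traffic that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 gw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=45679 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=61 ID=777 PROTO=UDP SPT=5353 DPT=53 LEN=48
Mar  3 10:15:04 gw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:05 gw sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2
EOF
)

# Stand-alone run: print the tally for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_dropped
```

On a real system feed it the kernel log instead (for example, the file your syslog configuration sends kern.warning to) and set PREFIX to whatever you passed to --log-prefix. Keep the rate limit from the previous paragraph in mind when reading the counts: once the limit kicks in, the tally reflects what was logged, not every packet that was dropped.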
ipchains has much simpler logging: just add the -l option to the relevant rules.
See Also
iptables(8), ipchains(8).