[Dshield] Enabling iptables logs
Johannes B. Ullrich
jullrich at sans.org
Thu Dec 4 21:37:32 GMT 2003
On Thu, 2003-12-04 at 15:59, stephen wrote:
> Hello everyone. I'm new to the list. I have cobbled together my own iptables
> rule set. Is there a recommended way to set up iptable logging?
Well, it all 'depends'. I prefer to log all dropped/rejected packets.
But then again, I think it's cool to run DShield and collect firewall
logs by the millions.
Here's a quick generic intro. If you have a specific iptables script
already, post it here so people can add their comments.
iptables allows you to specify 'LOG' as a target, similar to 'ACCEPT',
'REJECT' and 'DENY'.
A regular iptables setup looks something like this. I use the 'INPUT'
chain for illustration. Apply this to your other chains as it may
# our default policy is 'DROP'
iptables -P INPUT DROP
# then we have a number of rules that accept certain packets
# we like
iptables -A INPUT ... -j ACCEPT
# everything that made it past the 'ACCEPT' rules, will be
# dropped by our policy. So we just have to log them now.
# --log-* are options of the LOG target, so they must come after '-j LOG'
iptables -A INPUT -j LOG --log-tcp-options --log-ip-options \
    --log-level warning --log-prefix " INPUT_CHAIN_DEFAULT "
A bit more about this statement. The end '-j LOG' specifies that this
statement pertains to logging. ('target'='LOG'). Understand that this
will just log. You still have to 'DROP' or 'REJECT' the packet. If you
want, you can log accepted packets as well. But you have to do so before
the respective 'accept' rule.
The logs will end up in /var/log/messages in most cases (depends on your
--log-tcp-options and --log-ip-options will add more detail to your
logs. '--log-level' can be used to send different logs into different
The '--log-prefix' message will allow you to add a prefix to make it
easier to identify different packets depending on which 'log' line
- REJECT/DROP/ACCEPT does not cause any logging by itself.
- LOG is the target used to send messages to syslog
- typically, the messages end up in /var/log/messages
- log dropped/rejected packets.
> At the moment I only have logging for apache2 ...
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
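Worked example, added here and not part of the original post: a complete INPUT chain built the way the post describes (a LOG rule ahead of the ACCEPT it should record, a LOG rule ahead of the DROP policy, the --log-* options after -j LOG), plus a parser for the lines the LOG target writes to /var/log/messages. The interface name, the ESTABLISHED/RELATED and SSH rules, the -m limit rates (added so a flood cannot fill the log), the host name "fw" and every sample log line are assumptions constructed for the example; the address ranges are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example (not code from the original post). Rules, rate limits and the
# sample log lines below are assumptions made for illustration.
set -u

# Print the rule set instead of applying it, so it can be reviewed first and
# then applied as root with:  sh iptables-log.sh rules | sh
emit_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LOG does not terminate the chain: to log accepted SSH, log *before* accepting
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j LOG --log-level warning --log-prefix " INPUT_SSH_ACCEPT "
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Everything else falls through to the DROP policy; log it first, rate limited
# so a flood cannot fill the log. The --log-* options come after the target.
iptables -A INPUT -m limit --limit 30/min --limit-burst 100 -j LOG --log-tcp-options --log-ip-options --log-level warning --log-prefix " INPUT_CHAIN_DEFAULT "
EOF
}

# Parse one syslog line written by the LOG target.
# Prints: PREFIX SRC DST PROTO DPT   (DPT is "-" for protocols without ports)
# The prefix is whatever follows "kernel:" (and an optional dmesg timestamp)
# up to the first KEY=VALUE token; multi-word prefixes are joined with "_".
parse_log_line() {
    printf '%s\n' "$1" | awk '
    {
        prefix = ""; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        in_prefix = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "kernel:") { in_prefix = 1; continue }
            if (in_prefix && index($i, "=") == 0) {
                if (substr($i, 1, 1) == "[") continue      # dmesg timestamp
                prefix = (prefix == "" ? $i : prefix "_" $i)
                continue
            }
            in_prefix = 0
            n = index($i, "=")
            if (n == 0) continue                           # flags like DF, SYN
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        print prefix, src, dst, proto, dpt
    }'
}

# Count log lines per prefix, protocol and destination port, busiest first.
# Reads log lines on stdin; prints "COUNT PREFIX PROTO DPT".
summarize() {
    while IFS= read -r line; do
        parse_log_line "$line"
    done | awk '{ c[$1 " " $4 " " $5]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample of what the rules above write to /var/log/messages.
SAMPLE_LOG='Dec  4 16:12:05 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=12345 DF PROTO=TCP SPT=3421 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  4 16:12:09 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=2 PROTO=UDP SPT=1034 DPT=1434 LEN=384
Dec  4 16:12:11 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=12346 DF PROTO=TCP SPT=3422 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  4 16:12:40 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Dec  4 16:13:02 fw kernel: INPUT_SSH_ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:ee:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=55 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

case "${1:-}" in
    rules) emit_rules ;;
    *)     printf '%s\n' "$SAMPLE_LOG" | summarize ;;
esac
```

Run it with no arguments to see the per-port summary of the constructed sample (the two SYNs to 135/tcp come out on top); run it with "rules" to print the rule set for review. The prefix is what lets you tell an accepted SSH connection from a dropped probe in the same file, which is why each LOG rule gets its own --log-prefix. Rules and log format are for iptables on Linux; a real /var/log/messages can be fed to summarize with grep 'kernel: ' messages | sh iptables-log.sh in place of the sample.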