[Dshield] Enabling iptables logs

Johannes B. Ullrich jullrich at sans.org
Thu Dec 4 21:37:32 GMT 2003


On Thu, 2003-12-04 at 15:59, stephen wrote:
> Hello everyone. I'm new to the list. I have cobbled together my own iptables
> rule set. Is there a recommended way to set up iptables logging?

Well, it all 'depends'. I prefer to log all dropped/rejected packets.
But then again, I think it's cool to run DShield and collect firewall
logs by the millions.

Here is a quick generic intro. If you have a specific iptables script
already, post it here so people can add their comments.


iptables allows you to specify 'LOG' as a target, similar to 'ACCEPT',
'REJECT' and 'DENY'.

A regular iptables setup looks something like this. I use the 'INPUT'
chain for illustration. Apply this to your other chains as it may
fit.

# our default policy is 'DROP'
iptables -P INPUT DROP
# then we have a number of rules that accept certain packets
# we like
iptables -A INPUT ... -j ACCEPT
....
# everything that made it past the 'ACCEPT' rules will be
# dropped by our policy. So we just have to log them now.
# Note: the LOG target's own options (--log-prefix etc.) must come
# after '-j LOG', because iptables only knows them once the target
# has been named.

iptables -A INPUT -j LOG --log-tcp-options --log-ip-options \
    --log-level warning --log-prefix " INPUT_CHAIN_DEFAULT "

A bit more about this statement. The end '-j LOG' specifies that this
statement pertains to logging. ('target'='LOG'). Understand that this
will just log. You still have to 'DROP' or 'REJECT' the packet. If you
want, you can log accepted packets as well. But you have to do so before
the respective 'accept' rule.

The logs will end up in /var/log/messages in most cases (depends on your
syslog.conf setup). 

--log-tcp-options and --log-ip-options will add more detail to your
logs. '--log-level' can be used to send different logs into different
files.

The '--log-prefix' message will allow you to add a prefix to make it
easier to identify different packets depending on which 'log' line
matched.

Quick summary:
- REJECT/DROP/ACCEPT does not cause any logging by itself.
- LOG is the target used to send messages to syslog
- typically, the messages end up in /var/log/messages
- log dropped/rejected packets.

> 
> At the moment I only have logging for apache2 ...
> 
> Thanks.
> 
> _________
> Stephen
> 
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
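Once the LOG rule above is in place, the kernel writes one syslog line per matched packet, carrying the prefix followed by IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields. The following parser is an added example (not part of the original post) that reads such lines from /var/log/messages and tallies what was dropped per prefix, protocol and destination port; the sample lines, hosts and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines, in the layout the kernel
# uses for the LOG target (prefix, then KEY=VALUE fields and bare flags such
# as DF/SYN; OPT (...) appears because of --log-tcp-options). The sshd line
# shows a non-firewall entry the parser must skip.
SAMPLE_LOG = """\
Dec  4 21:30:01 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A00000000)
Dec  4 21:30:02 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12346 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A00000000)
Dec  4 21:30:05 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=117 ID=2001 PROTO=UDP SPT=1026 DPT=137 LEN=58
Dec  4 21:30:06 fw kernel: INPUT_CHAIN_DEFAULT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=117 ID=2002 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec  4 21:30:07 fw sshd[1234]: Accepted publickey for admin from 10.0.0.2
"""

# Prefix sits between "kernel:" (optionally followed by a [time] stamp on
# newer kernels) and the first "IN=" field.
LOG_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<prefix>[^=]*?)\s*(?P<fields>IN=.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the LOG fields for a firewall line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec.setdefault(key, value)  # keep the first LEN=/ID= (the IP header's)
    tokens = m.group("fields").split()
    rec["flags"] = [t for t in tokens if t.isalpha() and t.isupper() and t != "OPT"]
    return rec


def summarize(log_text):
    """Count logged packets per (prefix, PROTO, DPT); DPT is '-' for ICMP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["prefix"], rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (prefix, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {prefix}  {proto}/{dpt}")
```

Point it at the real file with summarize(open("/var/log/messages").read()) to see which ports are hitting your default-drop policy most often.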
