[Dshield] Enabling iptables logs

Stephen Boulet stephen at theboulets.net
Sat Dec 6 18:24:39 GMT 2003

Thanks for the detailed response. I get this message when trying to start 
logging as you suggest:

iptables v1.2.9: Unknown arg `--log-tcp-options'
Try `iptables -h' or 'iptables --help' for more information.


On Thursday 04 December 2003 03:37 pm, Johannes B. Ullrich wrote:
> On Thu, 2003-12-04 at 15:59, stephen wrote:
> > Hello everyone. I'm new to the list. I have cobbled together my own
> > iptables rule set. Is there a recommended way to set up iptable logging?
> Well, it all 'depends'. I prefer to log all dropped/rejected packets.
> But then again, I think its cool to run DShield and collect firewall
> logs by the millions.
> Here a quick generic intro. If you have a specific iptables script
> already, post it here so people can add their comments.
> iptables allows to specify 'LOG' as a target, similar to 'ACCEPT',
> 'REJECT' and 'DENY'.
> A regular iptables setup looks something like this. I use the 'INPUT'
> chain for illustration. Apply this to your other chains as it may
> fit.
> # our default policy is 'DROP'
> iptables -P INPUT DROP
> # then we have a number of rules that accept certain packets
> # we like
> iptables -A INPUT ... -j ACCEPT
> ....
> # everything that made it past the 'ACCEPT' rules, will be
> # dropped by our policy. So we just have to log them now.
> iptables -A INPUT --log-tcp-options --log-ip-options --log-level warning
> --log-prefix " INPUT_CHAIN_DEFAULT " -j LOG
> A bit more about this statement. The end '-j LOG' specifies that this
> statement pertains to logging. ('target'='LOG'). Understand that this
> will just log. You still have to 'DROP' or 'REJECT' the packet. If you
> want, you can log accepted packets as well. But you have to do so before
> the respective 'accept' rule.
> The logs will end up in /var/log/messages in most cases (depends on your
> syslog.conf setup).
> --log-tcp-options and --log-ip-options will add more detail to your
> logs. '--log-level' can be used to send different logs into different
> files.
> The '--log-prefix' message will allow you to add a prefix to make it
> easier to identify different packets depending on which 'log' line
> matched.
> Quick summary:
> - REJECT/DROP/ACCEPT does not cause any logging by itself.
> - LOG is the target used to send messages to syslog
> - typically, the messages end up in /var/log/messages
> - log dropped/rejected packets.
> > At the moment I only have logging for apache2 ...
> >
> > Thanks.
> >
> > _________
> > Stephen
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list

              From here to there
             and there to here,
           funny things are everywhere.  -- Dr Seuss

More information about the list mailing list