Configuring iptables Logging
You have tested your firewall scripts and everything works, and you understand what all the rules do, and are confident of your firewall-editing skills. Now you want to know how to configure some logfiles to help with debugging and monitoring.
iptables has a built-in logging target that is applied to individual rules. By default, iptables messages are dumped into /var/log/kern.log. An easy way to see this in action is to log one of the ICMP rules:
$ipt -A INPUT -p icmp --icmp-type echo-request -j LOG \
    --log-level info --log-prefix "ping "
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Ping the host a few times, then read /var/log/kern.log, or follow along with the tail command:
$ tail -f /var/log/kern.log
Oct 3 17:36:35 xena kernel: [17213514.504000] ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4628 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
Oct 3 17:36:36 xena kernel: [17213515.500000] ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4629 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1536
LOG is a non-terminating target: it writes the message and then lets the packet continue down the chain. So if you create only one rule with a LOG target, the packets will be logged and then fall through to the chain's default policy, which in this firewall is DROP; that makes a lone LOG rule a safe way to test a new rule. To shoo the packets along to their final destination, create a second rule that accepts them, as above. The LOG target takes all the standard syslog levels: debug, info, notice, warning, err, crit, alert, and emerg.
iptables uses Linux's built-in syslog, which is pretty limited. The log target's --log-prefix is one way to make kern.log more parsable. A better way is to use syslog-ng, which is more configurable, and has built-in networking support, so it makes an excellent logging server.
Adding these lines to /etc/syslog-ng/syslog-ng.conf directs all iptables log messages to /var/log/iptables.log. Note the match on "IPT="; this is what tells syslog-ng which messages to put in /var/log/iptables.log. So, you will need to include IPT in all of your --log-prefix options:
destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("IPT="); };
log { source(src); filter(f_iptables); destination(iptables); };
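Once the messages land in their own file, you will want to do more than tail them. The following Python parser is an added example, not from the book or from syslog-ng: it turns the kern.log lines shown above into records and counts hits per source, protocol and port. The sample lines are constructed and assume the rules were created with prefixes such as "IPT=ping " and "IPT=drop ", as the syslog-ng filter requires.

```python
import re
from collections import Counter

# Constructed sample kern.log lines in the format iptables' LOG target writes;
# the "IPT=" prefix is the one the syslog-ng filter matches on. The last line
# is a non-iptables kernel-unrelated message that the parser must skip.
SAMPLE_LOG = """\
Oct  3 17:36:35 xena kernel: [17213514.504000] IPT=ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4628 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
Oct  3 17:36:36 xena kernel: [17213515.500000] IPT=ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4629 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1536
Oct  3 17:36:40 xena kernel: [17213519.120000] IPT=drop IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=10.0.0.5 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  3 17:36:41 xena sshd[1234]: Accepted publickey for alice from 192.168.1.12
"""

# syslog header, kernel timestamp, then the IPT= prefix and the packet fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] IPT=(?P<prefix>\S*) (?P<fields>.*)$"
)

def parse_line(line):
    """Return a dict for one iptables LOG line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"TS": m["ts"], "HOST": m["host"], "PREFIX": m["prefix"], "FLAGS": []}
    for token in m["fields"].split():
        if "=" not in token:          # bare tokens are TCP flags (SYN, ACK, ...)
            rec["FLAGS"].append(token)
            continue
        key, value = token.split("=", 1)
        # ICMP lines carry ID= twice: the IP header ID, then the echo ID.
        # Keep both (ID, ID2) instead of silently overwriting the first.
        while key in rec:
            key += "2"
        rec[key] = value
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def summarize(records):
    """Count hits per (prefix, source, protocol, destination port or ICMP type),
    the view you want when deciding whether one source is probing the host."""
    counts = Counter()
    for r in records:
        target = f"type {r.get('TYPE')}" if r.get("PROTO") == "ICMP" else r.get("DPT", "-")
        counts[(r["PREFIX"], r.get("SRC"), r.get("PROTO"), target)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(parse_log(SAMPLE_LOG)).most_common():
        print(n, *key)
```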