Configuring iptables Logging

You have tested your firewall scripts and everything works, and you understand what all the rules do, and are confident of your firewall-editing skills. Now you want to know how to configure some logfiles to help with debugging and monitoring.

iptables has a built-in LOG target that you attach to individual rules. By default, iptables messages are written to /var/log/kern.log. An easy way to see this in action is to log one of the ICMP rules:

$ipt -A INPUT -p icmp --icmp-type echo-request -j LOG \
--log-level info --log-prefix "ping "
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Ping the host a few times, then read /var/log/kern.log, or follow along with the tail command:

$ tail -f /var/log/kern.log
Oct 3 17:36:35 xena kernel: [17213514.504000] ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4628 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
Oct 3 17:36:36 xena kernel: [17213515.500000] ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4629 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1536

If you create only one rule with a LOG target, the packets will be logged and then dropped, because LOG records the packet but does not itself accept it; this is a safe way to test a new rule. To shoo the packets along to their final destination, create a second rule with an ACCEPT target, as above. The LOG target takes all the standard syslog levels: debug, info, notice, warning, err, crit, alert, and emerg.

iptables uses Linux's built-in syslog, which is pretty limited. The log target's --log-prefix is one way to make kern.log more parsable. A better way is to use syslog-ng, which is more configurable, and has built-in networking support, so it makes an excellent logging server.

Adding these lines to /etc/syslog-ng/syslog-ng.conf directs all iptables log messages to /var/log/iptables.log. Note the match on "IPT="; this is what tells syslog-ng which messages to put in /var/log/iptables.log. So, you will need to include IPT in all of your --log-prefix options:

destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("IPT="); };
log { source(src); filter(f_iptables); destination(iptables); };
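To make use of these logs for monitoring, you need to turn the kern.log format shown above into fields you can count and filter on. The following parser is an added example, not from the book or from iptables/syslog-ng; it uses constructed sample lines (hostname "xena", prefixes "IPT=ping " and "IPT=drop " chosen to satisfy the syslog-ng match on "IPT="), applies the same "IPT=" test to decide which lines belong to iptables, and keeps both ID= fields that ICMP lines carry.

```python
"""Parse iptables LOG lines from kern.log and summarise them (added example)."""
import re
from collections import Counter

# Constructed sample lines in the kern.log format shown above. The host name and
# the "IPT=..." prefixes are assumptions; the last line is ordinary kernel
# output that the parser must ignore.
SAMPLE_KERN_LOG = """\
Oct 3 17:36:35 xena kernel: [17213514.504000] IPT=ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4628 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
Oct 3 17:36:36 xena kernel: [17213515.500000] IPT=ping IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.12 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4629 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1536
Oct 3 17:36:40 xena kernel: [17213519.100000] IPT=drop IN=eth1 OUT= MAC=00:03:6d:00:83:cf:00:0a:e4:40:8b:fd:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 3 17:36:41 xena kernel: [17213520.000000] eth1: link is up
"""

# syslog timestamp, host, "kernel:", bracketed uptime, then the message body
KERNEL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] (?P<msg>.*)$")


def parse_log_line(line):
    """Return a dict of fields for one iptables LOG line, or None when the line
    is not an iptables message (the same "IPT=" test as the syslog-ng filter)."""
    m = KERNEL_LINE.match(line.strip())
    if not m or "IPT=" not in m.group("msg"):
        return None
    msg = m.group("msg")
    # The kernel-generated part always begins with "IN="; everything before it
    # is the --log-prefix text.
    start = msg.find("IN=")
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "prefix": msg[:start].strip()}
    for tok in msg[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # ICMP lines carry ID= twice: the IP header ID, then the echo
            # identifier. Keep the second one under ID_2 instead of overwriting.
            if key in rec:
                key += "_2"
            rec[key] = val
        else:
            rec[tok] = True  # bare TCP flags such as SYN, ACK, or DF
    return rec


def parse_kern_log(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def count_by_source(records):
    """Count logged packets per (prefix, SRC, PROTO): a quick monitoring view."""
    return Counter((r["prefix"], r["SRC"], r["PROTO"]) for r in records)


if __name__ == "__main__":
    for key, n in count_by_source(parse_kern_log(SAMPLE_KERN_LOG)).items():
        print(n, *key)
```

Feed it the real file with `parse_kern_log(open("/var/log/iptables.log").read())` once the syslog-ng rules above are in place.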