Iptables logging of DROP-ped packets

Iptables logging is a very useful tool for seeing the nasty things being done to your server.
Possible logging levels (the syslog priorities):
0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice, 6 info, 7 debug
I want to log only the packets that my server has dropped (DROP) because their source addresses are forbidden.

To see what packets are coming from a test server which I have blocked using iptables:
# tcpdump -vv host 10.10.10.141
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:57:02.447041 IP (tos 0x0, ttl 63, id 58650, offset 0, flags [DF], proto 6, length: 60) mail.kamcatka.net.10.10.10.in-addr.arpa.42324 > mail-2008.moj.domen.ssh: S [tcp sum ok] 453060264:453060264(0) win 5840

If this is not the command that gives you the packet listing from a host (which can happen), then add to the tcpdump command the interface the packets are coming in on (this goes for RHEL4U5 and tcpdump-3.8.2-10.RHEL4), so the command would be: # tcpdump -i eth1 host 10.10.10.141

So how do you set up logging for dropped packets? It cannot be done with a single rule: the IP address or network has to be named in a LOG rule placed before the rule that drops it, otherwise the LOG rule is never reached. Like this (done in the file /etc/sysconfig/iptables on server 10.10.10.38):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1298:585557]
# the LOG rule for a source must come before the DROP rule for the same source
-A INPUT -s 10.10.10.141 -j LOG --log-prefix "iptables-drop: "
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.10.10.141/255.255.255.255 -j DROP
...
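Because a LOG rule that sits after its DROP rule is silently never reached, it is worth checking a ruleset for exactly that mistake before loading it. The following shell/awk script is an added example, not part of the original post: it reads an iptables-save style file (such as /etc/sysconfig/iptables) on stdin and reports, for every "-s <addr> -j DROP" rule, whether a LOG rule for the same chain and source appears earlier. The sample ruleset embedded in it is constructed for the example and is not a real host's configuration.

```shell
#!/bin/sh
# Audit an iptables-save style ruleset: for each "-s <addr> -j DROP" rule,
# report whether a LOG rule for the same chain and source address appears
# EARLIER in the file. A LOG rule that is missing, or placed after the DROP,
# never fires, so the drop leaves no trace in syslog.
# Reads the ruleset on stdin; prints one "OK"/"MISSING" line per DROP rule.
audit_log_before_drop() {
    awk '
        /^-A / {
            chain = $2; src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src == "") next              # rules without a source are not audited
            key = chain SUBSEP src
            if (target == "LOG") logged[key] = 1
            else if (target == "DROP") {
                if (key in logged) print "OK " chain " " src
                else print "MISSING " chain " " src
            }
        }'
}

# Constructed sample ruleset (not a real host's configuration): one source is
# logged correctly, one has no LOG rule at all, one has the LOG rule after the DROP.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.10.10.141/32 -j LOG --log-prefix "iptables-drop: "
-A INPUT -s 10.10.10.141/32 -j DROP
-A INPUT -s 192.0.2.7/32 -j DROP
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 198.51.100.0/24 -j LOG --log-prefix "iptables-drop: "
COMMIT'

# Usage: audit the sample (or: iptables-save | audit_log_before_drop)
printf '%s\n' "$SAMPLE_RULES" | audit_log_before_drop
```

The check compares the -s argument literally, which is fine for output of iptables-save (it normalises addresses to CIDR form), but a hand-written file that mixes "10.10.10.141" and "10.10.10.141/255.255.255.255" would be reported as MISSING. The check also says nothing about packets dropped by the chain policy (:INPUT DROP); those are only logged if a catch-all LOG rule is the last rule in the chain.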
This will log the dropped packets from 10.10.10.141 to the file /var/log/messages, with the prefix "iptables-drop":
Feb 14 08:49:50 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=00:12:52:4b:b4:f3:01:21:a0:ed:01:7c:08:00 SRC=10.10.10.141 DST=10.10.10.38 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46720 DF PROTO=TCP SPT=32845 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
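The kernel writes every logged packet as one line of KEY=VALUE fields, as above, which makes the log easy to summarise. The following shell/awk script is an added example, not part of the original post: it reads lines in that format from stdin, keeps only those carrying the "iptables-drop:" prefix, counts dropped packets per source address, protocol and destination port, and flags sources whose total crosses a threshold. The sample log lines embedded in it are constructed for the example and were not captured from a real host.

```shell
#!/bin/sh
# Summarise iptables LOG lines from syslog: packets per SRC / PROTO / DPT,
# and flag source addresses that exceed a drop count.

# summarise_drops [PREFIX]  -- reads syslog lines on stdin, keeps only kernel
# lines carrying PREFIX (default "iptables-drop:"), prints "count SRC PROTO DPT"
# sorted by count, highest first.
summarise_drops() {
    prefix=${1:-iptables-drop:}
    awk -v pfx="$prefix" '
        index($0, "kernel: " pfx) == 0 { next }   # ignore unrelated kernel messages
        {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")                 # fields look like SRC=10.10.10.141
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# flag_sources N  -- reads summarise_drops output on stdin and prints
# "SRC total" for every source with N or more dropped packets in total.
flag_sources() {
    awk -v n="$1" '{ total[$2] += $1 }
                   END { for (s in total) if (total[s] >= n) print s, total[s] }'
}

# Constructed sample log (not captured from a real host). The MAC field is
# abbreviated on most lines; the last line is a kernel message that must be ignored.
SAMPLE_LOG='Feb 14 08:49:50 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=00:12:52:4b:b4:f3:01:21:a0:ed:01:7c:08:00 SRC=10.10.10.141 DST=10.10.10.38 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46720 DF PROTO=TCP SPT=32845 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 08:49:51 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=... SRC=10.10.10.141 DST=10.10.10.38 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46721 DF PROTO=TCP SPT=32846 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 08:49:55 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=... SRC=10.10.10.141 DST=10.10.10.38 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=46722 DF PROTO=TCP SPT=32847 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 08:50:01 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=... SRC=192.0.2.7 DST=10.10.10.38 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=56
Feb 14 08:50:02 mail-2008 kernel: eth0: link up'

# Usage: summarise the sample, then list sources with 3 or more drops
# (or: summarise_drops < /var/log/iptables.log | flag_sources 100)
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
printf '%s\n' "$SAMPLE_LOG" | summarise_drops | flag_sources 3
```

Filtering on the prefix matters once the log is routed with kern.warning, because that selector also delivers every other kernel message of priority warning or above to the same file; the prefix is the only reliable way to pick the firewall lines back out.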

If we want to log dropped packets to a separate file rather than /var/log/messages (which is a good idea), another line is added to /etc/syslog.conf:
kern.warning /var/log/iptables.log
Restart the syslog service:
# service syslog restart

And that is that.

