Iptables logging of DROP-ped packets

Iptables logging is a very useful tool for seeing the nasty things being done to your server.
Possible logging levels (the --log-level values of the LOG target):
0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice, 6 info, 7 debug
I want to log only the packets that my server has dropped (DROP) because their source addresses are forbidden.

To see what packets are coming from a host which I have blocked using iptables:
# tcpdump -vv host
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:57:02.447041 IP (tos 0x0, ttl 63, id 58650, offset 0, flags [DF], proto 6, length: 60) mail.kamcatka.net.10.10.10.in-addr.arpa.42324 > mail-2008.moj.domen.ssh: S [tcp sum ok] 453060264:453060264(0) win 5840

If this is not the command that gives you the packet listing from a host (which can happen), then add to the tcpdump command the interface the packets are arriving on (this applies to RHEL4U5 and tcpdump-3.8.2-10.RHEL4), so the command would be: # tcpdump -i eth1 host

So how do we set up logging for dropped packets? It cannot be done with a single command. The IP addresses or networks have to be named explicitly in a LOG rule placed before the rule that drops them; LOG is a non-terminating target, so the packet continues down the chain to the DROP rule, whereas a packet that is dropped first never reaches any later rule. The rule looks like this (it goes in the file /etc/sysconfig/iptables on the server):
-A INPUT -s -j LOG --log-prefix "iptables-drop: "
:OUTPUT ACCEPT [1298:585557]
-A INPUT -i lo -j ACCEPT
This logs the DROP-ped packets from that source in the file /var/log/messages, with the prefix "iptables-drop":
Feb 14 08:49:50 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=00:12:52:4b:b4:f3:01:21:a0:ed:01:7c:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46720 DF PROTO=TCP SPT=32845 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

If we want to log dropped packets in a separate file rather than /var/log/messages (which is a good idea), another line is added to /etc/syslog.conf. The LOG target writes at level warning (4) by default, which is why the kern.warning selector below matches these lines; note that it also matches every other kernel message of level warning or higher:
kern.warning /var/log/iptables.log
Restart the syslog service:
# service syslog restart
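Once the dropped packets land in /var/log/iptables.log, the "KEY=VALUE" format shown above is easy to parse. The following is an added example (not from the original post) that parses such lines, skips other kernel messages sharing the kern.warning file, and counts drops per source, protocol and destination port; the log lines and the 192.0.2.x / 198.51.100.x addresses in it are constructed samples.

```python
import re
from collections import Counter

# Kernel LOG line as written by syslog: timestamp, host, "kernel:", our
# --log-prefix, then KEY=VALUE tokens (some empty, e.g. OUT=) and bare flags.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"iptables-drop: (?P<fields>.*)$"
)

def parse_drop_line(line):
    """Return a dict for one iptables-drop line, or None for any other
    kernel message (kern.warning sends those to the same file)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    flags = []  # tokens without '=' such as DF or SYN
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            flags.append(tok)
    rec["flags"] = flags
    return rec

def summarize(lines):
    """Count dropped packets per (SRC, PROTO, DPT) so the forbidden
    sources and the ports they are hitting stand out."""
    counts = Counter()
    for rec in map(parse_drop_line, lines):
        if rec is not None:
            counts[(rec.get("SRC", ""), rec.get("PROTO", ""), rec.get("DPT", ""))] += 1
    return counts

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb 14 08:49:50 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=00:12:52:4b:b4:f3:01:21:a0:ed:01:7c:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46720 DF PROTO=TCP SPT=32845 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 08:49:53 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=00:12:52:4b:b4:f3:01:21:a0:ed:01:7c:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46721 DF PROTO=TCP SPT=32846 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 08:50:01 mail-2008 kernel: iptables-drop: IN=eth0 OUT= MAC=00:12:52:4b:b4:f3:01:21:a0:ed:01:7c:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46722 DF PROTO=TCP SPT=32847 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 08:50:07 mail-2008 kernel: eth0: link up
"""

if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{n:5d} drops from {src} {proto} to port {dpt}")
```

Point it at the real file with summarize(open("/var/log/iptables.log")) to get the same summary for the server's own log.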

And that is that.
