No Account Yet?

You are not logged in.
Add to: JBookmarks Add to: Facebook Add to: Windows Live Add to: Digg Add to: Del.icoi.us Add to: Reddit Add to: StumbleUpon Add to: Slashdot Add to: Netscape Add to: Furl Add to: Yahoo Add to: Blogmarks Add to: Technorati Add to: Newsvine Add to: Google Information
How to log in IPTABLES E-mail
Linux HowTo's - Linux Networking HowTo's
Written by Allen Sanabria   
Sunday, 10 February 2008 18:45

Welcome again to LinuxDynasty.org. In this quick how to, we are going to show you how to get iptables to log when it drops packets.

    1. In the previous tutorial SSH BLOCKING HOW TO we showed you how to drop those pesky ssh attacks, well int his tutorial we are going to show you how to log those attacks. If you have not read the previous tutorial, then please read it now as I am not going to reexplain the options I used for blocking ssh attacks
    • Before we get into the iptables rules, lets make sure that what we are doing is going to log. First lets open up "/etc/syslog.conf" and add this entry


      kern.*                          /var/log/firewall.log
    • Now restart your syslog daemon.. "/etc/init.d/syslog restart" (This is ofcourse assuming you are using Fedora or any other redhat base linux)
    • iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh_attempt --rsource -j LOG --log-prefix "SSH connection attempt: "
    • As you can see this "-j LOG --log-prefix "SSH connection attempt: "" was appended to our previous SSH BLOCKING HOW TO. This is essentially logging all ssh attempts.
    • "-j LOG" This means to jump to the LOG chain in iptables.
    • "--log-prefix "SSH connection attempt: "" This is labeling the log with SSH connection attempt: ".
    2. That was basic logging, now we will get into some more options in logging.
    • Now lets say you want your logging to be more verbose. In iptables we can fix that by adding this entry in the rule.. --log-level 7. This is the highest level of logging (DEBUG LEVEL).
    • Now what if you logs are getting saturated by the second and overwhelming your processor? Well we can add limits also. Here is an example -m limit --limit 2/second --limit-burst 5. This will limit the logging to 2 entries per second and a max of 5 packets per second.
    3. So if we put it all together it would look like this..
    • iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh_attempt --rsource -j LOG --log-level 7 -m limit --limit 2/second --limit-burst 5 --log-prefix "SSH connection attempt: "

There are a few more options that we can discuss on logging. If anybody wants to see them just leave a comment. If you liked the tutorial also please leave a comment. I will be adding a ULOG howto in the next day or so, which is my preferred way to log in iptables.

Comments
Search RSS
Only registered users can write comments!

3.22 Copyright (C) 2007 Alain Georgette / Copyright (C) 2006 Frantisek Hliva. All rights reserved."

< Prev
Last Updated ( Wednesday, 14 May 2008 11:52 )