Firewall log dropped

Latest revision as of 14:32, 19 November 2014


This page explains how to log dropped packets with iptables. It is a summary of two excellent articles, one of them "The geek stuff" (http://www.thegeekstuff.com/2012/08/iptables-...):


iptables logs

Log all dropped packets

Edit your iptables script and add the following at the end, after all your ACCEPT rules. Every packet that reaches the LOGGING chain is logged (rate-limited to two entries per minute) and then dropped:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables - dropped: " --log-level 4
iptables -A LOGGING -j DROP


Log specific events

You can also log specific events in the INPUT, OUTPUT or FORWARD chain. Such rules must come before the jump to the LOGGING chain: everything that reaches LOGGING is dropped, so later rules in the chain are never evaluated.


SSH events

IPTABLES=`which iptables`

$IPTABLES -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "iptables - ssh: "


Log format

This is how to read an iptables log entry:

Field         Explanation
IN=em1        Interface the incoming packet arrived on. Empty for outgoing packets.
OUT=em1       Interface used for the outgoing packet. Empty for incoming packets.
MAC=          MAC header fields. Example: 00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00
                • 00:1c:f0:65:bd:78 - Destination MAC
                • 00:1d:70:47:f0:b0 - Source MAC (usually your router)
                • 08:00 - Payload type (EtherType)
SRC=          Source IP address (where the packet originated)
DST=          Destination IP address (where the packet was sent to)
LEN=          Length of the packet
TOS=          TOS field of the IP header. Unused on most networks, so anything but 0 would be unusual.
PREC=         Precedence. Also a routing optimisation field.
TTL=          Time to live (hop count of the packet)
ID=           Packet ID number
DF | CE | MF  IP header flags:
                • DF = Don't fragment bit
                • CE = Congestion experienced
                • MF = More fragments, i.e. this packet is part of a fragmented datagram.
PROTO=        Protocol
SPT=          Source port
DPT=          Destination port
WINDOW=       TCP window size, used by the TCP windowing (flow control) algorithm.
RES=          Reserved bits of the TCP header; normally 0x00.
<flag(s)>     UDP / TCP flag(s), if any. Examples: ACK, PSH, FIN
URGP=         Urgent flag. TCP may transport 'urgent' (out-of-band) data.
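A small parser for this log format, added here as an example (it is not code from the original page or from the articles it summarises): it separates the bare flag tokens (DF, SYN, ...) from the key=value fields, decodes the MAC field into destination MAC, source MAC and EtherType, keeps the second LEN= that UDP lines carry, and counts dropped packets per source, protocol and destination port. The sample lines are constructed to look like the "iptables - dropped: " output of the rules above; the host name and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample log, shaped like the output of the LOG rule above with
# prefix "iptables - dropped: " (not real captured traffic). The last line is
# an unrelated syslog message that the parser must ignore.
SAMPLE_LOG = """\
Nov 19 14:30:01 host kernel: [1988916.899165] iptables - dropped: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=60148 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 19 14:30:02 host kernel: [1988917.101000] iptables - dropped: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30542 DF PROTO=TCP SPT=60149 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 19 14:30:05 host kernel: [1988920.000000] iptables - dropped: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=10.0.0.9 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=20
Nov 19 14:30:06 host sshd[1234]: Accepted publickey for alice from 192.168.0.7
"""

# Kernel messages carry an optional "[uptime]" stamp, then our --log-prefix, then the fields.
LOG_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<prefix>iptables - [^:]*:) (?P<fields>.*)$")

def parse_iptables_line(line):
    """Return a dict of field -> value for one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"PREFIX": m.group("prefix"), "FLAGS": []}
    for tok in m.group("fields").split():
        if "=" not in tok:            # bare tokens are IP flags (DF, CE, MF) or TCP flags (SYN, ACK, ...)
            rec["FLAGS"].append(tok)
            continue
        key, _, val = tok.partition("=")
        if key in rec:                # UDP lines repeat LEN= for the UDP length; keep both
            key = "L4_" + key
        rec[key] = val
    mac = rec.get("MAC", "")
    if len(mac) == 41:                # 14 bytes: destination MAC, source MAC, EtherType
        rec["DST_MAC"], rec["SRC_MAC"], rec["ETHTYPE"] = mac[:17], mac[18:35], mac[36:]
    return rec

def dropped_summary(log_text):
    """Count dropped packets per (SRC, PROTO, DPT): one source hitting many ports stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if rec and rec["PREFIX"] == "iptables - dropped:":
            counts[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in dropped_summary(SAMPLE_LOG).most_common():
        print(n, *key)
```

Pointing the same functions at the real file (open("/var/log/iptables.log")) gives a quick per-source view of what the LOGGING chain is dropping.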



Log file

First, tell rsyslog to write the iptables messages to a dedicated log file.


Install rsyslog:

apt-get install -y rsyslog


Create the log file and set its permissions. Note that mode 777 makes the log world-writable; the file only needs to be writable by the user rsyslog runs as, so a tighter mode is preferable.

touch /var/log/iptables.log
chmod 777 /var/log/iptables.log


Create log configuration:

vim /etc/rsyslog.d/10-iptables.conf


Put the following configuration:

:msg, contains, "iptables - " -/var/log/iptables.log
& ~
  • 1st line matches messages containing the string "iptables - " (this must match the --log-prefix used in your rules) and appends them to the "/var/log/iptables.log" file
  • 2nd line stops further processing of the message, so that it is not also written to "/var/log/messages" or "/var/log/syslog" in addition to "/var/log/iptables.log" (newer rsyslog versions prefer "& stop" for this discard action)


Restart rsyslog:

service rsyslog restart


!! That's all !! :-)

Logs should now appear in /var/log/iptables.log.


You can verify this by tailing the log file:

$ tail -f /var/log/iptables.log

Try to connect over SSH from another machine; you should see a log entry being created and appearing on the screen immediately.

E.g.:

$ tail -f /var/log/iptables.log
Feb 20 23:27:11 ubuntu kernel: [1988916.899165] iptables: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=60148 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0