Firewall log dropped
Latest revision as of 14:32, 19 November 2014
This page explains how to log the packets that iptables drops and how to send those log lines to a dedicated file. It is a summary of two excellent articles:
- "The geek stuff" - http://www.thegeekstuff.com/2012/08/iptables-log-packets/
- "Networking howtos" - http://www.networkinghowtos.com/howto/change-the-iptables-log-file/
IpTables logs
Log all dropped packets
Edit your iptables script and add the following at the end. Because -A appends, every rule that accepts wanted traffic must come before these lines; anything that reaches them is logged and then dropped:
# Dedicated chain so the log-then-drop logic is written only once
iptables -N LOGGING
# Whatever the earlier INPUT/OUTPUT rules did not accept ends up here
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
# LOG is non-terminating; -m limit keeps a flood or port scan from filling the log
# (default burst of 5 lines, then 2 lines per minute). --log-level 4 is "warning".
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables - dropped: " --log-level 4
# Packets over the limit are still dropped, just not logged
iptables -A LOGGING -j DROP
Two things to keep in mind: the rate limit means that during a scan most dropped packets never appear in the log, only the first few per minute; and the OUTPUT jump drops every outgoing packet your script has not explicitly accepted, so either allow the outbound traffic the host needs (DNS, updates, ...) before these lines or leave the OUTPUT line out.
Log specific events
You can also log specific events in the INPUT, OUTPUT or FORWARD chain without dropping them. LOG is a non-terminating target: after the line is written the packet continues to the next rule, so put the LOG rule before the rule that accepts or drops the traffic you are interested in.
SSH connection attempts
IPTABLES=`which iptables`
# --syn matches only the first packet of a new TCP connection, so each
# connection attempt to port 22 gives one log line instead of one per packet
$IPTABLES -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "iptables - ssh: "
Keep the "iptables - " start of the prefix: the rsyslog filter further down selects lines on it.
Log format
This is how to read an iptables log line. The fields up to PROTO= come from the IP header and appear on every line; the ones after it depend on the transport protocol.
Field | Explanation
---|---
IN=em1 | Interface the packet arrived on. Empty for outgoing (locally generated) packets.
OUT=em1 | Interface the packet leaves through. Empty for incoming packets.
MAC= | The 14-byte Ethernet header, printed as colon-separated octets. Example `00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00` = destination MAC `00:1c:f0:65:bd:78`, source MAC `00:1d:70:47:f0:b0` (usually your router for traffic from outside the LAN), EtherType `08:00` (IPv4). Empty when the packet did not arrive over Ethernet.
SRC= | Source IP address: where the packet originated.
DST= | Destination IP address: where the packet was sent to.
LEN= | Total length of the IP packet in bytes, header included.
TOS= | Type of Service bits of the IP header. 0x00 for most traffic; 0x10 (low delay) is normal for SSH, which requests it for interactive sessions.
PREC= | Precedence, the top three bits of the same TOS byte. Almost always 0x00.
TTL= | Time to live (remaining hop count). Typically 64 or 128 when the packet leaves its source, decremented by every router on the way.
ID= | IP identification number, used to reassemble fragments.
DF / CE / MF | IP header flags, printed only when set: DF = don't fragment, CE = congestion experienced, MF = more fragments (the packet is part of a fragmented datagram).
PROTO= | Transport protocol (TCP, UDP, ICMP, ...). The fields below exist only for TCP and UDP; WINDOW=, RES=, the flags and URGP= only for TCP.
SPT= | Source port.
DPT= | Destination port.
WINDOW= | TCP receive window advertised by the sender.
RES= | Reserved bits of the TCP header; should be 0x00.
< flag(s) > | TCP flags that are set, if any. Examples: SYN, ACK, PSH, FIN, RST.
URGP= | TCP urgent pointer, normally 0. TCP may transport 'urgent' (out of band) data.
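Reading the fields by hand works for one line; for a log with many entries the same table can be applied by a small parser. The following is an added example, not code from the original page or from the cited articles: it turns each LOG line into a dict following the layout above, splits the MAC= field into its three parts, and counts dropped packets per source, protocol and destination port for the "iptables - dropped: " prefix used earlier on this page. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Parse and summarise iptables LOG lines (added example, not the page's code).

Field layout follows the table above: `NAME=value` fields plus bare flag
tokens (DF, MF, CE for IP; SYN, ACK, ... for TCP). SAMPLE_LOG is constructed
for this example, using the prefixes set by the rules on this page.
"""
import re
from collections import Counter

IP_FLAGS = {"DF", "MF", "CE"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# "... kernel: " [optional "[uptime] "] <--log-prefix text> "IN=..." to end of line
_LINE_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(.*?)(IN=.*)$")

# Constructed sample: two telnet SYNs and a NetBIOS/ICMP probe that were dropped,
# plus one SSH attempt logged by the non-dropping "iptables - ssh: " rule.
SAMPLE_LOG = """\
Feb 20 23:27:11 ubuntu kernel: [1988916.899165] iptables - dropped: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=60148 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 23:27:12 ubuntu kernel: [1988917.100021] iptables - dropped: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30542 DF PROTO=TCP SPT=60149 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 23:27:15 ubuntu kernel: [1988920.004411] iptables - dropped: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=10.0.0.9 DST=192.168.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 20 23:27:18 ubuntu kernel: [1988923.000001] iptables - dropped: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=10.0.0.9 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7001 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 20 23:27:20 ubuntu kernel: [1988925.550000] iptables - ssh: IN=eth0 OUT= MAC=00:1c:f0:65:bd:78:00:1d:70:47:f0:b0:08:00 SRC=192.168.0.7 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return a dict of the LOG fields in one syslog line, or None if it is not one.

    `NAME=value` tokens are stored under NAME; bare flag tokens go into
    "ip_flags" / "tcp_flags"; the --log-prefix text is kept under "prefix".
    UDP and ICMP lines repeat a key for the transport header (a second LEN=
    or ID=); that second value is stored under "L4_<NAME>".
    """
    m = _LINE_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group(1), "ip_flags": set(), "tcp_flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in fields:
                key = "L4_" + key
            fields[key] = value
        elif tok in IP_FLAGS:
            fields["ip_flags"].add(tok)
        elif tok in TCP_FLAGS:
            fields["tcp_flags"].add(tok)
        # anything else (FRAG:n, OPT (...)) is not needed here and is skipped
    return fields


def split_mac(mac):
    """Split the 14-octet MAC= value into (dst_mac, src_mac, ethertype); None if malformed."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return ":".join(octets[:6]), ":".join(octets[6:12]), ":".join(octets[12:])


def summarise(lines, prefix="iptables - dropped: "):
    """Count packets per (SRC, PROTO, DPT) among the lines carrying `prefix`.

    Lines logged under another prefix (e.g. the SSH rule) are left out, so
    the result only describes what the firewall actually dropped.
    """
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None or f["prefix"] != prefix:
            continue
        counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    # e.g. "   2  192.168.0.3     TCP   dpt=23" for the two telnet SYNs
    for (src, proto, dpt), n in summarise(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {src:<15} {proto or '-':<5} dpt={dpt or '-'}")
```

Run it against a real file with `summarise(open("/var/log/iptables.log"))`; because the filter is on the prefix, the same parser also works on the SSH lines by passing `prefix="iptables - ssh: "`. Remember that with the `-m limit` rule the counts are a lower bound: packets beyond the limit were dropped without being logged.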
Log file
The LOG target writes to the kernel log, which syslog normally appends to /var/log/syslog (or /var/log/messages) together with everything else. The following steps make rsyslog put the iptables lines in a dedicated file instead.
Install rsyslog:
apt-get install -y rsyslog
Create the log file and set its permissions. Do not use chmod 777: a world-writable firewall log can be edited or truncated by any local user, which defeats the point of keeping it. Give the file the same owner and mode as the other files in /var/log; on Ubuntu, where rsyslog writes as the syslog user, that is:
touch /var/log/iptables.log
chown syslog:adm /var/log/iptables.log
chmod 640 /var/log/iptables.log
(If you skip this step, rsyslog creates the file itself on the first matching message, using its $FileOwner, $FileGroup and $FileCreateMode settings.)
Create log configuration:
vim /etc/rsyslog.d/10-iptables.conf
Put the following configuration in it:
:msg, contains, "iptables - " -/var/log/iptables.log
& ~
- The 1st line matches every message whose text contains "iptables - ", which covers both prefixes used above ("iptables - dropped: " and "iptables - ssh: "), and appends it to /var/log/iptables.log. The filter and the --log-prefix must agree: a rule with a different prefix keeps logging to the general syslog. The leading "-" in front of the path tells rsyslog not to flush the file after every line, which matters when a scan produces many entries.
- The 2nd line discards the message after it has been written, so that it does not also end up in /var/log/messages or /var/log/syslog. On rsyslog 7 and later the same is spelled "& stop"; "~" still works but is deprecated.
Restart rsyslog:
service rsyslog restart
!! That's all !! :-)
Logs should be appearing in /var/log/iptables.log
You can verify this by tailing the log file:
$ tail -f /var/log/iptables.log
Connect over SSH from another machine; each connection attempt should produce a line like this one, carrying the prefix set by the SSH rule above:
Eg:
$ tail -f /var/log/iptables.log
Feb 20 23:27:11 ubuntu kernel: [1988916.899165] iptables - ssh: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=60148 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Read with the table above: a TCP SYN (a new connection) from 192.168.0.3 to port 22 on 192.168.0.1, arriving on eth0, with the DF bit set and the low-delay TOS that SSH clients request.