
There are many ways to log traffic for a web server. For example, if I want to log all incoming traffic, I can place the following line as the first rule appended to the INPUT chain:

-A INPUT -j LOG --log-prefix "IPTABLES: " --log-level info

If I want to log all new connections, I can place the above rule after this rule:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Or if I want to log dropped connections, I can place the logging rule after accept rules and just before the drop rule, such as:

-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTABLES: " --log-level info
-A INPUT -j DROP

I find many of the example configurations found online log only some specific dropped connections, such as malformed packets or unwanted connections to SSH. If the connections have already been dropped specifically due to requirement, why do people still want to keep a log for it? Wouldn't logging all incoming connections (rate limited) be more useful than logging unwanted traffic?

I want to emphasize that I am asking this question with the purpose of network troubleshooting in mind.

– Question Overflow
  • This seems like it may be better served on security.stackexchange.com. Having said that, it also seems somewhat non-constructive, as each business will make its own decisions based on its own requirements and the regulatory regime within which it operates. – user9517 Jan 08 '13 at 08:18
  • @lain, thanks for your comment. I thought the purpose of logging with iptables is more for network troubleshooting, which includes security issues of course. As for logging for business requirement, I feel that apache would be better suited for the job. Having said that, if you feel this is more appropriate for security exchange, feel free to migrate it. Thanks :) – Question Overflow Jan 08 '13 at 08:49
  • Also check legal requirements. – TomTom Jan 08 '13 at 09:02
  • Are you doing this because you have a specific network problem, or are you just doing it in case of? – user9517 Jan 08 '13 at 10:05
  • @lain, no, I don't have any specific problem. If there is a problem, example, users complaining of web page hang during file upload or slow connection during certain times of the day etc, I would be able to troubleshoot the problem immediately with the firewall log data after ruling out server or application problem. If no logging is done, then how would such issues be resolved? – Question Overflow Jan 09 '13 at 03:18
  • If you have a problem with the web server, the web server's logs are much more likely to be useful than the firewall logs. – Michael Hampton Jan 09 '13 at 03:38
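The three placements the question describes, worked into one complete INPUT chain, as an added example that is not part of the original post or its comments. It prints an iptables-restore ruleset rather than applying anything, so it can be reviewed offline; the allowed ports (22, 80, 443) and the rate-limit values are assumptions chosen for illustration, and it uses `-m conntrack --ctstate` in place of the older `-m state --state` alias from the question. The script also checks the ordering the question relies on: the NEW-connection LOG rule sits after the ESTABLISHED accept and before the per-port accepts, and the DROP LOG rule is the line immediately before the final DROP.

```shell
#!/bin/sh
# Added example (not from the original post): build an iptables-restore
# ruleset that logs new inbound connections (rate limited) and, separately,
# whatever reaches the final DROP. Nothing is applied to a live firewall.
# Review the output, then as root: iptables-restore --test < rules.v4

# Ports assumed open for this example (constructed, not from the post).
ALLOW_TCP_PORTS="22 80 443"

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Placement 1: after the ESTABLISHED accept, so only the first packet of
    # each connection is logged. -m limit caps the log rate; once the burst
    # is spent, further NEW packets simply fail to match this LOG rule and
    # continue down the chain unlogged (they are not dropped by it).
    printf '%s\n' '-A INPUT -m conntrack --ctstate NEW -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix "IPTABLES NEW: " --log-level info'
    for p in $ALLOW_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Placement 2: immediately before the drop, so the log records exactly
    # what the policy rejected. It gets its own limit bucket so a flood of
    # unwanted traffic cannot exhaust the NEW-connection log above.
    printf '%s\n' '-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPTABLES DROP: " --log-level info'
    printf '%s\n' '-A INPUT -j DROP'
    printf 'COMMIT\n'
}

# Print the 1-based line numbers of: the NEW LOG rule, the first per-port
# ACCEPT, the DROP LOG rule, and the final DROP, so ordering can be checked.
log_positions() {
    gen_ruleset | awk '
        /-j LOG --log-prefix "IPTABLES NEW: "/  { new = NR }
        /-j LOG --log-prefix "IPTABLES DROP: "/ { drop_log = NR }
        /^-A INPUT -j DROP$/                    { drop = NR }
        /--dport .* -j ACCEPT/ && !first_accept { first_accept = NR }
        END { printf "%d %d %d %d\n", new, first_accept, drop_log, drop }'
}

# True when the NEW log precedes the port accepts and the DROP log is the
# line right before the final DROP (the placement described in the question).
check_ordering() {
    set -- $(log_positions)
    [ "$1" -gt 0 ] && [ "$1" -lt "$2" ] && [ "$4" -eq $(( $3 + 1 )) ]
}

# Stand-alone use: refuse to emit a ruleset whose logging is misplaced.
if ! check_ordering; then
    echo "LOG/DROP ordering is wrong, refusing to emit ruleset" >&2
    exit 1
fi
gen_ruleset
```

Two caveats a practitioner would want before relying on this for troubleshooting: `-m limit` silently discards log entries once the bucket is empty, so a rate-limited "log everything" rule can miss exactly the burst you were trying to diagnose, which is why the NEW-only rule logs one packet per connection rather than every packet; and LOG writes to the kernel ring buffer, so high-volume logging is better moved to `-j NFLOG` with ulogd, which keeps it out of dmesg and lets you rotate it like any other log.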

0 Answers