
I'm trying to log when IPTables drops connections mostly for analysis. Problem is, my log seems to be written to... nowhere.

By this time I know that iptables logs through the kern facility and, for this, everything should be written to /var/log/kern.log.

This is the head of my /etc/syslog.conf

#  /etc/syslog.conf     Configuration file for syslogd.
#
#                       For more information see syslog.conf(5)
#                       manpage.

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*          -/var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                  -/var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  10.97.110.0/24       0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02 limit: avg 6/hour burst 2
LOGDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x17/0x02
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:1194
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1194 flags:0x17/0x02 limit: avg 12/hour burst 4
LOGDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1194 flags:0x17/0x02

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGDROP (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `iptables drop: '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

After a few connections to Port 22 the connection is correctly dropped and I receive a timeout. But still, there's no log anywhere. At least not in places I have been looking so far. Can you please tell me what's wrong there?

cat /proc/version

Linux version 2.6.32-028stab092.1 (root@rhel5-build-x64) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Wed Jul 20 19:47:12 MSD 2011
annih
    If you use `iptables -L -nv` you will also get counts for how many times each rule has been hit. That may help. Have you looked in `/var/log/messages`? – Ladadadada Mar 03 '13 at 08:58
  • @Ladadadada I have checked /var/log/messages. Not there either, although syslog.conf contains the appropriate entry as well. Packet count says it gets hit - went from 81 to 83 for my LOGDROP chain when I got timed out. – annih Mar 03 '13 at 13:09
  • Could you first try to add a logging rule somewhere in your iptables rules, so that it will capture everything, not only ssh, to see if logging of iptables works in general? E.g., '-A OUTPUT -j LOG --log-prefix "IPTABLES: "'. However, be careful, it could produce a huge amount of logs and unbalance your system. – Andrey Sapegin Feb 02 '14 at 19:51
  • I could be mistaken, but are you ACCEPTing right before the LOGDROP? – CrackerJack9 May 20 '14 at 23:23
  • I am, but only in certain cases and then the chain ends. The logdrop happens if the IP is unknown and the connect or burst limit is exceeded. – annih Jun 02 '14 at 13:30

0 Answers
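The two checks raised in the comments (do the LOGDROP counters move, and do prefixed lines ever reach a syslog file) can be scripted. The script below is an added example, not code from the question or from any answer. The counter listing and the kern.log lines it parses are constructed to mirror the ruleset above; hostnames, addresses and counter values are made up. The live commands in `live_checks` assume a sysklogd or rsyslog setup: kernel messages only reach the files named in syslog.conf if klogd (sysklogd) or rsyslog's imklog module is running, otherwise LOG output stays in the kernel ring buffer and is only visible with dmesg. A 2.6.32-028stab kernel is an OpenVZ/Virtuozzo kernel; inside such a container the ring buffer belongs to the host node, so if the checks come back empty in the container, repeat the dmesg and grep checks on the host.

```shell
#!/bin/sh
# Diagnose an iptables LOG target whose messages never show up in syslog.
# Added example, not from the original post. All sample data is constructed.

# Constructed output in the shape of `iptables -L LOGDROP -nv`: both rules hit 83 times.
SAMPLE_COUNTERS='Chain LOGDROP (2 references)
 pkts bytes target     prot opt in     out     source               destination
   83  4980 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "iptables drop: "
   83  4980 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed /var/log/kern.log excerpt: one unrelated kernel line, no drop lines at all.
SAMPLE_KERNLOG='Mar  3 08:55:01 host kernel: [12345.678901] eth0: link up'

# Prefix used by the LOG rule in the LOGDROP chain (trailing space included).
LOG_PREFIX='iptables drop: '

# Packet counter of the first LOG rule in a `-L <chain> -nv` listing.
# Fields: pkts bytes target ... so the target is $3 and the counter is $1.
log_rule_hits() {
    printf '%s\n' "$1" | awk '$3 == "LOG" { print $1; exit }'
}

# Number of log lines that carry the given prefix. awk instead of grep -c so a
# zero count does not produce a non-zero exit status under `set -e`.
count_prefixed_lines() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p) > 0 { n++ } END { print n + 0 }'
}

# Compare rule counters against what reached syslog and name the situation:
#   rule-never-matched      the LOG rule is not being reached (ordering/ACCEPT before it)
#   rule-fires-but-no-syslog the LOG target runs but nothing lands in the file
#                           (klogd/imklog not running, or messages land elsewhere,
#                            e.g. on the OpenVZ host node)
#   logging-ok               counters and log lines both show activity
diagnose() {
    hits=$(log_rule_hits "$1")
    lines=$(count_prefixed_lines "$2" "$3")
    if [ "${hits:-0}" -eq 0 ]; then
        echo "rule-never-matched"
    elif [ "$lines" -eq 0 ]; then
        echo "rule-fires-but-no-syslog"
    else
        echo "logging-ok"
    fi
}

# Commands to run as root on the real box (not executed by the sample run below).
live_checks() {
    iptables -L LOGDROP -nv                      # do the LOG/DROP counters move?
    dmesg | grep "$LOG_PREFIX"                   # is the message in the ring buffer at all?
    grep "$LOG_PREFIX" /var/log/kern.log /var/log/syslog /var/log/messages 2>/dev/null
    ps ax | grep -E '[k]logd|[r]syslogd'        # something must move /proc/kmsg to syslog
    # Catch-all rule to prove LOG works in general; rate-limited so it cannot flood the log:
    #   iptables -I INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES: "
}

# Sample run against the constructed data.
echo "LOG rule hits:        $(log_rule_hits "$SAMPLE_COUNTERS")"
echo "prefixed log lines:   $(count_prefixed_lines "$SAMPLE_KERNLOG" "$LOG_PREFIX")"
echo "diagnosis:            $(diagnose "$SAMPLE_COUNTERS" "$SAMPLE_KERNLOG" "$LOG_PREFIX")"
```

With the constructed data the diagnosis is `rule-fires-but-no-syslog`, which matches the situation in the question: the LOGDROP counters advance while kern.log, syslog and messages stay empty, so the next thing to check is dmesg and whether klogd or imklog is actually feeding /proc/kmsg into syslogd, and, on an OpenVZ container, the host node's log.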