11

I have followed the example for iptables logging from https://help.ubuntu.com/community/IptablesHowTo#More_detailed_Logging

sudo iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

I get log entries like below

Oct 20 03:45:50 hostname kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=1059 TOS=0x00 PREC=0x00 TTL=115 ID=31368 DF PROTO=TCP SPT=17992 DPT=80 WINDOW=16477 RES=0x00 ACK PSH URGP=0 
Oct 20 03:46:02 hostname kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=763 DF PROTO=TCP SPT=20229 DPT=22 WINDOW=15588 RES=0x00 ACK URGP=0 
Oct 20 03:46:14 hostname kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=324 TOS=0x00 PREC=0x00 TTL=49 ID=64245 PROTO=TCP SPT=47237 DPT=80 WINDOW=470 RES=0x00 ACK PSH URGP=0 
Oct 20 03:46:26 hostname kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=x.x.x.x DST=x.x.x.x LEN=52 TOS=0x00 PREC=0x00 TTL=45 ID=2010 PROTO=TCP SPT=48322 DPT=80 WINDOW=380 RES=0x00 ACK URGP=0 

Similar log entries appear every 2 - 3 seconds, so it seems like there is a lot of traffic being blocked. But my question is: how do I determine what sort of traffic is being blocked or dropped based on the log entries above?

Does DPT mean destination port? So does DPT=22 mean SSH access is blocked, and DPT=80 that HTTP traffic is blocked?

My iptables rules are mainly default values, except that I have added a few additional rules:

-A INPUT -s z.z.z.z/32 -j DROP
-A INPUT -s y.y.y.y/32 -j DROP
-A INPUT -s a.a.a.a/32 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

None of the SRC IPs in the log files are the ones iptables is specifically configured to drop all traffic from, and yet the log files show different IP addresses with DPT=80 and DPT=22 being dropped.

Is there something wrong with my config?

forestclown
  • Yes, something is most likely wrong with your configuration. What are you trying to do exactly? Yes, port 22 is SSH and 80 is HTTP and DPT is destination port, so you are logging some HTTP and SSH traffic. What is your goal? Are you trying to log traffic without affecting it? Are you trying to reject traffic? The "limit" module is used to match in a rate limited fashion. – Eddie Oct 20 '14 at 03:09
  • Hi Eddie, I am just trying to block all traffic from certain IP, hence the additional rules like -A INPUT -s z.z.z.z/32 -j DROP -A INPUT -s y.y.y.y/32 -j DROP -A INPUT -s a.a.a.a/32 -j DROP – forestclown Oct 20 '14 at 03:13
  • This rule `-m limit --limit 5/min -j LOG --log-prefix "iptables denied: "` will log all packets matching it but no more than five per minute. It doesn't actually deny them, despite what the log prefix is set to. Do you want to *log* and block all traffic from a certain IP? – Eddie Oct 20 '14 at 03:15
  • If the IP I am blocking in iptables are actually proxy servers, will that explain why different SRC address is logged? – forestclown Oct 20 '14 at 03:15
  • I just want to log traffic that is blocked by iptables. – forestclown Oct 20 '14 at 03:17
  • OK, editing my answer to answer that question – Eddie Oct 20 '14 at 03:18
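The log lines in the question are plain `KEY=value` pairs written by the kernel LOG target: IN/OUT are the interfaces, SRC/DST the addresses, PROTO the protocol, SPT/DPT the source and destination ports (ICMP lines carry TYPE/CODE instead of ports), and the prefix is whatever text the rule was given, so "denied" says nothing about what happened to the packet. As an added example that is not part of the question or its comments, the POSIX shell functions below parse such lines and summarise them by protocol/destination port and by source address, which is the quickest way to answer "what sort of traffic is being logged". The sample lines are constructed with documentation-range addresses, not the asker's real traffic.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines from syslog / journalctl -k.
# Usage:  journalctl -k | log_summary      or      log_summary < /var/log/kern.log

# Constructed sample input (RFC 5737 addresses); the last line is unrelated
# syslog noise that the functions must ignore.
SAMPLE_LOG='Oct 20 03:45:50 hostname kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=1059 TOS=0x00 PREC=0x00 TTL=115 ID=31368 DF PROTO=TCP SPT=17992 DPT=80 WINDOW=16477 RES=0x00 ACK PSH URGP=0
Oct 20 03:46:02 hostname kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=763 DF PROTO=TCP SPT=20229 DPT=22 WINDOW=15588 RES=0x00 ACK URGP=0
Oct 20 03:46:14 hostname kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=324 TOS=0x00 PREC=0x00 TTL=49 ID=64245 PROTO=TCP SPT=47237 DPT=80 WINDOW=470 RES=0x00 ACK PSH URGP=0
Oct 20 03:46:26 hostname kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=45 ID=2010 PROTO=UDP SPT=48322 DPT=53 LEN=56
Oct 20 03:46:30 hostname kernel: iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=45 ID=2011 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Oct 20 03:46:31 hostname sshd[1234]: Accepted publickey for admin from 198.51.100.200 port 50000 ssh2'

# Print the value of one KEY=value field from each log line on stdin.
# Prints an empty line when the field is present but empty (OUT= on inbound
# packets) and nothing at all when the field is absent (DPT on ICMP).
log_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Count logged packets per PROTO/DPT pair; "-" stands for "no port field".
# Only lines carrying the LOG prefix from the question are considered.
log_summary() {
    awk '
        /iptables denied:/ {
            proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Count logged packets per source address, busiest first.
log_sources() {
    awk '
        /iptables denied:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); count[$i]++ }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample.
echo "packets by protocol/destination port:"
printf '%s\n' "$SAMPLE_LOG" | log_summary
echo "packets by source:"
printf '%s\n' "$SAMPLE_LOG" | log_sources
```

Run against the real kernel log, the first table shows which services (22, 80, ...) the logged packets were aimed at and the second shows whether they come from the handful of addresses you meant to block or from the general population of the internet. For the rules in the question, the answer is the latter, because the log rule sits after the DROP rules and only ever sees traffic those rules let through.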

1 Answer

34

Here are your rules again:

-A INPUT -s z.z.z.z/32 -j DROP
-A INPUT -s y.y.y.y/32 -j DROP
-A INPUT -s a.a.a.a/32 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

The first will silently drop any packet matching it. As will the second and third. By the time you hit the "limit" rule, you have already dropped all packets matching those source IP addresses. You now have the rest of the traffic. For this rest of the traffic, you will log five packets per minute. You will misleadingly log them as denied when they are not actually denied.

If, instead, you want to log and drop packets matching any one of several source IP addresses, the easiest way to do this is to create a new chain that will log and drop. e.g.:

iptables -N LOG_AND_DROP
iptables -A LOG_AND_DROP -j LOG --log-prefix "Source host denied "
iptables -A LOG_AND_DROP -j DROP

Now that you have this chain, you want to direct traffic to log and drop to it:

iptables -A INPUT -s z.z.z.z/32 -j LOG_AND_DROP
iptables -A INPUT -s y.y.y.y/32 -j LOG_AND_DROP
iptables -A INPUT -s a.a.a.a/32 -j LOG_AND_DROP

This will take any packet matching those source addresses and send it to the LOG_AND_DROP chain. This chain, as it is named, first logs every single packet and then drops it. If you prefer, you can rate limit the logging and then drop it. Up to you, and depends on how much traffic we're talking about.

Note: Make sure you flush existing rules before adding the above rules. Otherwise you'll still have the misleading rule in there that is logging but not denying.

Eddie
  • Will this also account for ipv6? or there will be a separate rules needed for ipv6? – forestclown Oct 20 '14 at 05:16
  • 5
    For ipv6 you need to use ip6tables. It's separate. – Eddie Oct 20 '14 at 15:31
  • Is there any way not to re-create DROP rules though? E.g. in my case I have a custom system with various rules *(some of which I presume might be created by a service at runtime)*, and I just want to debug whether specific traffic being dropped. Re-creating these rules does not sound realistic. – Hi-Angel Jun 29 '23 at 13:25
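As an added example, not from Eddie's answer, the POSIX shell script below prints the commands that implement the LOG_AND_DROP chain for a list of source addresses. It covers the two follow-ups in the comments: logging can be rate-limited with the same `-m limit` match the question used, and addresses containing a colon are routed to ip6tables, since the IPv4 and IPv6 tables are separate. It also removes the question's log-only rule by deleting it with `-D` and the exact match spec, which leaves the rest of INPUT untouched instead of flushing everything. The chain name, prefix and rate come from the answer; the addresses are constructed documentation-range values standing in for z.z.z.z, y.y.y.y and a.a.a.a. Commands are printed rather than executed so they can be reviewed; pipe the output to `sh` as root to apply them.

```shell
#!/bin/sh
# Added example: generate (not execute) the iptables/ip6tables commands for a
# LOG_AND_DROP chain. Review the output, then:  ./this.sh | sudo sh

# Pick the tool for one address: anything containing ':' is treated as IPv6.
fw_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Commands that (re)create the chain in one tool.
# $1 = tool, $2 = chain, $3 = log prefix, $4 = rate limit such as 5/min, or ""
# to log every packet as in the answer.
emit_chain() {
    tool=$1 chain=$2 prefix=$3 limit=$4
    # -N fails if the chain already exists, so ignore that; -F then empties it,
    # which makes re-running the generated commands idempotent.
    echo "$tool -N $chain 2>/dev/null || true"
    echo "$tool -F $chain"
    if [ -n "$limit" ]; then
        echo "$tool -A $chain -m limit --limit $limit -j LOG --log-prefix \"$prefix\""
    else
        echo "$tool -A $chain -j LOG --log-prefix \"$prefix\""
    fi
    echo "$tool -A $chain -j DROP"
}

# Commands that build the chain(s) needed for the given addresses, remove the
# question's log-only rule, and jump each address to the chain. -I puts the
# jumps ahead of whatever else is already in INPUT.
# $1 = chain, $2 = log prefix, $3 = rate limit or "", remaining args = addresses.
emit_rules() {
    chain=$1 prefix=$2 limit=$3
    shift 3
    v4=0 v6=0
    for addr in "$@"; do
        case "$(fw_tool "$addr")" in
            iptables)  v4=1 ;;
            ip6tables) v6=1 ;;
        esac
    done
    if [ "$v4" = 1 ]; then emit_chain iptables  "$chain" "$prefix" "$limit"; fi
    if [ "$v6" = 1 ]; then emit_chain ip6tables "$chain" "$prefix" "$limit"; fi
    # The rule from the question logs but does not deny: delete exactly it.
    echo 'iptables -D INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 2>/dev/null || true'
    for addr in "$@"; do
        echo "$(fw_tool "$addr") -I INPUT -s $addr -j $chain"
    done
}

# Demo: constructed addresses in place of z.z.z.z / y.y.y.y / a.a.a.a, with the
# answer's chain name and prefix and the question's 5/min rate limit.
emit_rules LOG_AND_DROP "Source host denied " 5/min 192.0.2.10 198.51.100.7 2001:db8::5
```

With the rate limit argument left empty the chain logs every packet, exactly as in the answer; with `5/min` it logs at most five per minute per tool, which is the right choice when a blocked host is hammering the box and you do not want the log to fill up.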