IPTables: How to log and set a specific log file

Question

Is it possible log all dropped connections by IPTables and set a iptables.log file for logging in /var/log/?

score 9 · Accepted Answer · answered Jan 29 '16 at 18:09

9

You can do this my configuring iptables to 'mark' the messages e.g.

iptables -A INPUT -s 192.0.2.0/24 -j LOG --log-prefix='[iptables] '

Which will cause a log message that is prefixed with the text [iptables]

Now you can configure your rsyslog to send these messages to a particular log file by adding a suitable entry to it's configuration e.g.

:msg,contains,"[iptables] " /var/log/iptables.log

answered Jan 29 '16 at 18:09

user9517

This will cause messages to go to both syslog and iptables.log. To prevent them from going to syslog, add another line :msg,contains "[iptables] " ~ (that's a tilde). I added these rules to /etc/rsyslog.d/10-iptables.conf. Also, /var/log/iptables.log must exist and be chown'd to syslog:adm. – Curt Jul 13 '23 at 02:22

score 0 · Answer 2 · answered Jan 29 '16 at 16:43

0

there is a way to log packets in IPTables. first you need to create new chain to logging packets.

iptables -N LOGGING

then you need to append which packets you are gonna log using following commands.

iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING

now you can log the packets to the syslogs using this.

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

finally this command.

iptables -A LOGGING -j DROP

please add this new lines to bottom of your IPTables files.

answered Jan 29 '16 at 16:43

Shyamin Ayesh

But where will it be logged? Where can I find the log file? – Jan 29 '16 at 16:44
They are logged in kern.log by default. but you can change this in your syslog server configuration. – Dom Jan 29 '16 at 19:24

2 Answers2