IPtables Logging for services

Question

I am logging all incoming and outgoing IP connections and ports to my Linux server with IPtables LOG. Now, I wish to log the services to which these IPs connects in server.

Example, if the connection is to port 80, then log service name as httpd. Is it possible with IPtables logging? Below is the rules I am using right now.:

-A INPUT -j LOG --log-prefix "IPs INCOMING"
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s x.x.x.x/8 -j ACCEPT
-A INPUT -s x.x.x.x/12 -j ACCEPT
-A INPUT -s x.x.x.x/16 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "IPs OUTGOING"

You probably want to add something like `-m state --state NEW` to your log lines otherwise you're going to log every packet for a given connection which will fill your logs quickly — bodgit, Apr 10 '18 at 09:30

score 1 · Answer 1 · answered Apr 10 '18 at 09:34

1

You could do it with something like this:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j LOG --log-prefix "HTTP connection"

This would be needed to be inserted before any matching -j ACCEPT rule.

AFAIK there isn't a way to have a generic log line which resolves the service name from the port for the purposes of setting the log prefix; that also wouldn't work if you had for example, HTTP listening on any port other than 80 or 443.

answered Apr 10 '18 at 09:34

bodgit

4,751
16
27

`state` is deprecated; modern Linux systems should use `-m conntrack --ctstate WHATEVER`. – Michael Hampton Apr 10 '18 at 16:47

IPtables Logging for services

1 Answers1