I have a policy to drop packets in the input chain:

    chain input {
        type filter hook input priority 0; policy drop;
    }

How can I log just these dropped packets?
Well, I'm going to guess that you also want to know WHAT kind of packet is being logged at the end of your nftables chain.
Let us assume that you already have a log capture daemon (such as syslogd, rsyslog-ng, or ulogd2) that is properly configured, daemonized, running, and reading all of your kernel logging (from /dev/log, which is fed by the kernel's ksyslog()), and saving these log messages to a file (such as /var/log/message).
If your chain policy is to accept, then append the log keyword to your nftables rule:
    table inet filter {
        ...
        chain input {
            type filter hook input priority 0; policy accept;
            ...
            # All my rules go here
            # Pick one that suits your needs best
            # (log must come before drop: drop is a terminal verdict,
            #  so anything written after it never runs)
            tcp dport 22 log drop
            tcp dport 21 counter log prefix "my_input_ftp " drop
        }
        ...
    }
This will log any attempt at SSH or FTP to your SSH/FTP server and then drop the packet.

I would add one line at the very end of that chain; an example of a filter input chain is given below:
    table filter {
        ...
        chain input {
            type filter hook input priority 0; policy drop;
            ...
            # All my rules go here
            ...
            # Pick one that suits your needs best
            counter comment "total unfiltered input packets"
            log                                  # simple detail goes into the log
            log flags all                        # extra details go into the log
            log flags all prefix "GOTCHA!: "     # parseable keyword
            log flags all counter                # redundant but example
            # drop; # this is redundant, policy is drop already
        }
        ...
    }
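Once a prefix such as "GOTCHA!: " is in place, the dropped-packet entries can be picked out of the kernel log and counted. The following is an added example, not code from any of the answers above: a small Python parser for the kernel's netfilter log format (the IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields are the kernel's own) that keeps only lines carrying the chosen prefix and tallies them by source, protocol and destination port or ICMP type. The log text is constructed for the example using RFC 5737 documentation addresses; the hostname "gw" and the syslog-style timestamp layout are assumptions about the local logging daemon.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log text (NOT real traffic): the shape a syslog daemon
# writes for kernel messages produced by an nftables "log prefix ..." rule,
# mixed with two unrelated kernel/sshd lines that must be ignored.
SAMPLE_LOG = """\
Jan 12 10:15:32 gw kernel: GOTCHA!: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:15:33 gw kernel: GOTCHA!: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 10:15:40 gw kernel: GOTCHA!: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=120 ID=777 PROTO=UDP SPT=40000 DPT=161 LEN=24
Jan 12 10:15:41 gw kernel: GOTCHA!: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=120 ID=778 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan 12 10:15:42 gw kernel: usb 1-1: new high-speed USB device number 3
Jan 12 10:15:43 gw sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 55000
"""

# KEY=value pairs in the netfilter dump; the value may be empty (e.g. "OUT=").
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Tokens the kernel emits bare, without "=": IP and TCP flags.
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_nft_log_line(line: str, prefix: str) -> Optional[dict]:
    """Return the fields of one netfilter log entry tagged with `prefix`.

    Lines that are not kernel messages, or that do not carry the prefix,
    yield None so callers can stream an entire log file through this.
    """
    if "kernel:" not in line:
        return None
    idx = line.find(prefix)
    if idx == -1:
        return None
    body = line[idx + len(prefix):]
    fields: dict = {}
    for key, value in KV_RE.findall(body):
        # Some keys repeat (IP LEN then UDP LEN, IP ID then ICMP ID);
        # keep the first occurrence, which is the IP-header value.
        fields.setdefault(key, value)
    fields["FLAGS"] = [tok for tok in body.split() if tok in BARE_FLAGS]
    return fields


def summarize_drops(log_text: str, prefix: str) -> Counter:
    """Count prefixed entries per (SRC, PROTO, DPT or ICMP TYPE) for triage."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = parse_nft_log_line(line, prefix)
        if fields is None:
            continue
        proto = fields.get("PROTO", "?")
        # TCP/UDP carry a destination port; ICMP carries a message type instead.
        target = fields.get("DPT") if proto in ("TCP", "UDP") else fields.get("TYPE")
        counts[(fields.get("SRC"), proto, target)] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, target), n in summarize_drops(SAMPLE_LOG, "GOTCHA!: ").most_common():
        print(f"{n:>4}  {src:<16} {proto:<5} {target}")
```

Point it at /var/log/messages (or `journalctl -k`) instead of SAMPLE_LOG and the same prefix string used in the rule, and the summary shows which sources are hitting the default-drop policy and on which ports, without any unrelated kernel messages mixed in.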
This works for me:

    log prefix "[nftables] Inbound Denied: " counter drop

Logs can be found in:

    /var/log/messages
Hope it helps!
Add 'log flags all prefix "PREFIX " counter drop' as the last line in the input section of your ruleset. The packets that would normally be dropped by the default input policy drop will be logged and dropped by this (the last) rule. Yes, it is redundant, however the redundancy is trivial.
The rules seem to be acted on in order. Policy is drop; then you have whatever accept rules you need. Now simply having log on a line by itself at the end does the trick.