Linux firewall, iptables has the capability to log network activity to the syslog system. This is very useful to detect problems as well as to generate reports of network activity.

Enable LOG module

LOG is not a iptables build in target, it's an extension module. To enable iptables logging, your kernel has to be confired with CONFIG_IP_NF_TARGET_LOG enabled. When this option is set for a rule, the Linux kernel will print some information on all matching packets via the kernel log, which is syslog.

Here is one example:

iptables -A INPUT -s -j LOG --log-prefix ‘** DROP-this_ip **’

iptables -A INPUT -s -j DROP

Firewall rules are checked in a sequential manner. So first all packets from are loggeds, then the second rule drops the connection.


--log-prefix ‘** DROP-this_ip **’: This is log prefix to dropped rule. Useful to search using grep command:
# grep ‘** DROP-this_ip **’ /var/log/messages

Other options

LOG module supports other options, read man page of iptables for more information.

More options:

--log-ip-options         Include the IP options in the log entries
--log-level <level>    Log with the specified level, devault is warning
--log-prefix prefix      Prefix log entries with prefix
--log-tcp-options       Include the TCP options in the log entries
--log-tcp-sequence    Include the TCP sequence numbers in the log entries

You may ask,  will the log file get filled up too quickly? By adding limit match into LOG rule, we can resolve this problem.

In above case, we add

-m limit --limit 5/m --limit-burst 7/m

The packet matching will stop when a packet rate limit is exceeded

--limit         The number of packets to let through per unit of time, default is 3/hour
--limit-burst Set the count of packets that will be matched in a single 'burst' default is 5.

let's say in this way:
In the first unit time(1 minute for the case above), only 5 packet can get matched.
In following unit time, if there are constantly matched packets coming, 5 packets / minute.
In any given unit time, if no matched packets in the previous unit time, then 7 packets can be matched for this unit time.

Note: limit match is available only if your kernel has een configured with CONFIG_IP_NF_MATCH_LIMIT enabled.

LOG levels

You can also specify log leveles


iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP

Here is the list of log levels defined in syslog

Level    name               Description
  0      emerg or panic     Something is incredibly wrong; the system is probably about to crash
  1      alert              Immediate attention is required
  2      crit               Critical hardware or software failure
  3      error              Usually used for reporting of hardware problems by drivers
  4      warning            Something isn't right, but the problem is not serious
  5      notice             No problems; indicates an advisory of some sort.
  6      info               General information
  7      debug             Deguging





Comments powered by CComment