The Linux firewall, iptables, can log network activity to the syslog system. This is very useful for detecting problems as well as for generating reports of network activity.
Enable LOG module
LOG is not an iptables built-in target; it is an extension module. To enable iptables logging, your kernel has to be configured with CONFIG_IP_NF_TARGET_LOG enabled. When this target is set for a rule, the Linux kernel prints information about every matching packet to the kernel log, which syslog collects.
Here is one example:
iptables -A INPUT -s 10.0.10.22 -j LOG --log-prefix '** DROP-this_ip **'
iptables -A INPUT -s 10.0.10.22 -j DROP
Firewall rules are checked sequentially, so every packet from 10.0.10.22 is first logged by the first rule and then dropped by the second.
--log-prefix '** DROP-this_ip **': this is the log prefix for the drop rule. It is useful for searching with grep (use -F so the asterisks are taken literally rather than as regex metacharacters):
# grep -F '** DROP-this_ip **' /var/log/messages
The LOG module supports other options; read the iptables man page for more information.
--log-ip-options Include the IP options in the log entries
--log-level <level> Log with the specified level, default is warning
--log-prefix prefix Prefix log entries with prefix
--log-tcp-options Include the TCP options in the log entries
--log-tcp-sequence Include the TCP sequence numbers in the log entries
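The grep above finds the log lines; turning them into the kind of report mentioned at the top of the page means parsing the KEY=VALUE fields the LOG target writes after the prefix. The following Python is an added example, not part of the original post, run over constructed sample syslog lines that use the two prefixes from this page (the USB line stands in for unrelated kernel messages):

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic) in the format the iptables
# LOG target emits: the --log-prefix text, then KEY=VALUE fields starting at IN=.
# Note the kernel prints the prefix immediately before "IN=", so a prefix without
# a trailing space is glued to it, as with the two prefixes used on this page.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: ** DROP-this_ip **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.10.22 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: ** DROP-this_ip **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.10.22 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45679 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:04 fw kernel: INPUT:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=UDP SPT=53 DPT=5060 LEN=24
Mar  3 10:01:05 fw kernel: usb 1-1: new high-speed USB device number 2
"""

# A LOG line is whatever follows "kernel: " up to the first "IN=" (the prefix),
# then the fields; other kernel messages have no "IN=" and are ignored.
LOG_LINE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")
FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return (prefix, fields) for an iptables LOG line, or None otherwise."""
    m = LOG_LINE.search(line)
    if m is None:
        return None
    # Bare flags such as DF or SYN carry no "=" and are skipped; a key that
    # repeats (LEN appears twice for UDP) keeps its last value.
    fields = dict(FIELD.findall(m.group("fields")))
    return m.group("prefix").strip(), fields


def summarize(text):
    """Count logged packets per (prefix, source) and per (source, proto, dport)."""
    by_source = Counter()
    by_service = Counter()
    for line in text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        by_source[(prefix, f.get("SRC"))] += 1
        by_service[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return by_source, by_service


if __name__ == "__main__":
    by_source, by_service = summarize(SAMPLE_LOG)
    for (prefix, src), n in by_source.most_common():
        print(f"{n:5d}  {prefix:20s}  SRC={src}")
    for (src, proto, dport), n in by_service.most_common():
        print(f"{n:5d}  {src} -> {proto}/{dport}")
```

A prefix that ends in a space (for example '** DROP-this_ip ** ') keeps the raw log lines readable, since the kernel writes IN= directly after it; the parser above copes either way.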
You may ask whether the log file will fill up too quickly. Adding a limit match to the LOG rule solves this problem.
In the above case, we add the limit match to the LOG rule (note that --limit-burst takes a plain packet count, not a rate):
iptables -A INPUT -s 10.0.10.22 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** DROP-this_ip **'
Packet matching stops when the packet rate limit is exceeded.
--limit The number of packets to let through per unit of time; the default is 3/hour
--limit-burst The maximum number of packets that will be matched in a single 'burst'; the default is 5
Put another way:
In the first unit of time (1 minute for the case above), only 5 packets can get matched.
In the following units of time, if matched packets keep coming, 5 packets per minute are matched.
In any given unit of time, if no packets matched in the previous unit of time, then 7 packets can be matched in this unit.
Note: the limit match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_LIMIT enabled.
You can also specify the log level:
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP
Here is the list of log levels defined in syslog:
Level  Name            Description
0      emerg or panic  Something is incredibly wrong; the system is probably about to crash
1      alert           Immediate attention is required
2      crit            Critical hardware or software failure
3      error           Usually used for reporting of hardware problems by drivers
4      warning         Something isn't right, but the problem is not serious
5      notice          No problems; indicates an advisory of some sort
6      info            General information
7      debug           Debugging messages