Abstract: This article explains how to log incoming and outgoing dropped firewall packets.
When your IPTables rules are not working as expected, you may need to log the dropped packets for troubleshooting. This article describes how to log incoming and outgoing dropped firewall packets.
Logging All Dropped Incoming Packets
First, we need to understand how to log all dropped IPTables incoming packets to syslog.
If you already have a bunch of IPTables firewall rules, add the following lines at the bottom to log all dropped incoming packets to /var/log/messages.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
The example above performs the following actions:
- iptables -N LOGGING: Creates a new chain named LOGGING.
- iptables -A INPUT -j LOGGING: Every incoming packet not matched by an earlier INPUT rule jumps to the LOGGING chain.
- The third line: Logs the packets that reach the LOGGING chain to syslog (/var/log/messages). This line is explained in detail below.
- iptables -A LOGGING -j DROP: Finally, drops every packet that reaches the LOGGING chain. This is the rule that actually drops the incoming packets.
The third line above uses the following options for logging dropped packets:
- -m limit: Loads the limit match module, which provides the --limit option used to restrict how often the rule matches (and therefore how often it logs).
- --limit 2/min: The maximum average match rate for logging. In this example, it limits logging to 2 matches per minute. You can also specify 2/second, 2/minute, 2/hour, or 2/day. This is helpful when you do not want the log cluttered with repeated messages for the same kind of dropped packet.
- -j LOG: The target of this rule is LOG, i.e. write the packet headers to the log. Unlike DROP, LOG does not terminate rule evaluation, which is why the packet continues to the next rule in the chain.
- --log-prefix "IPTables-Dropped: ": Lets you specify a prefix that is added to the start of each log message written to /var/log/messages, so the entries are easy to search for.
- --log-level 4: The standard syslog level. 4 is warning. You can use values from 0 to 7, where 0 is emergency and 7 is debug.
Logging All Dropped Outgoing Packets
This is the same as above, but the second line below has OUTPUT instead of INPUT.
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Logging All Dropped Packets (Incoming and Outgoing)
This combines the two previous examples: the second line of each is kept, so there is a separate rule for INPUT and for OUTPUT, each of which jumps to the LOGGING chain.
To log both incoming and outgoing dropped packets, add the following lines at the bottom of your existing IPTables firewall rules.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Additionally, as explained earlier, by default IPTables log messages are written via syslog to /var/log/messages. If you want to send them to your own custom log file instead, add the following line to /etc/syslog.conf (or to /etc/rsyslog.conf on systems that use rsyslog).
kern.warning /var/log/custom.log
How to Read IPTables Logs
Here are examples of the lines logged in /var/log/messages when dropping incoming and outgoing packets.
Aug 4 13:22:40 centos kernel: IPTables-Dropped:IN=OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug 4 13:23:00 centos kernel: IPTables-Dropped:IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
In the output above:
- IPTables-Dropped: The prefix we set with the --log-prefix option.
- IN=em1: The interface on which this incoming packet arrived. For outgoing packets, this field is empty.
- OUT=em1: The interface through which the outgoing packet was leaving. For incoming packets, this field is empty.
- SRC= Source IP address from which the packet originated.
- DST= Destination IP address to which the packet was sent.
- LEN= Packet length.
- PROTO= The protocol (in the sample above, the first line is an outgoing ICMP packet and the second line an incoming TCP packet).
- SPT= Source port.
- DPT= Destination port. In the second line above, the destination port is 443, which shows that an incoming HTTPS packet was dropped.
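As an added example (not code from the original article), here is a small Python parser for the log format described above, which splits the NAME=value fields and bare flags of each line and then summarises drops by direction, protocol and destination port. The two sample lines embedded in it are constructed to mirror the article's examples, and the DroppedPacket, parse_line and summarize names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Two constructed sample lines modelled on the article's examples (real kernel output
# has a space after the prefix and after an empty "IN=" or "OUT=" field).
SAMPLE_LOG = """\
Aug  4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug  4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
"""

PREFIX = "IPTables-Dropped:"  # must match the --log-prefix used in the LOG rule
# A field is NAME=value (the value may be empty); a bare token such as DF or SYN is a flag.
TOKEN_RE = re.compile(r"([A-Z]+)=(\S*)|([A-Z]+)")


@dataclass
class DroppedPacket:
    direction: str  # "in" or "out", derived from which of IN= / OUT= is non-empty
    proto: str
    src: str
    dst: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[DroppedPacket]:
    """Parse one syslog line; return None if it does not carry our log prefix."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for m in TOKEN_RE.finditer(line[idx + len(PREFIX):]):
        if m.group(1) is not None:
            # Keep the first ID= (IP header id); ICMP lines repeat the key for the echo id.
            fields.setdefault(m.group(1), m.group(2))
        else:
            flags.append(m.group(3))
    port = lambda key: int(fields[key]) if key in fields else None
    return DroppedPacket("in" if fields.get("IN") else "out", fields.get("PROTO", "?"),
                         fields["SRC"], fields["DST"], port("SPT"), port("DPT"), flags)


def summarize(log_text: str) -> Dict[str, int]:
    """Count drops per 'direction/proto[/dpt]' key, a quick triage view of a log file."""
    pkts = [p for p in map(parse_line, log_text.splitlines()) if p is not None]
    return dict(Counter(f"{p.direction}/{p.proto}" + (f"/{p.dpt}" if p.dpt is not None else "")
                        for p in pkts))
```

Run summarize over the contents of /var/log/messages (or the custom log file configured above) to see which destination ports are being dropped most often.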
Link: https://bbs.huaweicloud.com/blogs/363985