It's useful to have a dedicated logfile which contains details of packets which are dropped or rejected by your iptables firewall. This will allow you to see when connection attempts are being made to your server by IP addresses which are being blocked. This can also be extremely useful when troubleshooting your iptables firewall.
If you’re not up to speed with iptables, then you’ll need to find another guide to work through. This article is only concerned with how to apply logging to your existing ruleset.
If you’re not currently logging anything in iptables, I’m going to assume that you’re DROPing packets you don’t want rather than REJECTing them. To start logging things, we’re going to create a new chain, called LOGDROP, which performs both LOG and DROP functions.
This is done like this, towards the start of your iptables script:
#Create a LOGDROP chain to log and drop packets
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG --log-level 7
/sbin/iptables -A LOGDROP -j DROP
Now that the new chain is defined, it can be applied to your existing rules. The following example is an iptables rule which will LOG and DROP all incoming TCP and UDP traffic that is not matched by a previous rule (you would typically find a rule like this at the bottom of your iptables script):
#Log and Drop all other incoming TCP and UDP traffic
/sbin/iptables -A INPUT -i $EXT_INT -p TCP -j LOGDROP
/sbin/iptables -A INPUT -i $EXT_INT -p UDP -j LOGDROP
In summary, you'll be jumping to the LOGDROP chain instead of the built-in DROP target.
Once you’ve made these changes to your firewall script, you’ll need to install it again. On my systems, I would do this by typing:
/root/iptables/installrules.sh
Once you've applied this to your iptables script, you'll need to tell syslog to log the information to a separate file, rather than /var/log/messages, which is the default.
To do this, edit the /etc/syslog.conf file and append the following entry:
#Send IPtables LOGDROPS to /var/log/iptables
kern.=debug /var/log/iptables
You'll notice that the log level specified here is debug. When we created the LOGDROP chain earlier, we applied log level 7, which is debug. Note that the kern.=debug selector matches every kernel message logged at the debug level, not only those produced by iptables, so unrelated kernel debug messages will also appear in this file.
Once you've made the changes to the syslog.conf file, you can create a blank log file:
touch /var/log/iptables
With that done, you’ll need to restart syslog:
/etc/init.d/syslog restart
Now, all packets which are sent to the LOGDROP chain by your firewall will be logged in /var/log/iptables.
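To actually see which blocked addresses are hitting your server, the new file needs to be summarised. The following is an added example, not part of the original article, that parses the KEY=VALUE fields the iptables LOG target writes and counts dropped packets per source address and per destination port; the log lines embedded in it are constructed samples in that format, and the unrelated USB line shows the parser skipping non-iptables kernel messages that kern.=debug also routes into the file.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the format the iptables LOG target emits
# (as seen in /var/log/iptables via kern.=debug). Not real traffic.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=45231 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:13 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=45232 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:15 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=0 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Mar  3 10:01:20 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12347 DF PROTO=TCP SPT=45233 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:00 gw kernel: usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

# The LOG target writes upper-case KEY=VALUE pairs; flags such as DF or SYN
# carry no '=' and are ignored here. OUT= legitimately has an empty value.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG-target line, or None when the
    line carries no packet header (e.g. an unrelated kernel debug message).
    A repeated key (UDP lines have two LEN= fields) keeps the last value."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize(log_text, top=5):
    """Count logged packets per source address and per (protocol, port)."""
    by_src, by_port, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            skipped += 1
            continue
        by_src[fields["SRC"]] += 1
        # ICMP has no DPT; key such packets by protocol only.
        by_port[(fields["PROTO"], fields.get("DPT", "-"))] += 1
    return {"by_src": by_src.most_common(top),
            "by_port": by_port.most_common(top),
            "skipped": skipped}


if __name__ == "__main__":
    # Usage: python3 thisfile.py /var/log/iptables  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    stats = summarize(text)
    for src, n in stats["by_src"]:
        print(f"source {src:<16} {n} packets")
    for (proto, port), n in stats["by_port"]:
        print(f"port   {proto}/{port:<6} {n} packets")
    print(f"non-iptables lines skipped: {stats['skipped']}")
```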