The man page is my friend. I am somewhat less confused than before (I hope).
I was looking for info on how to log events; in particular, REJECT events. The relevant portion of the man page is below. I interpret this to mean that I need two separate lines in my iptables file. Therefore, instead of:

...
# HANMAIL.NET spammers
-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
...

I would need:

...
# HANMAIL.NET spammers
-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j REJECT
-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j LOG --log-level INFO --log-prefix IPTABLES-REJECT --log-ip-options --log-tcp-options
-A RH-Lokkit-0-50-INPUT -s 61.79.0.0/16 -j REJECT
...

to log all events of INFO or higher priority that meet those input criteria. Have I got this right?
I think it is slightly different to how you have put it.
What happens is that the rules you give above *will* go to INFO level of syslog, and it depends on /etc/syslogd.conf whether the events are logged at all, i.e. syslogd.conf must be set up to log 'events of INFO or higher priority'.
I find that logging from iptables is ugly and difficult to read, especially when it all goes to /var/log/messages .
I tell anything kernel* level of syslog to be logged in a file /var/log/kernelmessages in /etc/syslogd.conf by modifying the kernel* line -
kern.* /var/log/kernelmessages
I then use a rule like:
-A RH-Lokkit-0-50-INPUT -s 61.78.0.0/16 -j LOG --log-level debug --log-prefix "IPTABLES-REJECT: " --log-ip-options --log-tcp-options
There are other ways to achieve a similar thing BTW, by using a local unused syslog level perhaps.
Logging from iptables also tends to generate a big log file, so it may be helpful to add -m limit --limit 5 --limit-burst 10 as well. This will help prevent monster log files...
Cheers, Michael
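An added example, not from either poster, that emits the rate-limited LOG rule followed by the REJECT rule for each source network in iptables-restore syntax, and then counts matching kernel log lines per source so the prefixed entries can be read without wading through /var/log/messages. The chain name, prefix and limit values are taken from the thread; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: LOG+REJECT rule pairs with rate limiting, plus a summary of
# the kernel log lines those LOG rules produce. Chain and prefix follow the
# thread; SAMPLE_LOG below is constructed, not captured from a real host.

CHAIN="RH-Lokkit-0-50-INPUT"
PREFIX="IPTABLES-REJECT: "

# gen_reject_rules NET [NET...]
# Prints two rules per network: the LOG rule (rate limited, so a flood cannot
# fill the disk) must come first, because REJECT ends traversal of the chain.
gen_reject_rules() {
    for net in "$@"; do
        printf -- '-A %s -s %s -m limit --limit 5 --limit-burst 10 -j LOG --log-level debug --log-prefix "%s" --log-ip-options --log-tcp-options\n' \
            "$CHAIN" "$net" "$PREFIX"
        printf -- '-A %s -s %s -j REJECT\n' "$CHAIN" "$net"
    done
}

# count_rejects < kernel-log
# Keeps only lines carrying our prefix, extracts the SRC= field and prints
# "source count" lines, busiest source first.
count_rejects() {
    grep -F "$PREFIX" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $2, $1}'
}

# Constructed sample in the format the LOG target writes via kern.*; the last
# line lacks the prefix and must be ignored by count_rejects.
SAMPLE_LOG='Jan  1 00:00:01 host kernel: IPTABLES-REJECT: IN=eth0 OUT= SRC=61.78.1.2 DST=10.0.0.5 PROTO=TCP DPT=25
Jan  1 00:00:02 host kernel: IPTABLES-REJECT: IN=eth0 OUT= SRC=61.79.9.9 DST=10.0.0.5 PROTO=TCP DPT=25
Jan  1 00:00:03 host kernel: IPTABLES-REJECT: IN=eth0 OUT= SRC=61.78.1.2 DST=10.0.0.5 PROTO=TCP DPT=25
Jan  1 00:00:04 host kernel: unrelated message SRC=192.0.2.1'

if [ "${1:-}" = "--demo" ]; then
    gen_reject_rules 61.78.0.0/16 61.79.0.0/16
    printf '%s\n' "$SAMPLE_LOG" | count_rejects
fi
```

Run with `--demo` to print the four rules and the per-source counts; the rule text can be pasted into an iptables-restore file under the chain already present.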