On Thursday 08 December 2005 11:04 pm, Amadeus W. M. wrote:
snip
> Suppose you have some rule that you want to log, say
>
> /sbin/iptables -A INPUT ... -j DROP
>
> Then you create a rule identical to the one above, except that you
> replace the target -j DROP with -j LOG --log-prefix "SOMETHING TO GREP
> FOR".
>
> So not only do you log, but you specify some string as well, specific to
> that rule, that you could easily grep for in /var/log/messages.
>
> For instance, to log all NEW tcp packets on the privileged (low numbered)
> ports, you would do this:
>
> /sbin/iptables -A INPUT -p tcp -m tcp --dport 0:1023 -m state --state NEW
> -j LOG --log-prefix "LOW PORT TCP CONNECTION: "
>
> Here you probably don't want to have a matching -j DROP rule, because you
> may want to allow mail, http, etc.
>
> Be careful what you log though, because it may fill up your log files. For
> instance, you don't want to log an entire ftp transfer, usually the first
> packet (--state NEW) will do.

You could get really creative and modify syslog.conf and set it up with a
log file like /var/log/iptables for firewall logging.

-- 
Some people have convictions. Some people have opinions
I think I'll have a cheeseburger!
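The following is an added example, not code from either poster in the thread. It does two things the messages above describe: it builds the LOG/DROP rule pair (LOG first, since LOG is non-terminating and DROP ends rule traversal, and the LOG target's --log-prefix is limited to 29 characters), and it parses the kernel log lines a -j LOG rule produces so you can do something more useful than grep, such as finding one source that hit several low ports. The log lines below are constructed samples in the classic syslog "MMM DD hh:mm:ss host kernel:" format; the host name "gw", the addresses and the "TELNET DROP: " prefix are assumptions. Whether those lines live in /var/log/messages or a syslog.conf-routed /var/log/iptables makes no difference to the parser.

```python
import re
from collections import defaultdict

# Prefix exactly as given to --log-prefix in the quoted rule (trailing space included).
PREFIX = "LOW PORT TCP CONNECTION: "

# Constructed sample syslog lines (not real captures). Four carry our prefix,
# two are unrelated noise that a parser must skip.
SAMPLE_LOG = """\
Dec  8 23:04:12 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:16:3e:aa:bb:cc:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  8 23:04:13 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:16:3e:aa:bb:cc:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4712 DF PROTO=TCP SPT=40124 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  8 23:04:14 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:16:3e:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  8 23:04:15 gw kernel: eth0: link is up
Dec  8 23:04:16 gw kernel: LOW PORT TCP CONNECTION: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:16:3e:aa:bb:cc:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4713 DF PROTO=TCP SPT=40125 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  8 23:05:00 gw sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 40123 ssh2
"""

# Classic syslog line with an optional "[ 1234.567890]" kernel timestamp after "kernel:".
KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?P<rest>.*)$"
)

# The LOG target truncates/rejects prefixes longer than this (iptables man page).
MAX_LOG_PREFIX = 29


def log_then_drop(chain, match_args, prefix, rate_limit=None):
    """Return two iptables argv lists: the LOG rule, then the identical DROP rule.

    match_args is the shared match part, e.g. ["-p", "tcp", "--dport", "23"].
    rate_limit (e.g. "5/min") adds '-m limit' to the LOG rule only, so the
    DROP still applies to every packet while the log cannot be flooded.
    """
    if len(prefix) > MAX_LOG_PREFIX:
        raise ValueError("--log-prefix must be at most %d characters" % MAX_LOG_PREFIX)
    base = ["/sbin/iptables", "-A", chain] + list(match_args)
    log_rule = list(base)
    if rate_limit:
        log_rule += ["-m", "limit", "--limit", rate_limit]
    log_rule += ["-j", "LOG", "--log-prefix", prefix]
    drop_rule = base + ["-j", "DROP"]
    return [log_rule, drop_rule]


def parse_log_line(line, prefix):
    """Parse one kernel LOG line carrying `prefix` into a dict; None if it does not match."""
    m = KERNEL_RE.match(line)
    if not m or not m.group("rest").startswith(prefix):
        return None
    fields, flags = {"ts": m.group("ts"), "host": m.group("host")}, set()
    for tok in m.group("rest")[len(prefix):].split():
        if "=" in tok:                      # KEY=VALUE (VALUE may be empty, e.g. OUT=)
            key, value = tok.split("=", 1)
            fields[key] = value
        else:                               # bare flags such as DF, SYN, ACK
            flags.add(tok)
    fields["flags"] = flags
    return fields


def parse_log(text, prefix):
    """All records in `text` that carry `prefix`, in order."""
    return [r for r in (parse_log_line(l, prefix) for l in text.splitlines()) if r]


def ports_per_source(records):
    """Map SRC address -> set of TCP destination ports it was logged hitting."""
    hits = defaultdict(set)
    for r in records:
        if r.get("PROTO") == "TCP" and "DPT" in r:
            hits[r["SRC"]].add(int(r["DPT"]))
    return dict(hits)


def likely_scanners(records, min_ports=3):
    """Sources that touched at least `min_ports` distinct low ports (crude scan heuristic)."""
    return sorted(src for src, ports in ports_per_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    for rule in log_then_drop("INPUT", ["-p", "tcp", "--dport", "23"], "TELNET DROP: ", "5/min"):
        print(" ".join(rule))
    recs = parse_log(SAMPLE_LOG, PREFIX)
    print(ports_per_source(recs))
    print("scanners:", likely_scanners(recs))
```

Run it as a script to see the two generated rules and the per-source port summary. The only state the parser keys on is the prefix string, so choose one per rule, keep it unique, and keep it under the 29-character limit or iptables will refuse the rule.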