On Debian and CentOS write detailed iptables logs to there own file.

Iptables default drop and log rules

After all incoming rules:

$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j LOG --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options -m limit --limit 5/s --limit-burst 10 --log-prefix "unsolicited "
$IPTABLES -A REJECTLOG -j DROP
# Reject all other incoming traffic:
$IPTABLES -A INPUT -j REJECTLOG

At end of all outgoing rules:

$IPTABLES -A OUTPUT -j LOG --log-prefix "bad outgoing " --log-uid --log-tcp-sequence --log-ip-options --log-tcp-options -m limit --limit 2/s --limit-burst 4
$IPTABLES -A OUTPUT -j DROP

Iptables and syslogd

On Debian by default rsyslog will write the logs from these iptables rules to the following locations:

  • Incoming drops will be logged to /var/log/debug</li>
  • Outgoing drops to /var/log/messages.</li>

The section in rsyslog.conf that deals with this:

# Some "catch-all" log files.
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug

*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages

On CentOS I had to add a line in the rsyslog.conf for debug level messages to even be written anywhere:

*.=debug -/var/log/debug
Move noisy iptables drops elsewhere

I like to log all unsolicited traffic to one place, rsyslog (default syslog on CentOS and Debian) will let us filter alerts like this. Having iptables fill up my system logs is not too useful!

Create /etc/rsyslog.d/iptables.conf and put this in it:

:msg, startswith, "unsolicited" -/var/log/iptables.log
& ~

Restart the rsyslog daemon.

The first line means send all messages that start with “unsolicited” to /var/log/iptables.log. The next line (the: & ~) will discard anything not matched on the previous line. If this does not work for you try using “contains” instead of “startswith” - I have found it to be different on the CentOS and Debian systems I was using.

Log rotate

Add the new iptables log to be managed by log rotate by putting this in /etc/logrotate.conf

/var/log/iptables.log {
  weekly
  create 0660 root root
  rotate 6
  size 2048k
  rotate 1
}

programs to complement this

  • Psad (port scan attack detector) offers more logging, lookups on attackers and responding: http://cipherdyne.org/psad/
  • fwlogwatch is a useful packet filter / firewall / IDS log analyzer. Can build nice html summary’s: http://fwlogwatch.inside-security.de/
  • A port knocking program like knockknock: http://www.thoughtcrime.org/software/knockknock/