iptables how to log ALL dropped incoming packets

A lot of people just have a -j DROP to drop all unwanted traffic or traffic not explicitly allowed but there is a better solution if you want real and proper logging:

Take an example iptables rules file

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -j LOG --log-prefix  "ipt denied: " --log-level 4
-A LOGGING -j DROP


Add the above in bold below your last allowed incoming traffic rule and all dropped packets can be seen in dmesg or /var/log/messages

  1. We create a new chain called "LOGGING"  -N LOGGING
  2. We are then passing all of our packets to that chain. -A INPUT -j LOGGING
  3. Log all packets that are about to dropped with prefix "ipt denied:" (of course change it how you like) -A LOGGING -j LOG --log-prefix  "ipt denied: " --log-level 4
  4. Drop all packets in the LOGGING Chain -A LOGGING -j DROP

So in essence we change the -j DROP to the 4 lines in bold so that we have logging.

 

Checking dmesg or /var/log/messages should show similar to the following:

 

ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=246 ID=45694 PROTO=TCP SPT=43848 DPT=54270 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=45.227.254.18 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=245 ID=4350 PROTO=TCP SPT=56638 DPT=30450 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=176.119.7.50 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=52004 PROTO=TCP SPT=54661 DPT=9153 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=109.248.9.116 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=49390 PROTO=TCP SPT=42898 DPT=37318 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=77.72.85.26 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=40508 PROTO=TCP SPT=49454 DPT=3978 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=115.74.194.77 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=10246 PROTO=TCP SPT=13207 DPT=23 WINDOW=24567 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=176.119.7.10 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=36884 PROTO=TCP SPT=51349 DPT=3992 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=87.27.61.197 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=44567 DF PROTO=TCP SPT=48364 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=11928 PROTO=TCP SPT=8080 DPT=1013 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=61268 PROTO=TCP SPT=8080 DPT=3303 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.18 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=17889 PROTO=TCP SPT=42264 DPT=7129 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=247 ID=64437 PROTO=TCP SPT=43848 DPT=58247 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=220.133.67.9 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=64397 DF PROTO=TCP SPT=27852 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=101.255.58.22 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=4583 DF PROTO=TCP SPT=53537 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

 

How can I log the messages to a separate file eg. /var/log/iptables.log or /var/log/iptables-dropped.log?

The file name below can be arbitrary but it should have meaning to you.

Note that I am searching for the string "ipt denied: " this depends on what you have set as your log prefix in the example above.

vi /etc/rsyslog.d/10-iptables.conf

:msg, contains, "ipt denied: " -/var/log/iptables.log
& ~


#note we need the "& ~" below the first line otherwise it will still send the log to where ever it would have been (eg. often /var/log/messages).
#the & ~ means to delete



service rsyslog restart

 

You should now notice that /var/log/messages has nothing for iptables and that you have /var/log/iptables.log


Tags:

iptables, incoming, packetsa, unwanted, explicitly, logging, input, established, eth, icmp, prefix, quot, ipt, bold, packets, dmesg, var, essence, src, dst, len, tos, prec, ttl, proto, tcp, spt, dpt, res, syn, urgp, df,

Latest Articles

  • iptables NAT how to enable PPTP in newer Debian/Ubuntu/Mint Kernels Linux
  • Grandstream Phone Vulnerability Security Issue Remote Backdoor Connection to 207.246.119.209:3478
  • Linux How to Check Which NIC is Onboard eth0 or eth1 Ubuntu Centos Debian Mint
  • VboxManage VirtualBox NAT Network Issues Managment Troubleshooting
  • Dell PowerEdge Server iDRAC Remote KVM/IP Default Username, Password Reset and Login Information Solution
  • Nvidia Tesla GPUs K40/K80/M40/P40/P100/V100 at home/desktop hacking, cooling, powering, cable solutions Tutorial AIO Solutions
  • Stop ls in Linux Debian Mint CentOS Ubuntu from applying quotes around filenames and directory names
  • Thunderbird Attachment Download Error Corrupt Wrong filesize of 29 or 27 bytes Solution
  • Generic IP Camera LAN Default IP Settings DVR
  • Ubuntu Debian Mint Linux How To Update Initramfs Manually update-initramfs
  • Enable Turbo Mode for CPU Ubuntu Linux Mint Debian Redhat
  • docker / kubernetes breaks Proxmox QEMU KVM Bridge VMs
  • How To Change Storage Location in Docker.io
  • RTL8812BU and RTL8822BU Linux Driver Ubuntu Setup Archer T3U Plus
  • Kazam video blank/high size and not working when recording solution
  • Cisco UC CME How To Enable Licensed Features
  • from pip._internal.cli.main import main File "/usr/local/lib/python3.5/dist-packages/pip/_internal/cli/main.py", line 60 sys.stderr.write(f"ERROR: {exc}") from pip._internal.cli.main import main File "/usr/local/lib/python3.5/dist-packag
  • ModuleNotFoundError: No module named 'pip._internal' solution python
  • grub blank screen how to manually boot kernel and initrd Linux Ubuntu Debian Centos won't boot solution
  • Cisco Switch / Router How To Restore Factory Default Settings