iptables how to log ALL dropped incoming packets

A lot of people just have a -j DROP to drop all unwanted traffic or traffic not explicitly allowed but there is a better solution if you want real and proper logging:

Take an example iptables rules file

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -j LOG --log-prefix  "ipt denied: " --log-level 4
-A LOGGING -j DROP


Add the above in bold below your last allowed incoming traffic rule and all dropped packets can be seen in dmesg or /var/log/messages

  1. We create a new chain called "LOGGING"  -N LOGGING
  2. We are then passing all of our packets to that chain. -A INPUT -j LOGGING
  3. Log all packets that are about to dropped with prefix "ipt denied:" (of course change it how you like) -A LOGGING -j LOG --log-prefix  "ipt denied: " --log-level 4
  4. Drop all packets in the LOGGING Chain -A LOGGING -j DROP

So in essence we change the -j DROP to the 4 lines in bold so that we have logging.

 

Checking dmesg or /var/log/messages should show similar to the following:

 

ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=246 ID=45694 PROTO=TCP SPT=43848 DPT=54270 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=45.227.254.18 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=245 ID=4350 PROTO=TCP SPT=56638 DPT=30450 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=176.119.7.50 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=52004 PROTO=TCP SPT=54661 DPT=9153 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=109.248.9.116 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=49390 PROTO=TCP SPT=42898 DPT=37318 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=77.72.85.26 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=40508 PROTO=TCP SPT=49454 DPT=3978 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=115.74.194.77 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=10246 PROTO=TCP SPT=13207 DPT=23 WINDOW=24567 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=176.119.7.10 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=36884 PROTO=TCP SPT=51349 DPT=3992 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=87.27.61.197 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=44567 DF PROTO=TCP SPT=48364 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=11928 PROTO=TCP SPT=8080 DPT=1013 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=61268 PROTO=TCP SPT=8080 DPT=3303 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.18 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=17889 PROTO=TCP SPT=42264 DPT=7129 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=247 ID=64437 PROTO=TCP SPT=43848 DPT=58247 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=220.133.67.9 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=64397 DF PROTO=TCP SPT=27852 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=101.255.58.22 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=4583 DF PROTO=TCP SPT=53537 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

 

How can I log the messages to a separate file eg. /var/log/iptables.log or /var/log/iptables-dropped.log?

The file name below can be arbitrary but it should have meaning to you.

Note that I am searching for the string "ipt denied: " this depends on what you have set as your log prefix in the example above.

vi /etc/rsyslog.d/10-iptables.conf

:msg, contains, "ipt denied: " -/var/log/iptables.log
& ~


#note we need the "& ~" below the first line otherwise it will still send the log to where ever it would have been (eg. often /var/log/messages).
#the & ~ means to delete



service rsyslog restart

 

You should now notice that /var/log/messages has nothing for iptables and that you have /var/log/iptables.log


Tags:

iptables, incoming, packetsa, unwanted, explicitly, logging, input, established, eth, icmp, prefix, quot, ipt, bold, packets, dmesg, var, essence, src, dst, len, tos, prec, ttl, proto, tcp, spt, dpt, res, syn, urgp, df,

Latest Articles

  • vi cannot copy and paste automatic visual mode solution
  • python3 error Ubuntu Linux error solution SyntaxError: invalid syntax line 12 pip{sys.version_info.major}
  • Could not read response to hello message from hook [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true: Connection reset by peer
  • -bash: expr: command not found Linux Debian Mint Ubuntu
  • How to remove metadata from pdf on Linux Ubuntu
  • How to install and configure haproxy on Linux Ubuntu Debian
  • Linux Ubuntu Mint Gnome keyboard Typing not working in certain application or window solution
  • talib/_ta_lib.c:747:10: fatal error: ta-lib/ta_defs.h: No such file or directory
  • How to install Windows or other OS and then bring to another computer by using a physical drive and Virtual Machine with QEMU
  • PXE-E23 Error BOOTx64.EFI GRUB booting is 0 bytes tftp pxe dhcp solution NBP filesize is 0 Bytes
  • vagrant install on Debian Mint Ubuntu Linux RHEL Quick Setup Guide Tutorial
  • RHEL 8 CentOS 8, Alma Linux 8, Rocky Linux 8 System Not Booting with RAID or on other servers/computers Solution for dracut and initramfs missing kernel modules
  • How to Upgrade to Debian 11 from Version 8,9,10
  • Ubuntu Linux Mint Debian Redhat Cannot View Files on Android iPhone USB File Transfer Not Working Solution
  • Virtualbox Best Networking Mode In Lab/Work Environment without using NAT Network or Bridged
  • debootstrap how to install Ubuntu, Mint, Debian install
  • Linux grub not using UUID for the root device instead it uses /dev/sda1 or other device name solution
  • How To Restore Partition Table on Running Linux Mint Ubuntu Debian Machine
  • Debian Ubuntu apt install stop daemon questions/accept the default action without prompting
  • iptables NAT how to enable PPTP in newer Debian/Ubuntu/Mint Kernels Linux