Many people simply end their ruleset with a -j DROP to discard all unwanted traffic, i.e. anything not explicitly allowed. If you want real, usable logging of what was dropped, there is a better way:
Here is another, more advanced iptables example.
Take the following excerpt of an iptables rules file (iptables-restore format). In it eth1 is treated as a trusted interface: the rule accepting all of eth1 makes the separate icmp rule for eth1 redundant, and it means that only traffic arriving on other interfaces (eth0 in the log output further down) ever reaches the logging chain:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -j LOG --log-prefix "ipt denied: " --log-level 4
-A LOGGING -j DROP
The four lines below (the LOGGING chain) go after your last rule that accepts incoming traffic, in place of the usual final -j DROP. Every packet that falls through to them is logged and can then be seen in dmesg or /var/log/messages:
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -j LOG --log-prefix "ipt denied: " --log-level 4
-A LOGGING -j DROP
So in essence the final -j DROP is replaced by those four lines: a dedicated LOGGING chain in which the LOG target records the packet headers and the DROP that follows discards the packet. The order matters, because LOG is a non-terminating target: it writes the log line and lets the packet continue to the next rule, so without the DROP after it the packet would fall through to the chain policy. --log-level 4 is syslog priority "warning". One caveat before using this on an Internet-facing host: every unwanted packet now produces a kernel log line, so a port scan or a flood can fill the log very quickly; iptables' limit match (-m limit) on the LOG rule is the usual way to cap the rate at which lines are written.
Checking dmesg or /var/log/messages should then show lines similar to the following:
ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=246 ID=45694 PROTO=TCP SPT=43848 DPT=54270 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=45.227.254.18 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=245 ID=4350 PROTO=TCP SPT=56638 DPT=30450 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=176.119.7.50 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=52004 PROTO=TCP SPT=54661 DPT=9153 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=109.248.9.116 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=49390 PROTO=TCP SPT=42898 DPT=37318 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=77.72.85.26 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=40508 PROTO=TCP SPT=49454 DPT=3978 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=115.74.194.77 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=10246 PROTO=TCP SPT=13207 DPT=23 WINDOW=24567 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=176.119.7.10 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=36884 PROTO=TCP SPT=51349 DPT=3992 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=87.27.61.197 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=44567 DF PROTO=TCP SPT=48364 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=11928 PROTO=TCP SPT=8080 DPT=1013 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=61268 PROTO=TCP SPT=8080 DPT=3303 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.18 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=17889 PROTO=TCP SPT=42264 DPT=7129 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=247 ID=64437 PROTO=TCP SPT=43848 DPT=58247 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=220.133.67.9 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=64397 DF PROTO=TCP SPT=27852 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=101.255.58.22 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=4583 DF PROTO=TCP SPT=53537 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
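Once the lines above are being written, the next question is what to do with them. The script below is an added example and not part of the original post: it parses the KEY=VALUE fields of "ipt denied:" lines with awk and summarises them per source address, per protocol/destination port, and flags sources that probed more than one port (a cheap port-scan indicator). The embedded sample is constructed from a subset of the lines shown above; on a real box you would pipe dmesg or /var/log/iptables.log into the same functions.

```shell
#!/bin/sh
# Added example: summarise "ipt denied:" lines produced by the LOGGING chain above.
# Works on dmesg output or on the rsyslog file; only the KEY=VALUE fields are parsed,
# so a leading timestamp or "kernel:" prefix does not matter.

# Constructed sample: a subset of the log lines shown on this page, not a captured file.
SAMPLE_LOG='ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=246 ID=45694 PROTO=TCP SPT=43848 DPT=54270 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=45.227.254.18 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=245 ID=4350 PROTO=TCP SPT=56638 DPT=30450 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=115.74.194.77 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=10246 PROTO=TCP SPT=13207 DPT=23 WINDOW=24567 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=87.27.61.197 DST=192.198.5.8 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=44567 DF PROTO=TCP SPT=48364 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=11928 PROTO=TCP SPT=8080 DPT=1013 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=185.255.31.38 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=61268 PROTO=TCP SPT=8080 DPT=3303 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=194.113.106.121 DST=192.198.5.8 LEN=40 TOS=0x08 PREC=0x20 TTL=247 ID=64437 PROTO=TCP SPT=43848 DPT=58247 WINDOW=1024 RES=0x00 SYN URGP=0
ipt denied: IN=eth0 OUT= MAC= SRC=10.10.10.10 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 PROTO=2
ipt denied: IN=eth0 OUT= MAC= SRC=220.133.67.9 DST=192.198.5.8 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=64397 DF PROTO=TCP SPT=27852 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0'

# Denied packets per source address, most frequent first (ties sorted by address).
# Usage: denied_by_src < /var/log/iptables.log
denied_by_src() {
    awk '/ipt denied: / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) c[substr($i, 5)]++
         }
         END { for (s in c) print c[s], s }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Denied packets per protocol/destination port, e.g. "TCP/23". Protocols without
# ports (IGMP shows up as PROTO=2 with no DPT field) are reported as "<proto>/-".
denied_by_dport() {
    awk '/ipt denied: / {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            key = proto "/" (dpt == "" ? "-" : dpt)
            c[key]++
         }
         END { for (k in c) print c[k], k }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Sources that hit more than $1 distinct destination ports (default 1): a crude
# port-scan indicator. Packets without a DPT field are ignored.
scanners() {
    threshold="${1:-1}"
    awk -v t="$threshold" '/ipt denied: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt != "" && !seen[src, dpt]++) ports[src]++
         }
         END { for (s in ports) if (ports[s] > t) print ports[s], s }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Run the three summaries over the embedded sample.
echo "== denied packets per source =="
printf '%s\n' "$SAMPLE_LOG" | denied_by_src
echo "== denied packets per protocol/destination port =="
printf '%s\n' "$SAMPLE_LOG" | denied_by_dport
echo "== sources probing more than one port =="
printf '%s\n' "$SAMPLE_LOG" | scanners 1
```

In the sample, telnet (TCP/23) is the most-hit port, the two IGMP queries to 224.0.0.1 from the local router are just noise you may want to exclude from logging with an explicit rule, and two sources touched more than one port. The same functions work on the live file, for example "denied_by_src < /var/log/iptables.log | head".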
How can I log the messages to a separate file, e.g. /var/log/iptables.log or /var/log/iptables-dropped.log?
The file name below is arbitrary, but it should mean something to you.
Note that the filter matches the string "ipt denied: "; this must be exactly what you set as --log-prefix in the rule above, including the trailing space.
vi /etc/rsyslog.d/10-iptables.conf
:msg, contains, "ipt denied: " -/var/log/iptables.log
& ~
#the "& ~" line is required below the first line: "&" applies a further action to the same matching messages
#and "~" discards them, otherwise rsyslog would still also write them wherever they would normally go (often /var/log/messages).
#on rsyslog 7 and later "~" is deprecated and "& stop" is the equivalent.
#the leading "-" on the file name is the traditional marker for not syncing the file after every write.
#the "10-" prefix keeps this file ahead of the default rules, which matters because rsyslog processes rules in order.
service rsyslog restart
You should now see that /var/log/messages no longer receives the iptables lines and that /var/log/iptables.log is being written. Remember to add the new file to your logrotate configuration, since nothing rotates it otherwise, and a busy host can generate a lot of these lines.
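The same filter written in rsyslog's newer RainerScript syntax (rsyslog 7 and later, where the legacy "~" discard action is deprecated), as an added example that is not part of the original post. The file name, path and log prefix are the same assumptions as above; the legacy lines are repeated in the comment so the two forms can be compared:

```conf
# /etc/rsyslog.d/10-iptables.conf  (rsyslog >= 7, RainerScript form)
# Legacy equivalent:
#   :msg, contains, "ipt denied: " -/var/log/iptables.log
#   & ~
if $msg contains "ipt denied: " then {
    action(type="omfile" file="/var/log/iptables.log")
    # stop: do not let the message fall through to the default rules (/var/log/messages or /var/log/syslog)
    stop
}
```

Before restarting rsyslog, "rsyslogd -N1" parses the configuration and reports syntax errors without touching the running daemon; a typo in this file would otherwise silently leave the iptables lines in /var/log/messages.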