
A way to make iptables write to its own log without duplicating into the system logs

This note describes setting up iptables logging in a separate file. Most guides offer two approaches, but unfortunately neither of them worked for me on Debian. More precisely, the entries were written to /var/log/iptables.log but continued to be duplicated in /var/log/messages and /var/log/syslog, which was very annoying and left the task half done. Having found a way to stop the messages being duplicated in the system logs, I decided to publish the result.

Getting started


Netfilter itself does not write logs at all. To make it do so you must add a rule with the LOG target; the kernel then prints each matching packet into the kernel log, which rsyslog picks up through its imklog module as facility kern, so the lines arrive tagged kernel:. Details can be found in the iptables tutorial.

As an example I will take a rule that logs pings and a rule that allows them:
 iptables -A INPUT -p ICMP --icmp-type 8 -j LOG --log-prefix "Ping detected: "
 iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

Now an event matching this rule is written to /var/log/messages and /var/log/syslog:
 kernel: [122972.300408] Ping detected: IN=eth0 OUT= MAC=00:64:d9:36:7b:d7:00:24:2d:a6:e2:43:08:91 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=124 ID=23020 PROTO=ICMP TYPE=8 CODE=0 ID=33602 SEQ=2462 

When the rules get many hits it becomes impossible to analyse the system messages, because the iptables entries flood the whole log file.

Configuration


To avoid this, give the LOG rules a prefix that rsyslog can match on, for example like this:
 iptables -A INPUT -p ICMP --icmp-type 8 -j LOG --log-prefix "Iptables: Ping detected: "
 iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

Then create the file /etc/rsyslog.d/iptables.conf containing these two lines (here written with echo):
 echo ':msg, contains, "Iptables: " -/var/log/iptables.log' > /etc/rsyslog.d/iptables.conf
 echo '& ~' >> /etc/rsyslog.d/iptables.conf

Options:
:msg, contains, "Iptables: " - a property-based filter: rsyslog checks whether the message text contains the string. It is a plain, case-sensitive substring match, so any other message that happens to contain "Iptables: " would be diverted as well; pick a prefix nothing else on the host uses.
& ~ - the & repeats the filter above and ~ discards the message, so no further rule processes it and it does not end up in the other log files. On rsyslog 7 and later ~ is deprecated and logs a warning at startup; write & stop instead, which does the same thing.
"Iptables: " is the same log-prefix from the rule - the criterion by which rsyslog decides to redirect the message to the desired file. The prefix could have been left as Ping detected: , but when there is more than one rule it is more convenient to have a common prefix for all of them, which is what was done here.
-/var/log/iptables.log - the log file itself. The leading - historically asked for buffered writes without a sync after every line; newer rsyslog versions do not sync by default, so the dash is accepted only for compatibility.
Order matters: files in /etc/rsyslog.d/ are included in name order, and the discard only helps if it runs before the rule that writes *.* to /var/log/syslog. Debian keeps that rule in /etc/rsyslog.conf after the include, so any file name works; on Ubuntu the default rules live in /etc/rsyslog.d/50-default.conf, so there the file has to be named something like 10-iptables.conf to sort first.
Restart the rsyslog daemon (rsyslogd -N1 validates the configuration first, without starting the daemon):
 /etc/init.d/rsyslog restart

Now the message in /var/log/iptables.log looks like this, and grepping for the prefix in /var/log/syslog should find nothing:
 kernel: [122972.300408] Iptables: Ping detected: IN=eth0 OUT= MAC=00:64:d9:36:7b:d7:00:24:2d:a6:e2:43:08:91 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=124 ID=23020 PROTO=ICMP TYPE=8 CODE=0 ID=33602 SEQ=2462 
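Once the entries are in their own file, the format shown above is easy to work with. The following is an added example written for this note, not code from the original article: a POSIX sh/awk parser for the LOG line format and a small summary built on top of it. The log lines it embeds are constructed for the example (documentation addresses, made-up MACs and IDs). One trap is visible in the line above: ID= appears twice, once for the IP header and once for the ICMP echo identifier, so a naive key=value split would silently keep the wrong one; the parser keeps the first occurrence.

```shell
#!/bin/sh
# Parser and summariser for iptables LOG lines as they land in /var/log/iptables.log.
# Added example for this note (not from the original article). Sample data is constructed.

# sample_iptables_log -> prints a few constructed log lines (TEST-NET addresses, made-up MACs/IDs)
sample_iptables_log() {
    cat <<'EOF'
Jun  1 10:00:01 host kernel: [122972.300408] Iptables: Ping detected: IN=eth0 OUT= MAC=00:64:d9:36:7b:d7:00:24:2d:a6:e2:43:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=124 ID=23020 PROTO=ICMP TYPE=8 CODE=0 ID=33602 SEQ=2462
Jun  1 10:00:02 host kernel: [122973.301000] Iptables: Ping detected: IN=eth0 OUT= MAC=00:64:d9:36:7b:d7:00:24:2d:a6:e2:43:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=124 ID=23021 PROTO=ICMP TYPE=8 CODE=0 ID=33602 SEQ=2463
Jun  1 10:00:03 host kernel: [122974.302000] Iptables: Ping detected: IN=eth0 OUT= MAC=00:64:d9:36:7b:d7:00:24:2d:a6:e2:43:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=124 ID=23022 PROTO=ICMP TYPE=8 CODE=0 ID=33602 SEQ=2464
Jun  1 10:00:04 host kernel: [122975.303000] Iptables: INPUT packet died: IN=eth0 OUT= MAC=00:64:d9:36:7b:d7:00:24:2d:a6:e2:43:08:00 SRC=192.0.2.9 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 10:00:05 host sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 51235 ssh2
EOF
}

# iptables_log_parse FILE -> one tab-separated record per LOG line:
#   prefix  SRC  DST  PROTO  DPT  ID   (empty when the field is absent, e.g. DPT for ICMP)
iptables_log_parse() {
    awk -v OFS='\t' '
    {
        i = index($0, "Iptables: ")
        if (i == 0) next                      # not one of our LOG lines (e.g. the sshd entry)
        rest = substr($0, i + 10)             # 10 = length("Iptables: ")
        n = split(rest, tok, " ")
        split("", kv); prefix = ""; nkeys = 0
        for (j = 1; j <= n; j++) {
            if (match(tok[j], /^[A-Z]+=/)) {
                key = substr(tok[j], 1, RLENGTH - 1)
                val = substr(tok[j], RLENGTH + 1)
                # First occurrence wins: the IP-header ID= precedes the ICMP ID=.
                if (!(key in kv)) { kv[key] = val; nkeys++ }
            } else if (nkeys == 0) {
                # Words before the first key=value token are the --log-prefix.
                prefix = prefix (prefix == "" ? "" : " ") tok[j]
            }
            # Bare flags after the fields (DF, SYN, ...) are ignored.
        }
        sub(/:$/, "", prefix)
        print prefix, kv["SRC"], kv["DST"], kv["PROTO"], kv["DPT"], kv["ID"]
    }' "$1"
}

# iptables_log_summary FILE -> "count<TAB>prefix<TAB>PROTO<TAB>SRC -> DST[:DPT]", busiest first
iptables_log_summary() {
    iptables_log_parse "$1" |
    awk -F'\t' -v OFS='\t' '{ dst = $3; if ($5 != "") dst = dst ":" $5; print $1, $4, $2 " -> " dst }' |
    sort | uniq -c | sort -rn |
    awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c "\t" $0 }'
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
sample_iptables_log > "$tmp"
iptables_log_summary "$tmp"
rm -f "$tmp"
```

Run it against the real file with iptables_log_summary /var/log/iptables.log; the per-line records from iptables_log_parse are the right input for anything further (top talkers per prefix, feeding a ticket, comparing against an allow list). The parser keys on the "Iptables: " prefix chosen above, so change that string if you used a different one.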

Finally, iptables writes to its own log without touching the system logs.
You can go further by creating LOG rules for different events and sending each event to its own file. The two "packet died" rules are meant to be the last rules in their chains, so they only see packets that nothing else accepted (which a DROP policy then discards), and -m limit keeps a flood from filling the log. For example:
 # Log packets that connection tracking classes as INVALID:
 iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Iptables: Invalid packet: "
 # Log packets that reach the end of INPUT, at most 3 per minute (burst of 3):
 iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "Iptables: INPUT packet died: "
 # The same for packets that reach the end of FORWARD:
 iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "Iptables: FORWARD packet died: "

Create an rsyslog rule for each file. Remove the common /etc/rsyslog.d/iptables.conf from the previous section first: /etc/rsyslog.d/*.conf is included in name order, iptables.conf sorts before iptables_*.conf, and its "Iptables: " filter would match and discard every message before the per-event files ever see it.
 echo ':msg, contains, "Iptables: Invalid packet" -/var/log/iptables_invalid.log' > /etc/rsyslog.d/iptables_invalid.conf
 echo '& ~' >> /etc/rsyslog.d/iptables_invalid.conf
 echo ':msg, contains, "Iptables: INPUT" -/var/log/iptables_input.log' > /etc/rsyslog.d/iptables_input.conf
 echo '& ~' >> /etc/rsyslog.d/iptables_input.conf
 echo ':msg, contains, "Iptables: FORWARD" -/var/log/iptables_forward.log' > /etc/rsyslog.d/iptables_forward.conf
 echo '& ~' >> /etc/rsyslog.d/iptables_forward.conf

Restart rsyslog:
 /etc/init.d/rsyslog restart 

With this configuration the iptables log is split into three parts, each written to its own file.
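Both variants, the single file and the per-event files, stand or fall on the order in which rsyslog reads the configuration files and on the discard running before the catch-all rule. The script below is an added example written for this note, not part of the original article and not rsyslog's own parser: a small dry-run simulator of the legacy-syntax subset used here (:msg, contains filters, & ~ or & stop, and a *.* catch-all) that walks a directory in sorted name order and prints where one message would land. The directory layouts it builds are made up; it is a teaching aid for the ordering rules, not a substitute for rsyslogd -N1.

```shell
#!/bin/sh
# Dry-run simulator for the subset of rsyslog's legacy configuration syntax used in this note.
# Added example for this note; it is NOT rsyslog's parser and handles only:
#   :msg, contains, "text"  -/var/log/file     property filter + file action
#   & ~    or   & stop                          discard (stop processing) if the filter above matched
#   *.* ...                 -/var/log/file     catch-all selector as in the Debian/Ubuntu default rules
# Everything else (comments, other selectors, RainerScript) is ignored.
LC_ALL=C; export LC_ALL          # bytewise name order, as for a daemon started without a locale

# last_field LINE -> the file named on a rule line, without the buffered-write '-' marker
last_field() {
    printf '%s\n' "$1" | awk '{ sub(/^-/, "", $NF); print $NF }'
}

# route_msg DIR MSG -> prints, in order, the files MSG would be written to by DIR/*.conf
route_msg() {
    dir=$1; msg=$2; matched=0
    for conf in "$dir"/*.conf; do                 # the $IncludeConfig glob: sorted by name
        [ -f "$conf" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) ;;
                ':msg, contains, "'*)
                    needle=${line#*\"}; needle=${needle%%\"*}
                    case $msg in
                        *"$needle"*) matched=1; last_field "$line" ;;
                        *)           matched=0 ;;
                    esac ;;
                '& ~'|'& stop')
                    # Discard applies only when the preceding filter matched;
                    # once discarded, later files never see the message.
                    if [ "$matched" -eq 1 ]; then return 0; fi ;;
                '*.*'*)
                    matched=1; last_field "$line" ;;
            esac
        done < "$conf"
    done
}

# Stand-alone demo: an Ubuntu-style layout where the default rules live in 50-default.conf
# (on Debian they sit in /etc/rsyslog.conf after the include, so any file name works there).
demo_dir=$(mktemp -d)
printf '%s\n' '*.*;auth,authpriv.none -/var/log/syslog' > "$demo_dir/50-default.conf"
printf '%s\n' ':msg, contains, "Iptables: " -/var/log/iptables.log' '& ~' > "$demo_dir/iptables.conf"
demo_msg='kernel: [1.0] Iptables: Ping detected: IN=eth0 SRC=203.0.113.7 DST=198.51.100.1'
echo "as iptables.conf:";    route_msg "$demo_dir" "$demo_msg"   # /var/log/syslog then /var/log/iptables.log: the duplication
mv "$demo_dir/iptables.conf" "$demo_dir/10-iptables.conf"
echo "as 10-iptables.conf:"; route_msg "$demo_dir" "$demo_msg"   # /var/log/iptables.log only
rm -r "$demo_dir"
```

Point route_msg at a copy of your own /etc/rsyslog.d/ to see which file a given "Iptables: ..." line would reach; the same walk shows why a leftover catch-all iptables.conf shadows iptables_input.conf (it sorts first and discards), and why the file needs a low-numbered name on Ubuntu.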

Iptables log rotation


You can set up rotation of the iptables logs by creating /etc/logrotate.d/iptables with the contents below. rsyslog keeps its output files open, so logrotate has to tell it to reopen them after the rename; without the postrotate step rsyslog keeps writing into the renamed (and, with compress, already deleted) file and new entries are lost until the next restart. The call is the same one Debian's own /etc/logrotate.d/rsyslog uses. For one common log:
 /var/log/iptables.log {
     daily
     rotate 30
     compress
     delaycompress
     missingok
     notifempty
     postrotate
         invoke-rc.d rsyslog rotate > /dev/null
     endscript
 }

or for the separate logs, in one stanza so that rsyslog is signalled once rather than three times:
 /var/log/iptables_invalid.log /var/log/iptables_input.log /var/log/iptables_forward.log {
     daily
     rotate 30
     compress
     delaycompress
     missingok
     notifempty
     sharedscripts
     postrotate
         invoke-rc.d rsyslog rotate > /dev/null
     endscript
 }

Where
daily - rotate daily
rotate 30 - keep the last 30 rotated files
compress - compress rotated files
delaycompress - compress on the next run rather than the one that renames the file, so a file rsyslog may still have open is never gzipped from under it
missingok - a missing file is not an error
notifempty - do not rotate empty files
sharedscripts - run the postrotate script once for all files in the stanza
postrotate - make rsyslog reopen its log files (on Debian 9 and later the packaged script for this is /usr/lib/rsyslog/rsyslog-rotate)
You can check the stanza with a dry run, then force a rotation of just these files to make sure it works:
 logrotate -d /etc/logrotate.d/iptables
 logrotate -f /etc/logrotate.d/iptables

This has been tested on Debian 7 and Debian 8. It should also work on any distribution that uses iptables and rsyslog, provided the filter file is included before the distribution's own catch-all rule for /var/log/syslog.

Source: https://habr.com/ru/post/259169/

