May 4, 2012
tom

Increasing `iptables` verbosity and determining the logging location on a CentOS-based server?

Question

Having an odd problem here with regards to pound reverse proxy no longer directing traffic properly on a CentOS based distro (ClearOS 6.2.x).

I believe that it’s an iptables issue or something else in that I see nothing to even indicate inbound traffic in my /var/log/messages or /var/log/system.

How can I increase iptables logging verbosity and verify what is going on with it (in terms of certainty as to where the logging data is being kept)?

Asked by ylluminate

Answer

Below are the general steps I’ve taken in the past to turn on iptables logging.

Modify Logging
- `sudo vi /etc/syslog.conf`
  - `kern.warning /var/log/iptables.log`
- `sudo /sbin/service syslog restart`
- `sudo vi /etc/logrotate.d/syslog`
  - If this file is already there, add `/var/log/iptables.log` to the first line
  - If the file is not there, add it:

```
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/iptables.log {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
```

Implement firewall rules
- `sudo vi /etc/sysconfig/iptables.script`
- `sudo chmod 700 /etc/sysconfig/iptables.script`
- `sudo /etc/sysconfig/iptables.script`

Within my iptables script, I have all of my generic allow rules at the top and then towards the bottom I have some specific logging rules. Below are a few examples.

```bash
# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "
# Log outbound traffic for anything not equal to private IP ranges (this is defined in some previous rules)
/sbin/iptables -A OUTPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Outbound Traffic: "
# Log traffic that doesn't hit a rule above (stuff that may be blocked in the future)
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Potentially Dropped Traffic: "
```

There are obviously a ton of things you can do with this. Here is a good link for some generic information.

Answered by Eric
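
An added example, not part of Eric's answer: a simplified model of classic `syslog.conf` selector matching that reports which files receive kernel messages at a given severity, so the `--log-level` on a LOG rule can be checked against the configured selectors. The function names and the sample configuration are constructed for illustration; the `*.info` catch-all line is an assumption about what a typical config contains.

```python
# Added example: simplified model of classic syslog.conf selector matching.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Constructed sample config: a typical catch-all line plus the answer's kern.warning line.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
kern.warning                                /var/log/iptables.log
"""

def selector_matches(selectors, facility, level):
    """True if a ';'-separated selector list accepts `facility` at numeric `level`."""
    accepted = set()
    for sel in selectors.split(";"):
        facs, _, prio = sel.strip().partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = ALIASES.get(prio.lstrip("="), prio.lstrip("="))
        if prio == "none":                  # "none" clears the facility
            levels, negate = set(range(8)), not negate
        elif prio == "*":
            levels = set(range(8))
        elif prio not in LEVELS:            # not a selector (e.g. an rsyslog $directive)
            continue
        elif exact:                         # "=warning": that severity only
            levels = {LEVELS.index(prio)}
        else:                               # "warning": warning and more severe (0..4)
            levels = set(range(LEVELS.index(prio) + 1))
        accepted = accepted - levels if negate else accepted | levels
    return level in accepted

def destinations(conf_text, facility, level):
    """List the actions (files) that receive `facility` messages at `level`."""
    found = []
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        if selector_matches(parts[0], facility, level):
            found.append(parts[1].lstrip("-"))   # leading "-" only disables sync
    return found

if __name__ == "__main__":
    for lvl in (4, 7):   # --log-level 4 (warning) as in the answer, and 7 (debug)
        print(lvl, destinations(SAMPLE_CONF, "kern", lvl))
```

With this sample, level 4 messages land in both `/var/log/messages` and `/var/log/iptables.log`, while a LOG rule set to level 7 matches no selector and is written nowhere.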
