Full Version: Iptables Not Logging
lussumo
I set up iptables on my server a day or so ago. I wrote (I think) a pretty decent script to set up my rules. I have it running, and I've even tried various tools to break into it without any success - the script is working as it should.

Except...

I've set up the script to log *everything*, but I can't find *anything* being logged in my /var/log files

I wasn't sure which file it would be logged in, so I searched them all and didn't find a single thing.

I am running Debian, and I just used apt-get to install iptables. Was there some other kind of setup I had to do in order to make it log properly?
Robert83
Hi,

CODE
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
# this should work (Hughesjr showed me this, and it logs everything that is
# dropped by the firewall in your /var/log/messages)
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# here you use drop-and-log-it NOT DROP
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# here you use drop-and-log-it NOT DROP
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A PREROUTING -t nat -p tcp -d ***.***.***.*** --dport 80 -j DNAT --to 192.168.100.2:80
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 217.26.69.17


I hope this helps you a little bit.

Sincerely
Robert B
lussumo
I don't know, robert.
I think the way I've set up my rules should work just fine and the real issue is that it's not logging into any files because of some other non-rules based issue. But why debate? Here's my ruleset...

CODE
#!/bin/sh
#
# Make this executable with
# chmod 700 iptables-rules
# execute with ./iptables-rules

# save typing & confusion with variables

IP_LOCAL=***.***.***.***   # (commented out for obvious reasons)
IPTABLES=/sbin/iptables
test -x $IPTABLES || exit 5

case "$1" in
start)
echo -n "Loading Packet Filters"

# SETUP -- stuff necessary for any bastion host

# Load kernel modules first
# modprobe ip_tables

# Flush active rules and custom tables
$IPTABLES --flush
$IPTABLES --delete-chain

# Set default deny policies for all three default chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Give free rein to the loopback interface, i.e. local
# processes may connect to other processes' listening ports.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Do some rudimentary anti-IP-spoofing drops.
# ie. Drop any source IP address which is impossible.
$IPTABLES -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
# RFC 1918 private ranges are 192.168.0.0/16 and 172.16.0.0/12; a /8 here
# would also drop traffic from legitimate public 192.x and 172.x addresses.
$IPTABLES -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP

# The following will NOT interfere with local inter-process traffic, whose
# packets have the source IP of the local loopback interface, eg 127.0.0.1
$IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s $IP_LOCAL -j DROP

# Tell netfilter that all TCP sessions do indeed begin with SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# The packet filtering policies

# INBOUND POLICY
# (applies to packets entering our network interface from the network, and addressed to this host)

# Accept inbound packets that are part of previously OK'd sessions
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# Accept inbound packets which initiate SSH sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW

# Accept inbound packets which initiate HTTP Sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW

# Accept inbound packets which initiate SMTP Sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 25 -m state --state NEW

# Accept inbound packets which initiate IMAP SSL (mail) Sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 993 -m state --state NEW

# Log and drop anything not accepted above
$IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"
$IPTABLES -A INPUT -j DROP

# OUTBOUND POLICY
# (applies to packets sent to the network interface (NOT loopback) from local processes)

# If it's part of an approved connection, let it out
$IPTABLES -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outbound DNS queries (eg. to resolve IPs in logs)
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

# Allow outbound http requests
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

# Allow outbound SMTP sessions (eg. to send mail)
$IPTABLES -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

# Log & drop anything not accepted above (if for no other reason, for troubleshooting)
$IPTABLES -A OUTPUT -j LOG --log-prefix "Dropped by default (OUTPUT):"
$IPTABLES -A OUTPUT -j DROP

# Log & drop ALL incoming packets destined anywhere but here.
# (We already set the default FORWARD policy to DROP. But this is yet another free, reassuring redundancy)
$IPTABLES -A FORWARD -j LOG --log-prefix "Attempted FORWARD? Dropped:"
$IPTABLES -A FORWARD -j DROP

;;

wide_open)
echo -n "DANGER!! Unloading Packet Filters!!"
$IPTABLES --flush
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
;;

lockout)
echo -n "Unloading all fw rules, leaving default drop policies"
$IPTABLES --flush
;;

status)
echo -n "Querying iptables status (via iptables --list)..."
$IPTABLES --line-numbers -v --list
;;

*)
echo "Usage: $0 {start|lockout|wide_open|status}"
exit 1
;;
esac
lussumo
I've just noticed that my kern.log is totally empty, too.
Is that normal?
Robert83
Hi,

what does

/etc/init.d/syslog status show?



Sincerely
Robert B
lussumo
I don't have a /etc/init.d/syslog file.
I've got /etc/init.d/sysklogd, but that doesn't have a status option.

It has {start|stop|reload|restart|force-reload|reload-or-restart}

I tried /etc/init.d/sysklogd restart, and it said:

Stopping system log daemon: syslogd.
Starting system log daemon: syslogd.

I assume that means it *was* running all along - if that is what you were getting at...

I did that about an hour ago, and there is still nothing logged for iptables and the kern.log is still empty.
hughesjr
debian sid, sarge, or woody?

you should have a file called /etc/syslog.conf. it should look similar to this:
CODE
#  /etc/syslog.conf     Configuration file for syslogd.
#
#                       For more information see syslog.conf(5)
#                       manpage.
                                                                                                                           
#
# First some standard logfiles.  Log by facility.
#
                                                                                                                           
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log
                                                                                                                           
#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
                                                                                                                           
# Logging for INN news system
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
                                                                                                                           
#
# Some `catch-all' logfiles.
#
*.=debug;\
       auth,authpriv.none;\
       news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
       auth,authpriv.none;\
       cron,daemon.none;\
       mail,news.none          -/var/log/messages
                                                                                                                           
#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *
                                                                                                                           
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8
                                                                                                                           
# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
       news.crit;news.err;news.notice;\
       *.=debug;*.=info;\
       *.=notice;*.=warn       |/dev/xconsole


This is from a Sarge install.
lussumo
Here's mine (it's debian woody)

CODE
#  /etc/syslog.conf    Configuration file for syslogd.
#
#      For more information see syslog.conf(5)
#      manpage.

#
# First some standard logfiles.  Log by facility.
#

auth,authpriv.*      /var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
#cron.*    /var/log/cron.log
daemon.*      -/var/log/daemon.log
kern.*    -/var/log/kern.log
lpr.*    -/var/log/lpr.log
mail.*    -/var/log/mail.log
user.*    -/var/log/user.log
uucp.*    /var/log/uucp.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info      -/var/log/mail.info
mail.warn      -/var/log/mail.warn
mail.err      /var/log/mail.err

# Logging for INN news system
#
news.crit      /var/log/news/news.crit
news.err      /var/log/news/news.err
news.notice      -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none    -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none  -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg    *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#    news.=crit;news.=err;news.=notice;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
    news.crit;news.err;news.notice;\
    *.=debug;*.=info;\
    *.=notice;*.=warn    |/dev/xconsole
hughesjr
With that setup, your IPTABLES logs should be in /var/log/kern.log (and also /var/log/messages) ... and your kernel log should not be blank.
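Working out by hand which files a kern.* message lands in is easy to get wrong, so here is an added example (not code from this thread) that reads a syslog.conf the way sysklogd does and lists every action a kernel message of a given priority reaches. It assumes the selector semantics of syslog.conf(5) for sysklogd and that `iptables -j LOG` without `--log-level` logs at warning (iptables' default); the embedded config is a constructed excerpt modelled on the Sarge file posted above.

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]  # least to most severe
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # spellings syslog.conf(5) also accepts

def _rules(conf_text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = conf_text.replace("\\\n", " ")
    return [ln for ln in joined.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def _priorities_for(selectors, facility):
    """Priorities of `facility` that a selector list catches, following sysklogd's rules:
    '=p' adds one level, 'p' adds p and above, '*' adds all, 'none' clears, a leading '!' subtracts."""
    allowed = set()
    for sel in filter(None, selectors.split(";")):
        facs, _, prio = sel.rpartition(".")
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue                                   # selector does not name our facility
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        if prio == "none":
            allowed.clear()
            continue
        if prio == "*":
            chosen = set(PRIORITIES)
        elif prio.startswith("="):
            chosen = {ALIASES.get(prio[1:], prio[1:])}
        else:
            chosen = set(PRIORITIES[PRIORITIES.index(ALIASES.get(prio, prio)):])
        allowed = allowed - chosen if negate else allowed | chosen
    return allowed

def destinations(conf_text, facility="kern", priority="warning"):
    """Actions (files, pipes, '*' = every logged-in user) that receive facility.priority."""
    out = []
    for line in _rules(conf_text):
        selectors, action = line.rsplit(None, 1)       # action is the last whitespace-separated field
        if priority in _priorities_for("".join(selectors.split()), facility):
            out.append(action.lstrip("-"))             # leading '-' only disables fsync after each write
    return out

# Constructed excerpt in the shape of the Debian Sarge syslog.conf quoted above
SAMPLE_CONF = r"""*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
*.=debug;auth,authpriv.none;news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
       auth,authpriv.none;\
       cron,daemon.none;mail,news.none          -/var/log/messages
*.emerg                         *
"""
```

This only answers where syslogd writes a kernel message once it has one; klogd must be running for iptables LOG output to reach syslogd at all, which no syslog.conf parser can tell you.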
lussumo
Yeah, I finally got it working with the help of some tech support ppl...

I had to restart /etc/init.d/klogd and it started logging just fine.