Logging all activity with iptables

Iptables, by default, has its filter rules in «Accept all» mode, that is, it lets every connection in and out of our PC. But what if we want to log all the information about the connections made to our servers or PCs?

Note: the procedure I am about to walk through is 100% valid on Debian and Debian-based distributions, so if you use Slackware, Fedora, CentOS or OpenSuSE the procedure may not be the same; we recommend reading up on and understanding your distribution's logging system before applying what is explained below. There is also the option of installing rsyslog on your distribution, if it is available in the repositories, although syslog is also covered at the end of this tutorial.

All good so far, but where are we going to log to? Easy: to the file «/var/log/firewall/iptables.log», which does not exist until we create it ourselves...

1- We must create the file «iptables.log» inside the folder «/var/log/firewall», which we also have to create, because it does not exist either.

mkdir -p /var/log/firewall/
touch /var/log/firewall/iptables.log

2- Permissions, very important ...

chmod 600 /var/log/firewall/iptables.log
chown root:adm /var/log/firewall/iptables.log

3- rsyslog, Debian's logging daemon, reads its configuration from «/etc/rsyslog.d», so we must create a file, which I will call «firewall.conf», from which rsyslog can work out what we want it to do.

touch /etc/rsyslog.d/firewall.conf

And inside it we gently drop the following content:

:msg, contains, "iptables:" -/var/log/firewall/iptables.log
& ~

Haven't the slightest idea what this pair of lines does?

The first line checks each logged message for the string «iptables: » and appends it to the file «/var/log/firewall/iptables.log».

The second one stops processing of the messages matched by the previous pattern, so that they are not also sent on to «/var/log/messages».

4- Rotating the log file, with logrotate.

We must create the file «firewall» inside «/etc/logrotate.d/», with the following content:

/var/log/firewall/iptables.log
{
rotate 7
daily
size 10M
dateext
missingok
create 600 root adm
notifempty
compress
delaycompress
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}

That is: rotate the logs 7 times before deleting them, once a day, with a maximum log size of 10MB, compressed, with a date suffix, without giving an error if the log does not exist, and re-created as root.

5- Restart the rsyslog daemon, like every happy ending xD:

/etc/init.d/rsyslog restart
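Steps 1 to 5 above as one idempotent script, added here as an example (it is not code from the original post). The PREFIX variable is an assumption of this example: leave it empty on a real Debian box (the script then needs root), or point it at a scratch directory to generate and inspect the files without touching /etc. The probe at the end relies on the fact that the rsyslog rule matches on message text, not on the kernel facility, so a plain logger line with the prefix must land in the file even before any iptables LOG rule exists.

```sh
#!/bin/sh
# Added example, not part of the original post. Reproduces steps 1-5 and
# adds the checks a practitioner runs before and after restarting rsyslog.
# PREFIX is an assumption of this example (empty = real system, needs root).
set -eu

PREFIX="${PREFIX:-}"

set_paths() {
    LOGDIR="$PREFIX/var/log/firewall"
    LOGFILE="$LOGDIR/iptables.log"
    RSYSLOG_CONF="$PREFIX/etc/rsyslog.d/firewall.conf"
    LOGROTATE_CONF="$PREFIX/etc/logrotate.d/firewall"
}
set_paths

# Steps 1 and 2: the log file, readable only by root, owned by root:adm.
create_logfile() {
    mkdir -p "$LOGDIR"
    [ -e "$LOGFILE" ] || : > "$LOGFILE"
    chmod 600 "$LOGFILE"
    # chown only works as root; on a dry run we skip it instead of failing.
    if [ "$(id -u)" -eq 0 ]; then chown root:adm "$LOGFILE"; fi
}

# Step 3: messages containing "iptables:" go to our file (the leading "-"
# means buffered writes), then "& ~" discards them so they do not also end
# up in /var/log/messages.
write_rsyslog_conf() {
    mkdir -p "$(dirname "$RSYSLOG_CONF")"
    cat > "$RSYSLOG_CONF" <<EOF
:msg, contains, "iptables:" -$LOGFILE
& ~
EOF
}

# Step 4: the logrotate stanza with the same options as the post.
write_logrotate_conf() {
    mkdir -p "$(dirname "$LOGROTATE_CONF")"
    cat > "$LOGROTATE_CONF" <<EOF
$LOGFILE
{
    rotate 7
    daily
    size 10M
    dateext
    missingok
    create 600 root adm
    notifempty
    compress
    delaycompress
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}
EOF
}

# Checks: the file mode must be exactly 600 and both config files must
# refer to the same log path (a typo here silently logs nowhere).
logfile_mode() { stat -c '%a' "$LOGFILE"; }
configs_agree() {
    grep -q -- "$LOGFILE" "$RSYSLOG_CONF" && grep -q -- "^$LOGFILE" "$LOGROTATE_CONF"
}

# Step 5 plus a functional probe: the rule matches on message text, so a
# user-level logger line with the prefix must show up in the file.
restart_and_probe() {
    invoke-rc.d rsyslog restart > /dev/null
    logger "iptables: rsyslog probe from $(hostname)"
    sleep 1
    grep -q "rsyslog probe" "$LOGFILE"
}

if [ "${1:-}" = "install" ]; then
    create_logfile
    write_rsyslog_conf
    write_logrotate_conf
    [ -n "$PREFIX" ] || restart_and_probe
fi
```

Run it as root with `sh setup-iptables-log.sh install` (the file name is just a suggestion), or with `PREFIX=/tmp/dryrun sh setup-iptables-log.sh install` to only generate the files. Two things worth knowing: the logger probe only proves the rsyslog variant, since the syslog.conf variant at the end of the post selects on kern.warning and a user-level message will not match it; and in logrotate the size directive decides on its own, so with both daily and size 10M the file is rotated whenever it exceeds 10M at the time logrotate runs, regardless of the day.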

How do we check that all of this is working?

Let's try with SSH.

Install OpenSSH (in case you don't have it installed...):

apt-get install openssh-server

Before continuing, we must run the following as root in a console:

iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "iptables: " --log-level 4

Executing this iptables statement will log enough information to show that what we did was not in vain. With this rule we tell iptables to log every connection attempt (SYN) that reaches it on port 22. To test with other services, just change the port number, e.g. 3306 for MySQL, to cite one example; if you want more information, read this very well documented tutorial, based on typical examples of the most commonly used configurations.

SSH uses port 22 by default, so we will test with it. With openssh installed, we connect to it:

ssh pepe@test-server

To see the logs, a tail solves the problem:

tail -f /var/log/firewall/iptables.log

In this example iptables logs everything: day, time, IP, MAC, etc., which makes it great for monitoring our servers. A little help that never hurts.
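Once lines are flowing into the file, the useful question is not "is it logging" but "who is knocking on port 22 the most". The following awk-based summary, added here as an example that is not part of the original post, answers that over the netfilter LOG line format. SAMPLE_LOG is constructed for the example: the host name test-server is the one from the post, the addresses are RFC 5737 documentation ranges and the MAC is an IANA documentation address, not real hosts.

```sh
#!/bin/sh
# Added example, not part of the original post: summarise the file filled
# by the LOG rule. SAMPLE_LOG is constructed data in the kernel's netfilter
# LOG line format (rsyslog legacy timestamp + "kernel:" + "iptables:" prefix).
set -eu

SAMPLE_LOG='Mar  3 10:15:02 test-server kernel: [12345.678901] iptables: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 test-server kernel: [12346.100000] iptables: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 test-server kernel: [12347.200000] iptables: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:10 test-server kernel: [12413.300000] iptables: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:11 test-server kernel: [12414.400000] iptables: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=40002 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:16:12 test-server kernel: [12415.500000] iptables: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0'

# Count SYN packets to one destination port per source address, busiest
# first. Every KEY=VALUE token is scanned, so field positions do not matter
# (the MAC= token is absent on some interfaces, which would shift them).
syn_count_by_src() {  # usage: syn_count_by_src DPORT < logfile
    awk -v port="$1" '
        /iptables: / {
            src = ""; dpt = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i == "SYN") syn = 1
            }
            if (syn && dpt == port) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Sources above a threshold: the "is someone hammering SSH" check.
sources_over() {  # usage: sources_over DPORT THRESHOLD < logfile
    syn_count_by_src "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

demo() {
    echo "SYN attempts to port 22 by source:"
    printf '%s\n' "$SAMPLE_LOG" | syn_count_by_src 22
    echo "sources with more than 2 attempts:"
    printf '%s\n' "$SAMPLE_LOG" | sources_over 22 2
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On a real box replace the constructed input with `syn_count_by_src 22 < /var/log/firewall/iptables.log`; the ACK line and the DPT=3306 line in the sample are there to show that the count only includes new connection attempts to the port asked for, which is exactly what the --syn rule from the post writes.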

Now, in case you use another distro: as I said at the beginning, rsyslog or something similar is generally used. If your distro uses syslog, to do the same exercise we must slightly edit syslog.conf:

nano /etc/syslog.conf

Add and save the following line (log level 4 in the iptables rule above is «warning», which is what kern.warning selects):

kern.warning /var/log/firewall/iptables.log

And then, you know, the happy ending:

/etc/init.d/sysklogd restart

Result: the same.

That's it for now, in future posts, we'll keep playing with iptables.

References:

Force iptables to log to a different file

Log iptables to a separate file with rsyslog

Iptables configuration tutorial on Fedora / RHEL systems



  1.   FerreryGuardia said

    Great this «mini-manual» for BOFH that you are doing little by little

  2.   koratsuki said

    Thanks, little by little I will give details and data about iptables, which I had to learn for my work, which we sometimes need and which are very poorly explained on the Internet, all by the user... xD

    1.    KZKG ^ Gaara said

      I take this opportunity to welcome you as a member 😀
      You really have A LOT to contribute, you have really advanced knowledge of networks, systems, firewalls etc, so I will be (I am) one of the many readers you will have hahaha.

      Greetings and well ... you know, whatever it takes 😀

    2.    isar said

      I look forward to those items ^^

  3.   Hugo said

    Come on Koratsuki, I didn't know you frequented this blog.

    By the way, another variant of logging firewall activity is using the ulogd package, which is made by the netfilter project people to make it easier to separate this kind of traces (it allows saving them in different ways). It's the approach I usually use. Using it is easy, for example:

    iptables -A INPUT -p udp -m multiport ! --ports 53,67:68 -m state --state NEW -j ULOG --ulog-prefix "Solicitud UDP dudosa"

  4.   koratsuki said

    I will have to give an F5 to the post, the way ulogd works suits me, it even does MySQL-type logs :D.

  5.   msx said

    Good post, keep it up.

  6.   chinoloco said

    Hello boss, how's it going?
    Could you give me a hand?
    Since I can't get the tutorial to work, and it is clearer than water, I don't know where I am going wrong