Enabling logging in iptables is helpful for monitoring traffic coming to our server; it also lets us count the number of hits from any given IP. This article will help you enable logging in iptables for all packets filtered by iptables.
Enable Iptables LOG
We can simply use the following command to enable logging in iptables.
iptables -A INPUT -j LOG
We can also define the source IP or range for which logs will be created.
iptables -A INPUT -s 192.168.10.0/24 -j LOG
To define the level of the LOG generated by iptables, use --log-level followed by the level number.
iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4
We can also add a prefix to the generated logs, so it will be easy to search for them in a huge file.
iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'
View Iptables LOG
After enabling iptables logs, check the following log files to view the logs generated by iptables, depending on your operating system.
On Ubuntu and Debian
iptables logs are generated by the kernel, so check the following kernel log file.
tail -f /var/log/kern.log
On CentOS/RHEL and Fedora
cat /var/log/messages
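To turn those log lines into the per-IP hit count mentioned at the top of the article, here is an added Python example (not from the original post) that parses constructed kern.log lines carrying the '** SUSPECT **' prefix and reports packets per source IP and the destination ports each one hit.

```python
import re
from collections import Counter

# Constructed sample kern.log lines (not captured from a real host). The
# article's prefix '** SUSPECT **' runs straight into IN= because the LOG
# target does not add a space after --log-prefix; put a trailing space in the
# prefix if you want the fields separated.
SAMPLE_LOG = """\
Jun 12 10:15:01 host kernel: [12345.678] ** SUSPECT **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:15:02 host kernel: [12346.001] ** SUSPECT **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:15:03 host kernel: [12347.250] ** SUSPECT **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.77 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=5353 DPT=53 LEN=32
Jun 12 10:15:04 host sshd[1234]: Accepted publickey for alice from 192.168.10.9
"""

# The netfilter key=value fields we care about; other fields are ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_log_line(line, prefix="** SUSPECT **"):
    """Return a dict of the interesting netfilter fields, or None when the
    line is not an iptables LOG entry carrying our prefix."""
    if "kernel:" not in line or prefix not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:  # kernel line with the prefix but no packet fields
        return None
    return fields

def hits_per_source(text, prefix="** SUSPECT **"):
    """Count logged packets by source IP (the 'hits from any IP' use case)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_log_line(line, prefix)
        if entry:
            counts[entry["SRC"]] += 1
    return counts

def ports_per_source(text, prefix="** SUSPECT **"):
    """Map each source IP to the sorted list of (PROTO, DPT) pairs it reached."""
    targets = {}
    for line in text.splitlines():
        entry = parse_log_line(line, prefix)
        if entry and "DPT" in entry:
            targets.setdefault(entry["SRC"], set()).add((entry["PROTO"], int(entry["DPT"])))
    return {src: sorted(pairs) for src, pairs in targets.items()}

if __name__ == "__main__":
    ports = ports_per_source(SAMPLE_LOG)
    for src, n in hits_per_source(SAMPLE_LOG).most_common():
        print(f"{src:16} {n} packet(s) {ports[src]}")
```

Run it against a real file with `python3 script.py < /var/log/kern.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; the sshd line shows that non-netfilter entries are skipped.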
Change Iptables LOG File Name
To change the iptables log file name, edit the /etc/rsyslog.conf file and add the following configuration to it.
vi /etc/syslog.conf
Add the following line
kern.warning /var/log/iptables.log
Now, restart the rsyslog service using the following command.
service rsyslog restart
6 Comments
Hi All,
I want to log the NAT translations (source NAT) along with the timestamps. The info I want is:
source IP(unnatted) source port dest IP dest port :: source IP(natted) source port dest IP dest port
Please help me if it's possible.
Change :
tailf /var/log/kern.log
by
tail -f /var/log/kern.log
If you have difficulty logging packets with other rules, use ‘iptables -I’ instead of ‘-A’; this puts your logging rule at the top of the rules. Netfilter matches other rules and stops processing, but LOG is a non-blocking target, so it’s secure to put it in first place.
Great post thank you
Not very flexible, your solution.
Better try this
nano /etc/rsyslog.d/iptables.conf
add this:
":msg,contains,"** SUSPECT **" /var/log/iptables.log
&~
"
without the quotes ofc
then
service rsyslog restart
done
cheers
Thanks for the information here. Just wanted to let you know, there is a typo on one line.
vi /etc/syslog.conf
This should be
vi /etc/rsyslog.conf