Tuesday 21 June 2016

Logging dropped iptables traffic

Generally speaking it is good practice to log dropped traffic on your firewall - this can be achieved pretty easily with iptables.

Firstly create a new chain called 'logging':

iptables -N LOGGING

and then instruct the input chain to send any unmatched packets to the 'logging' chain:

iptables -A INPUT -j LOGGING

and we can also do the same for FORWARD traffic:

iptables -A FORWARD -j LOGGING

** Make sure that there are no catch-all drop rules in the input chain ahead of the jump, as they would prevent the unmatched packets from ever reaching the 'logging' chain (the packets are dropped there, after being logged). **

We then define rate-limiting to prevent a build-up of logs and define a prefix / log level for the logs:

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

Finally we apply the drop-all rule to our 'logging' chain:

iptables -A LOGGING -j DROP
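As an added example (not code from the original post), the rules above wrapped in a script that can be re-run without duplicating rules, together with a small summariser for the kernel log lines the LOG target writes. The sample log lines are constructed and use placeholder documentation-range addresses.

```sh
#!/bin/sh
# Added example, not from the original post: the LOGGING chain set up
# idempotently, plus a summariser for the lines the LOG target writes.

# Append a rule only if an identical one is not already present
# (iptables -C exits 0 when the rule exists), so re-running never duplicates it.
add_rule() {
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# Same rules as the post; run as root. Creating the chain fails harmlessly
# if it already exists.
setup_logging_chain() {
    iptables -N LOGGING 2>/dev/null || true
    add_rule INPUT -j LOGGING
    add_rule FORWARD -j LOGGING
    add_rule LOGGING -m limit --limit 2/min -j LOG \
        --log-prefix "IPTables-Dropped: " --log-level 4
    add_rule LOGGING -j DROP
}

# Read kernel log lines on stdin (journalctl -k, /var/log/kern.log) and print
# "count SRC DST DPT PROTO" for the prefixed drop lines, most frequent first.
# Lines without a DPT field (e.g. ICMP) show "-" for the port.
summarise_drops() {
    grep 'IPTables-Dropped: ' | awk '{
        src = "-"; dst = "-"; dpt = "-"; proto = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        count[src " " dst " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log lines (placeholder addresses from the documentation ranges).
SAMPLE_LOG='Jun 21 10:00:01 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Jun 21 10:00:02 fw kernel: eth0: link is up
Jun 21 10:00:31 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Jun 21 10:01:05 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TTL=61 PROTO=UDP SPT=40000 DPT=161 LEN=40
Jun 21 10:01:40 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0'

printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

Call setup_logging_chain as root to apply the rules; as written the script only summarises the embedded sample.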
