Recipe 2.23 Logging Simplified

2.23.1 Problem

You want your firewall to log and drop certain packets.

2.23.2 Solution

For iptables, create a new rule chain that logs and drops in sequence:

    # iptables -N LOG_DROP
    # iptables -A LOG_DROP -m limit -j LOG --log-level warning --log-prefix "dropped"
    # iptables -A LOG_DROP -j DROP

Then use it as a target in any relevant rules:

    # iptables ...specification... -j LOG_DROP

For ipchains, add the -l option to the rule itself:

    # ipchains ...specification... -l -j DROP

2.23.3 Discussion

iptables's LOG target causes the kernel to log packets that match your given specification. The --log-level option sets the syslog level [Recipe 9.27] for these log messages, and --log-prefix adds an identifiable string to the log entries. The further options --log-tcp-sequence, --log-tcp-options, and --log-ip-options affect the information written to the log; see iptables(8).

LOG is usually combined with the limit module (-m limit) to cap the number of redundant log entries made per time period, so that a flood of matching packets cannot flood your logs. You can accept the defaults (3 per hour, in bursts of at most 5 entries) or tailor them with --limit and --limit-burst, respectively.

ipchains has much simpler logging: just add the -l option to the relevant rules.

2.23.4 See Also

iptables(8), ipchains(8).
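Once the LOG_DROP chain is in place, the entries land in the kernel log with the chosen prefix glued directly onto the first field (LOG inserts no separator, so "dropped" becomes "droppedIN=eth0"). The following parser, an added example that is not from the book, picks those entries out of syslog text by prefix and tallies drops per source, protocol and destination port; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the book) laid out the way the
# iptables LOG target writes them.  The recipe's prefix "dropped" has no
# trailing space, so it runs straight into the first field: "droppedIN=eth0".
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:05 fw kernel: droppedIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=53 DPT=1024 LEN=28
Mar  3 10:15:06 fw sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 40000 ssh2
"""

def parse_log_lines(text, prefix="dropped"):
    """Return one dict per LOG entry that carries the given --log-prefix.

    Bare flags such as DF or SYN become True; KEY=VALUE pairs keep their
    string value (empty for e.g. OUT= on packets dropped on input).
    """
    # Also accept an optional "[ 1234.567890] " kernel timestamp after "kernel: ".
    pattern = re.compile(
        r"kernel:\s+(?:\[\s*\d+\.\d+\]\s+)?" + re.escape(prefix) + r"\s*(IN=.*)$"
    )
    records = []
    for line in text.splitlines():
        m = pattern.search(line)
        if not m:
            continue  # not a LOG entry with our prefix (e.g. the sshd line)
        fields = {}
        for token in m.group(1).split():
            key, sep, value = token.partition("=")
            fields[key] = value if sep else True
        records.append(fields)
    return records

def drops_by_source_and_port(records):
    """Count dropped packets per (SRC, PROTO, DPT); ICMP entries have no DPT."""
    counts = Counter()
    for r in records:
        counts[(r.get("SRC"), r.get("PROTO"), r.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG)
    for (src, proto, dpt), n in drops_by_source_and_port(recs).most_common():
        print(f"{n:4d}  {src:<15} {proto} dpt={dpt}")
```

Because the chain's LOG rule sits behind -m limit, these counts are a lower bound on what was actually dropped: anything beyond the configured rate (3 per hour, burst 5, by default) is dropped silently.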