some iptable logs
opie at 817west.com
Wed Oct 6 02:21:34 CEST 2004
On Tue, 2004-10-05 at 19:57, menonrr at adelphia.net wrote:
> I am a new user of iptables. I implemented logging on my INPUT, OUTPUT, and FORWARD chains. The result is hundreds of messages like these:
> Entry 1:
> Oct 5 10:12:04 nessusClient kernel: INPUT packets:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=45019 DF PROTO=TCP SPT=33871 DPT=631 WINDOW=32767 RES=0x00 ACK PSH URGP=0
part of a connection from the local machine to the local machine on the
cupsd port (TCP 631)... your firewall is a print server?
> Entry 2:
> Oct 5 10:12:04 nessusClient kernel: OUTPUT packetsIN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=45619 DF PROTO=TCP SPT=631 DPT=33871 WINDOW=32754 RES=0x00 ACK URGP=0
the reply to the previous packet.
> Entry 3:
> Oct 5 10:50:09 nessusClient kernel: INPUT eth1 Ext:IN=eth1
> OUT= MAC=ff:ff:ff:ff:ff:ff:00:08:74:ce:1a:21:08:00
> SRC=184.108.40.206 DST=255.255.255.255 LEN=68 TOS=0x00
> PREC=0x00 TTL=128 ID=13372 PROTO=UDP SPT=1053 DPT=7100 LEN=48
broadcast packet looking for a font server (xfs)
> My network is NOT a production network. There is very little activity from it. The firewall/gateway communicates to 220.127.116.11 and 172.16.4.0 through interface eth1.
> I have 4 questions:
> 1. How can I limit logging to all packets on eth0 (external) and eth1 (internal) to and from 192.168.18.0, 172.16.4.0, and 192.168.1.10/the gateway itself?
with various combinations of:
you could also employ "-i ! lo" and "-o ! lo" to filter out loopback
traffic (though you really should probably be accepting input/output
packets on lo)
> 2. What is a good log level?
depends where you want the messages to end up: man 5 syslog.conf
6 seems to be a popular choice.
> 3. How can I limit syslog size so that my computer does not crash?
man 8 logrotate
> 4. How can I log the iptables to a different log file?
see answer to #2.
Jason Opperisano <opie at 817west.com>
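The four answers above, put together as one script. This is an added example and not code from either poster; it assumes eth0 is the external and eth1 the internal interface, that the three networks are the /24s 192.168.18.0/24 and 172.16.4.0/24 plus the gateway's own address 192.168.1.10, that the log file is /var/log/iptables.log, and that syslogd is the classic sysklogd (the rsyslog line in the comment is an alternative, not what the thread used). The LOG rules all go through one user chain so the level, prefix and a rate limit are set in one place; because they match on -i/-o eth0 and eth1, loopback traffic such as entries 1 and 2 never reaches LOG without any "-i ! lo" rule. Note the trailing space in the prefix: entry 2 in the question shows what happens without it ("OUTPUT packetsIN=").

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the LOG rules, a syslog.conf
# line and a logrotate stanza for the setup described above. Assumed: eth0 is the
# external interface, eth1 the internal one, the networks are /24s plus the
# gateway's own address 192.168.1.10, and the log file path below. Run with
# "apply" to load the rules; with no argument it only prints what it would install.

EXT_IF=eth0
INT_IF=eth1
NETS="192.168.18.0/24 172.16.4.0/24 192.168.1.10/32"
LOG_LEVEL=6                     # syslog priority "info"; where it lands is syslog.conf's job
PREFIX="fw: "                   # trailing space keeps the prefix from running into IN=
LOGFILE=/var/log/iptables.log   # assumed path, used again in syslog.conf and logrotate below

# Question 1: log only eth0/eth1 traffic to or from the listed networks.
# Every LOG rule jumps to one user chain so level, prefix and rate limit are set once.
# Matching on -i/-o eth0/eth1 means loopback traffic never reaches LOG.
gen_rules() {
    echo '*filter'
    echo ':LOGNET - [0:0]'
    # -m limit stops a scan or a broadcast storm from filling the disk (question 3)
    echo "-A LOGNET -m limit --limit 5/min --limit-burst 20 -j LOG --log-level $LOG_LEVEL --log-prefix \"$PREFIX\""
    for IF in $EXT_IF $INT_IF; do
        for NET in $NETS; do
            echo "-A INPUT -i $IF -s $NET -j LOGNET"      # listed net -> the gateway itself
            echo "-A OUTPUT -o $IF -d $NET -j LOGNET"     # the gateway itself -> listed net
            echo "-A FORWARD -i $IF -s $NET -j LOGNET"    # routed traffic, by source
            echo "-A FORWARD -o $IF -d $NET -j LOGNET"    # routed traffic, by destination
        done
    done
    echo 'COMMIT'
}

# Questions 2 and 4: pick a level syslog can route, then route exactly that level of
# kernel messages to a file of its own (sysklogd syntax; "=" means this level only,
# "-" means no fsync per line). Caveat: any other kernel message logged at "info"
# lands in the same file. rsyslog can match on the prefix instead, e.g.
#   :msg, startswith, "fw: "    -/var/log/iptables.log
syslog_conf() {
    cat <<EOF
kern.=info    -$LOGFILE
EOF
}

# Question 3: rotate the file before it eats the disk, and HUP syslogd so it
# reopens the new file instead of writing into the rotated one.
logrotate_conf() {
    cat <<EOF
$LOGFILE {
    daily
    rotate 7
    compress
    missingok
    notifempty
    postrotate
        /bin/kill -HUP \$(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
}

case "${1:-}" in
    apply)
        # --noflush adds to the running ruleset instead of replacing it;
        # running "apply" twice therefore appends every rule twice.
        gen_rules | iptables-restore --noflush ;;
    *)
        gen_rules; echo; syslog_conf; echo; logrotate_conf ;;
esac
```

One thing to know before loading it: LOG is a non-terminating target, so a packet routed from one listed network to another matches both a "-i" and a "-o" FORWARD rule and is logged twice. If that is noise, drop the "-o $IF -d $NET" FORWARD line. The syslog.conf line only adds a destination; the messages still reach whatever other line in syslog.conf matches kern.info, so /var/log/messages keeps getting them unless that line is changed as well.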