how to log dropped packet

Florian Boelstler euphoria at arcor.de
Tue Sep 28 13:50:26 CEST 2004


What I usually do is:

---------------------------------------------------------------------
#!/bin/sh

# Some handy variables

IPTABLES=`which iptables`
d_HTTP="http,https"        # service names from /etc/services, used by multiport below
p_high="1024:65535"        # unprivileged (ephemeral) source port range
EXT="wlan0"                # external interface


# DROP & LOG chain
# ULOG only copies the packet to netlink group 1 and does not terminate rule
# traversal, so the chain ends with an explicit DROP after the logging rules.

$IPTABLES -N DROPnLOG
$IPTABLES -A DROPnLOG -p ICMP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-ICMP "
$IPTABLES -A DROPnLOG -p TCP  -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-TCP "
$IPTABLES -A DROPnLOG -p UDP  -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-UDP "
$IPTABLES -A DROPnLOG -j DROP


# Default rule for established connections

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT


# Put several rules to allow outgoing traffic here. E.g. for web sites:

$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high \
    -m multiport --destination-ports $d_HTTP -j ACCEPT


# Wipe anything not matching any of the rulesets above

$IPTABLES -A INPUT   -j DROPnLOG
$IPTABLES -A FORWARD -j DROPnLOG
$IPTABLES -A OUTPUT  -j DROPnLOG

---------------------------------------------------------------------


The script above requires that your kernel is aware of the ULOG target.
This allows logging iptables' output to a destination other than syslog
(e.g. a file).
You will need an appropriate ULOG configuration file.

The output will look like this:
Jan  1 01:00:00 beamstation DROP-UDP  IN= OUT=wlan0 MAC= SRC=192.168.2.100 DST=192.168.2.255 LEN=268 TOS=00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=138 DPT=138 LEN=248


Good luck,

   Florian
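Added example, not part of Florian's post: a small Python parser for the syslog-style line layout shown above (timestamp, host, ULOG prefix, then KEY=VALUE tokens and bare flags such as DF or SYN). It keeps the first of duplicated keys (the IP-header LEN comes before the UDP LEN) and aggregates drops per source, which is the usual first step when turning these logs into a detection. The log lines other than the post's own are constructed here.

```python
import re
from collections import Counter

# Constructed sample: the first line is the post's example, the rest are made up
# here in the same layout (a TCP probe pair and an ICMP echo request).
SAMPLE_LOG = """\
Jan  1 01:00:00 beamstation DROP-UDP  IN= OUT=wlan0 MAC= SRC=192.168.2.100 DST=192.168.2.255 LEN=268 TOS=00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=138 DPT=138 LEN=248
Jan  1 01:00:05 beamstation DROP-TCP  IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.7 DST=192.168.2.100 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 01:00:06 beamstation DROP-TCP  IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.7 DST=192.168.2.100 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 01:00:07 beamstation DROP-ICMP  IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.9 DST=192.168.2.100 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# syslog timestamp, host, then the --ulog-prefix text up to the first IN= token
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prefix>\S.*?)\s+(?P<rest>IN=.*)$"
)

def parse_line(line):
    """Return a dict for one ULOG line, or None if the line is not in this layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if eq:
            fields.setdefault(key, val)   # first LEN= is the IP header length; keep it
        else:
            flags.append(tok)             # DF, SYN, ACK ... carry no '='
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}

def summarize(text):
    """Count dropped packets per (prefix, SRC, PROTO, DPT)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        f = rec["fields"]
        counts[(rec["prefix"], f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts

def noisy_sources(text, threshold=2):
    """Sources with at least `threshold` dropped packets, sorted; a simple alert trigger."""
    per_src = Counter(rec["fields"].get("SRC")
                      for rec in filter(None, map(parse_line, text.splitlines())))
    return sorted(src for src, n in per_src.items() if n >= threshold)
```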
