administration, linux, security,

iptables to rsyslog

agowa338, Dec 17, 2016

Log all dropped connections to syslog

# Create a LOGGING chain and send whatever is left in INPUT/OUTPUT to it.
# Append these after your ACCEPT rules: everything that reaches LOGGING is
# written to the kernel log and then dropped.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "iptables: "
iptables -A LOGGING -j DROP

Check that this line is present in /etc/rsyslog.conf; it loads the kernel log input module, which is where the messages produced by the LOG target arrive:

$ModLoad imklog

After that, create the file /etc/rsyslog.d/01-iptables.conf with the following content (on newer rsyslog versions use "& stop" instead of "& ~"):

:msg, startswith, "iptables: " -/var/log/iptables.log
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables.log
& ~
Lines 1 and 3 are filters paired with a log file location: the first matches messages that start with "iptables: ", the second matches the same messages when the kernel has put a timestamp such as "[ 1234.567890] " in front of the prefix. If a filter matches, the message is written to the specified log file (the leading "-" tells rsyslog not to sync the file after every write).
Lines 2 and 4 tell rsyslog "don't process any further rules for this log entry if the rule before matched, it's done".
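To check the two filter conditions before they go on a live system, the following script (an added example, not part of the original post) replays a few constructed kernel-log lines through the same "starts with" and regex conditions that 01-iptables.conf uses, then counts the logged packets per source address, which is the first thing a reviewer of /var/log/iptables.log usually wants. The sample lines and the addresses in them are constructed (RFC 5737 documentation ranges); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Replays constructed kernel-log lines through the rsyslog match conditions
# from 01-iptables.conf, using grep (POSIX BRE, like rsyslog's "regex" op).

# Constructed sample messages; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='[ 1234.567890] iptables: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22
iptables: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
[12345.000001] iptables: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=5353
[  999.000000] kernel: usb 1-1: new high-speed USB device
sshd[1234]: Accepted publickey for alice from 198.51.100.4'

# Keep only the lines the two rsyslog filters would route to iptables.log:
# message starts with "iptables: " or with "[<secs>.<usecs>] iptables: ".
iptables_lines() {
    grep -e '^iptables: ' -e '^\[ *[0-9]*\.[0-9]*\] iptables: '
}

# Count logged packets per SRC= address; prints "<count> <address>",
# highest count first.
drops_by_src() {
    iptables_lines | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# Stand-alone run: show the matched lines, then the per-source summary.
printf '%s\n' "$SAMPLE_LOG" | iptables_lines
printf '%s\n' "$SAMPLE_LOG" | drops_by_src
```

On the sample above the filter keeps three of the five lines (the USB message and the sshd line fall through to the normal syslog rules), and the summary reports two packets from 203.0.113.7 and one from 198.51.100.4. Feeding a real /var/log/iptables.log into drops_by_src works the same way, since the file only ever receives lines that passed these filters.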

Now the only thing left is to create a log rotation rule. To do so, create the file /etc/logrotate.d/iptables with this content:

/var/log/iptables.log {
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
		iptables-save >> /var/log/iptables.log
	endscript
}
