How to log packets dropped by Linux iptables firewall to a log file
This article is part of our ongoing series on Linux iptables. When our iptables rules are not working as expected, we may need to log the packets dropped by iptables for troubleshooting. This article explains how to log incoming and outgoing dropped firewall packets.
If you are new to iptables, please familiarize yourself with the basic concepts of iptables first.
Log all dropped input packets
First, we need to understand how to log all dropped iptables input packets to syslog.
If we already have a set of iptables firewall rules, add the following to the bottom; this logs all dropped input (incoming) packets to /var/log/messages:
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
In the example above, the rules do the following:
- iptables -N LOGGING : Create a new chain called LOGGING.
- iptables -A INPUT -j LOGGING : All remaining incoming packets jump to the LOGGING chain.
- Line 3: Log incoming packets to syslog (/var/log/messages). This line is explained in detail below.
- iptables -A LOGGING -j DROP : Finally, all packets that reach the LOGGING chain are dropped. That is, this rule is what actually drops the incoming packets.
Line 3 above uses the following options for logging dropped packets:
- -m limit : Uses the limit matching module, which lets you rate-limit logging with the --limit option.
- --limit 2/min : The maximum average match rate for the log records. In this example, it limits the records to 2 per minute for similar packets. We can also specify 2/second, 2/minute, 2/hour or 2/day. This keeps the log from being flooded with duplicate messages for the same dropped packets.
- -j LOG : The target for this packet is LOG, that is, an entry is written to the log file.
- --log-prefix "IPTables-Dropped: " : Any log prefix we specify is prepended to the log messages written to the /var/log/messages file.
- --log-level 4 : The standard system log level. 4 is warning. We can use numbers in the range 0 to 7, where 0 is emergency and 7 is debug.
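To see what --limit 2/min actually lets through, here is an added Python simulation of the limit match (example code, not from the article). It assumes the token-bucket behaviour documented for the limit module, including its default --limit-burst of 5, which the article does not mention: a burst of five matches passes immediately, after which the bucket refills at the configured rate.

```python
"""Simulate the iptables 'limit' match used in the LOG rule above.

Added example, not part of the original article. The limit module is a
token bucket: it starts with --limit-burst tokens (default 5, a documented
default the article does not mention) and refills at the --limit rate, so
"--limit 2/min" means "a burst of five, then one match every 30 seconds on
average", not "exactly two log lines per minute".
"""

# Seconds per unit for the suffixes iptables accepts after the slash.
UNITS = {"second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str) -> float:
    """Turn an iptables --limit argument such as '2/min' into tokens per second."""
    count, _, unit = spec.partition("/")
    return int(count) / UNITS[unit or "second"]


class LimitMatch:
    """Token bucket with the semantics of the limit match: burst tokens up
    front, refilled continuously at the configured rate, never above burst."""

    def __init__(self, limit: str = "2/min", burst: int = 5):
        self.rate = parse_limit(limit)  # tokens per second
        self.burst = burst
        self.tokens = float(burst)      # bucket starts full
        self.last = 0.0                 # time of the previous packet

    def match(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` (seconds) is logged."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def logged_count(arrivals, limit: str = "2/min", burst: int = 5) -> int:
    """How many of the packets arriving at the given times (seconds) get logged."""
    m = LimitMatch(limit, burst)
    return sum(m.match(t) for t in arrivals)


if __name__ == "__main__":
    # A burst of 100 packets in one second produces only 5 log lines ...
    print(logged_count([0.01 * i for i in range(100)]))
    # ... while one packet every 40 seconds is always logged (slower than 1/30s).
    print(logged_count([40 * i for i in range(21)]))
```

Because the bucket starts full, the first minute of a flood yields five log lines, not two; only afterwards does the long-run average settle at the configured rate.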
Log all dropped outgoing packets
This is the same as above, but the second line below has OUTPUT instead of INPUT.
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Log all dropped packets (incoming and outgoing)
This is the same as before, but we take line 2 from each of the previous two examples and add both here. That is, we have a separate line for INPUT and one for OUTPUT, each of which jumps into the LOGGING chain.
To log incoming and outgoing dropped packets, add the following lines at the bottom of your existing iptables firewall rules.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Also, as mentioned above, iptables log messages go to /var/log/messages by default. If we want to send them to our own custom log file instead, add the following line to /etc/syslog.conf:
kern.warning /var/log/custom.log
How to read iptables logs
The following are examples of lines logged in /var/log/messages when incoming and outgoing packets are dropped.
Aug 4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
In the above output:
- IPTables-Dropped : The prefix we set with the --log-prefix option.
- IN=em1 : The interface on which this incoming packet arrived. For outgoing packets this is empty.
- OUT=em1 : The interface through which the outgoing packet leaves. For incoming packets this is empty.
- SRC= : The source IP address where the packet originated.
- DST= : The destination IP address to which the packet is sent.
- LEN= : The packet length.
- PROTO= : The protocol (in the output above, the first line is an outgoing ICMP packet and the second line is an incoming TCP packet).
- SPT= : The source port.
- DPT= : The destination port. In line 2 above, the destination port is 443, which means incoming HTTPS packets are being dropped.
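As an added example (not part of the original article), the following Python parser turns LOG lines like the two above into records and counts drops by direction, protocol and destination port. The two log lines are the article's own; the third, unrelated kernel line is constructed to show that non-matching lines are skipped, and the parser assumes the default kernel LOG format and the "IPTables-Dropped: " prefix configured above.

```python
"""Parse iptables LOG lines of the kind shown above into structured records.

Added example, not from the original article. The first two sample lines are
the article's; the third is a constructed, unrelated kernel message.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 4 13:23:01 centos kernel: some unrelated kernel message (constructed)
"""

PREFIX = "IPTables-Dropped: "   # the --log-prefix from the rules above
# KEY=VALUE tokens; VALUE may be empty (e.g. "IN=" on an outgoing packet).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str):
    """Return a dict of KEY=VALUE fields plus a 'direction', or None if the
    line is not one of our LOG entries."""
    if PREFIX not in line:
        return None
    payload = line.split(PREFIX, 1)[1]
    rec = {}
    for key, value in FIELD_RE.findall(payload):
        # ICMP lines carry ID= twice (IP header id, then echo id); keep the first.
        rec.setdefault(key, value)
    # IN is set for incoming packets and empty for outgoing ones.
    rec["direction"] = "incoming" if rec.get("IN") else "outgoing"
    return rec


def summarize(text: str) -> Counter:
    """Count dropped packets by (direction, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["direction"], rec["PROTO"], rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key[0]:9s} {key[1]:5s} dpt={key[2]}")
```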