Iptables change log

Tags: iptables, logs

Somehow an iptables rule was added to one of my systems. Does (or can) iptables keep a log about when and (maybe) who made a rule change? If iptables itself can't, is there a wrapper that might do that? I know sudo logs commands, but once someone does "sudo su -", that is the end of that.

Best Answer

No, there is no change log for iptables.

Since only root can run iptables, an administrator who wants to bypass whatever logging you set up also has the power to turn off that logging, so you can only log changes made by cooperating administrators.

If you use iptables-save, use version control on the rules file. Train your fellow administrators to commit changes with a meaningful change message.

If you want the logging to happen automatically, replace the iptables executable by a wrapper script that performs the logging. Here's a quick-and-dirty script that isn't robust with respect to oddball arguments (e.g. containing newlines). If the log file cannot be written, this script displays an error message but proceeds with the iptables call.

#!/bin/sh
# Wrapper installed as /sbin/iptables; the real binary has been renamed to
# /sbin/iptables.real. Append one line per call: timestamp, real user, arguments.
( exec >>/var/log/iptables.log
  printf '%s %s iptables' "$(date '+%Y:%m:%d %H:%M:%S')" "$(id -run)"
  for x; do printf " '%s'" "$x"; done
  printf '\n' )
exec /sbin/iptables.real "$@"
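A more robust variant of the wrapper idea above, added here as an example and not the answer's own script: every argument is encoded onto a single log line (arguments containing newlines, quotes or other non-printable bytes are hex-dumped), and the sudo caller is recorded when sudo has set SUDO_USER. It assumes the same /sbin/iptables.real rename and the log path /var/log/iptables.log.

```shell
#!/bin/sh
# Wrapper installed as /sbin/iptables; the real binary is assumed to have been
# renamed to /sbin/iptables.real. Each invocation appends one unambiguous line
# to the log, even when an argument contains newlines, quotes or other
# non-printable bytes, and records the sudo caller when SUDO_USER is set.
IPTABLES_REAL=/sbin/iptables.real
IPTABLES_LOG=/var/log/iptables.log

# Encode one argument on a single line: plain single quotes when it consists
# only of printable characters other than the quote itself, otherwise a hex
# dump of its bytes prefixed with "hex:" (so "a<newline>b" becomes hex:610a62).
encode_arg() {
    case "$1" in
        *\'*|*[![:print:]]*)
            printf 'hex:%s' "$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')" ;;
        *)
            printf "'%s'" "$1" ;;
    esac
}

# Encode all arguments, separated by single spaces, with no trailing newline.
format_args() {
    sep=''
    for arg; do
        printf '%s%s' "$sep" "$(encode_arg "$arg")"
        sep=' '
    done
}

# Full log line: timestamp, real user (plus sudo caller if any), the arguments.
format_entry() {
    who=$(id -run)
    [ -n "${SUDO_USER:-}" ] && who="$who(sudo:$SUDO_USER)"
    printf '%s %s iptables %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$who" "$(format_args "$@")"
}

main() {
    # Log first so the attempt is recorded even if the real binary then fails;
    # a log write failure is reported but does not block the call.
    format_entry "$@" >>"$IPTABLES_LOG" \
        || echo "iptables wrapper: cannot write $IPTABLES_LOG" >&2
    exec "$IPTABLES_REAL" "$@"
}

# Run the wrapper only when installed under the name iptables, so the file
# can also be sourced to reuse the encoding functions.
case "${0##*/}" in
    iptables) main "$@" ;;
esac
```

Because the hex form is reversible, a reviewer can reconstruct the exact bytes of any odd argument from the log line later.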