Iptables log file

iptableslogs

I have ubuntu and I want to know where can I find the log file of iptables?
I find out /var/log/messages, but I am not sure this is a correct log file or not.

And I also want to know when this log file is changed? I add one rule to prevent my machine to respond to ping message but when I ping my machine I didn't see any changes to /var/log/messages

Best Answer

Because it can easily fill up your logs, the default is to not log. Add a jump to the LOG target, which will log to the kernel log (which you can see with dmesg or at wherever syslog is configured to write that for your distro). In your LOG-target rule, you can set --log-level and --log-prefix to help organize the messages and keep them separate from other kernel messages.

LOG is a "non-terminating target", so rule traversal will continue on to the next rule — you can basically add logging right above your existing rules without affecting them.

Related Solutions

Rsyslog rule inconsistently applied

From the output you've given it looks like the python script is not sending all the pieces of the syslog message that rsyslog is expecting. It appears as if the "{FILTER}" part is where the host and app name should be. You can pretty easily prove this by running rsyslogd with the -d flag then sending the message from python and then from logger. You'll see the raw message as it comes from the socket that way and I bet you'll see that logger is sending more fields in front of the "{FILTER}" part.

Debian – incoming ACCEPT all iptables rule still appearing

The line you are worried about:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere

is actually because of this in your rules:

-A INPUT -i lo -j ACCEPT

Notice the interface is explicit in the rule, but not in the -L output. Move that rule to the middle of the list, use iptables-restore and notice the "ACCEPT all -- anywhere" has moved down too. Now try changing the rule a bit:

-A INPUT -i lo -s 127.0.0.1 -j ACCEPT

and the -L output will become:

target     prot opt source                 destination  
ACCEPT     all  --  localhost.localdomain  anywhere

"localhost.localdomain" will be your 127.0.0.1 hostname from /etc/hosts. This at least makes it clearer where that rule came from.

You can also see more detailed information including the interfaces with iptables -vL.

BTW, you may want to start your rules:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Drop everything by default as a fall through for safety. This is considered bad manners, however (see the link in Gilles comment below), so you may want to create a final catch all for each table which uses -j REJECT --reject-with icmp-net-prohibited.

Best Answer

Related Solutions

Rsyslog rule inconsistently applied

Debian – incoming ACCEPT all iptables rule still appearing

Related Question