I'm trying to find a way to record the entire contents of packets (possibly with tcpdump) that have been dropped according to rules in iptables.
At present, I have a rule to log these packets (with a log prefix), then follow this with a rule to drop them.
Is there a way to record the contents of those packets for review afterwards?
So, I'm looking for this:
- A rule that logs the matching packet
- A rule that passes the packet to a new target that records its contents (maybe QUEUE target?)
- A rule that drops the packet
2 & 3 may even be combined.
My understanding is that tcpdump may not be able to do this as it examines packets before iptables and therefore will not record just the dropped packets.
Thanks.
Best Answer
The NFLOG target can be used for this purpose. Here is a very basic example:
Refer to the iptables-extensions manual page for a description of the NFLOG target.
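Since the answer's example did not survive on this page, here is an added one (my own illustration, not the answerer's code) of the three steps the question lists: a user chain that logs, hands a copy of the packet to NFLOG, and then drops, plus a tcpdump invocation that reads those copies back. The chain name `LOGDROP`, the group number 5, the log prefixes and the output path `/var/tmp/dropped.pcap` are assumptions chosen for the illustration; it must run as root on a host with iptables and a tcpdump built with libnetfilter_log support.

```shell
#!/bin/sh
# Added example, not from the original answer: route "log then drop" traffic
# through one chain that also copies each packet to NFLOG, then read those
# copies back with tcpdump. Chain name, group number, prefixes and output
# path below are assumptions made for this illustration.
set -eu

CHAIN=LOGDROP                 # assumed chain name
GROUP=5                       # assumed NFLOG group (0-65535, pick one no other listener uses)
PCAP=/var/tmp/dropped.pcap    # assumed output file for the captured packets

# Create (or reset) a user chain that logs, copies and finally drops a packet.
# Existing "-j LOG" + "-j DROP" pairs in INPUT/FORWARD can then be replaced by
# a single "-j LOGDROP" so all three steps live in one place.
build_logdrop_chain() {
    group="$1"
    prefix="$2"
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    # 1. kernel log line, as the question already does (LOG prefix is limited to 29 chars)
    iptables -A "$CHAIN" -j LOG --log-prefix "$prefix"
    # 2. copy of the packet to netlink group $group for a userspace reader
    iptables -A "$CHAIN" -j NFLOG --nflog-group "$group" --nflog-prefix "$prefix"
    # 3. drop it
    iptables -A "$CHAIN" -j DROP
}

# Read the copies that NFLOG publishes on the group. tcpdump must be built with
# libnetfilter_log support; "tcpdump -D" lists an nflog interface when it is.
capture_dropped() {
    group="$1"
    out="$2"
    tcpdump -i "nflog:$group" -n -w "$out"
}

case "${1:-}" in
    apply)   build_logdrop_chain "$GROUP" "iptables-drop: " ;;
    capture) capture_dropped "$GROUP" "$PCAP" ;;
    *)       echo "usage: $0 apply|capture" >&2 ;;
esac
```

Run `./script apply` once to build the chain, point the rules that currently end in LOG/DROP at `-j LOGDROP`, then `./script capture` (root or CAP_NET_ADMIN) writes every packet that reached the chain to the pcap for later review in Wireshark or `tcpdump -r`. The LOG rule is kept only because the question already has it; NFLOG with `--nflog-prefix` and a userspace reader such as ulogd can produce the text log as well, and ulogd's pcap output plugin is the fallback if your tcpdump has no `nflog:` interface.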