Taming the chatty firewall log

Want to log dropped packets in your firewall but not hate your console/dmesg/syslog? How about this little trick.

First, configure your firewall, perhaps as below. See the ‘log-level 7’ on the LOG rule? Later we run dmesg -n6, which sets the kernel's console log level to 6: only messages of priority 5 (notice) and below are printed to the console, so the level-7 drop messages stay off it (they still land in the kernel ring buffer and, via imklog, in rsyslog). We then add a rule to rsyslog that routes messages matching [TIMESTAMP] fwdrop: to a file of their own and stops processing them there, so they stay out of syslog and kern.log, and then set that file to rotate.

Two things to check before relying on this. rsyslog reads /etc/rsyslog.d/*.conf in sorted order, and the ‘stop’ only keeps the drop lines out of the default logs if this file is read before the rule that writes kern.* to them; on a system that keeps its default rules in /etc/rsyslog.d/50-default.conf (Ubuntu does) name it 10-iptables.conf or similar. And if you follow the advice in the comments and add a logrotate ‘size’ option, note that ‘size’ replaces the ‘daily’ schedule rather than adding to it; ‘maxsize 5M’ keeps the daily rotation and also rotates early when the file gets big.

## cat /etc/rc.local
#!/bin/sh

# nf_conntrack_ipv6 is a separate module only on kernels before 4.19;
# later kernels fold it into nf_conntrack, so tolerate a missing module.
modprobe nf_conntrack_ipv6 2>/dev/null || true

set -x

for fw in iptables ip6tables
do

    # Default-deny inbound and forwarded traffic, allow outbound.
    $fw -P INPUT DROP
    $fw -P FORWARD DROP
    $fw -P OUTPUT ACCEPT

    $fw -A INPUT -i lo -j ACCEPT
    $fw -A OUTPUT -o lo -j ACCEPT

    # Replies to our own connections, then new SSH sessions
    # (ESTABLISHED is already accepted above, so NEW is enough here).
    $fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $fw -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # IPv6 needs ICMPv6 (neighbour discovery, PMTU) to function at all.
    if [ "$fw" = "ip6tables" ]
    then
        $fw -A INPUT -p ipv6-icmp -j ACCEPT
    fi

    # Everything else: rate-limited LOG at debug level (7), then DROP.
    # --limit 10/min with the default burst of 5 caps log volume under a flood.
    $fw -N LOGGING
    $fw -A INPUT -j LOGGING
    $fw -A LOGGING -m limit --limit 10/min -j LOG --log-prefix "fwdrop: " --log-level 7
    $fw -A LOGGING -j DROP
done

# Console log level 6: only priority 5 (notice) and below reach the console,
# so the level-7 fwdrop messages don't; they still reach rsyslog via imklog.
dmesg -n6

exit 0

## cat /etc/rsyslog.d/iptables.conf
:msg, regex, "^ *\[[0-9]*\.[0-9]*\] fwdrop: "  -/var/log/iptables.log
& stop

## cat /etc/logrotate.d/iptables
/var/log/iptables.log
{
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
	endscript
}
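As an added example (not part of the original post or its configs), here is a small shell script that checks the rsyslog selector's regex against a few constructed kernel messages and then summarises the drop lines by source address and destination port, which is usually the first thing you want from /var/log/iptables.log. The sample messages, the interface name, the MAC and the function names are all made up for the example; addresses come from the RFC 5737 / RFC 3849 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the rsyslog selector
# against constructed kernel messages, then summarise dropped packets by
# source and destination port from the same lines.

# The pattern from the rsyslog rule. rsyslog's "regex" operator is POSIX
# BRE, which is also what plain grep uses. The backslash before the closing
# bracket is dropped: outside a bracket expression "]" is already literal.
FWDROP_RE='^ *\[[0-9]*\.[0-9]*] fwdrop: '

# Constructed sample messages, shaped like what imklog passes to rsyslog as
# the msg property (the text after "kernel: "). Lines 1-2: unpadded printk
# timestamp (uptime >= 10000 s). Line 3: the kernel's own space-padded form
# ("[%5lu.%06lu]"). Line 4: no timestamp at all (printk.time=0, or imklog
# not keeping it). Line 5: unrelated kernel noise.
sample_msgs() {
    cat <<'EOF'
[12345.678901] fwdrop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
[12345.900001] fwdrop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
[  987.654321] fwdrop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:db8::1 DST=2001:db8::10 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=20
fwdrop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=UDP SPT=50000 DPT=161 LEN=40
usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
}

# How many sample messages the page's regex selector would route.
count_regex_matches() {
    sample_msgs | grep -c "$FWDROP_RE"
}

# How many a  :msg, contains, "fwdrop: "  selector would route.
count_contains_matches() {
    sample_msgs | grep -cF 'fwdrop: '
}

# Summarise drops as "<count> <src> <proto>/<dport>", busiest first. It keys
# on the KEY=VALUE tokens rather than on position, so it works on raw msg
# bodies and on full /var/log/iptables.log lines alike.
summarise_drops() {
    grep -F 'fwdrop: ' | awk '
    {
        src = "?"; dpt = "-"; proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Busiest source/port pair in the samples.
top_drop() {
    sample_msgs | summarise_drops | head -n 1
}

echo "regex selector matches:    $(count_regex_matches)"
echo "contains selector matches: $(count_contains_matches)"
sample_msgs | summarise_drops
```

Two of the four drop messages slip past the page's regex: the one whose seconds field is space-padded, which is how the kernel itself formats timestamps below 10000 s of uptime, and the one with no timestamp at all. Whether the padded form reaches rsyslog unchanged depends on how imklog hands the message over, so if drops are still turning up in kern.log, try the selector :msg, contains, "fwdrop: " instead, which keys on the prefix alone and matches all four. Against a real file, run cat /var/log/iptables.log | summarise_drops to get the top offenders.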


2 Responses to “Taming the chatty firewall log”

  1. Varun

    Nice. You would want to replace your “& ~” with “& stop”. The tilde syntax is deprecated with rsyslog v7: https://www.rsyslog.com/rsyslog-error-2307/. Also a ‘size’ attribute so that the log does not grow too big. Something like “size 5M”.

  2. db

    Thanks!
    Yeah, I knew that, but, old habits…
