Want to log dropped packets in your firewall but not hate your console/dmesg/syslog? How about this little trick.
First, configure your firewall, perhaps as below. See the ‘log-level 7’? Later we do dmesg -n6 (meaning the max level logged to console is 6). We then add a rule to rsyslog to route messages of the form [TIMESTAMP] fwdrop: to a different file, and then set that file to rotate.
```
## cat /etc/rc.local
#!/bin/sh
modprobe nf_conntrack_ipv6
set -x
for fw in iptables ip6tables
do
    $fw -P INPUT DROP
    $fw -P FORWARD DROP
    $fw -P OUTPUT ACCEPT
    $fw -A INPUT -i lo -j ACCEPT
    $fw -A OUTPUT -o lo -j ACCEPT
    $fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $fw -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    if [ $fw = "ip6tables" ]
    then
        $fw -A INPUT -p ipv6-icmp -j ACCEPT
    fi
    $fw -N LOGGING
    $fw -A INPUT -j LOGGING
    $fw -A LOGGING -m limit --limit 10/min -j LOG --log-prefix "fwdrop: " --log-level 7
    $fw -A LOGGING -j DROP
done
# don't console-log fwdrop
dmesg -n6
```

```
## cat /etc/rsyslog.d/iptables.conf
:msg, regex, "^ *\[[0-9]*\.[0-9]*\] fwdrop: " -/var/log/iptables.log
& stop
```

```
## cat /etc/logrotate.d/iptables
/var/log/iptables.log {
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
```
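Once the drops land in /var/log/iptables.log, the next thing you want is a quick summary of who is being dropped on which port. The parser below is an added example, not part of the original post; it assumes rsyslog's default line format ("host kernel: [ts] fwdrop: KEY=VALUE ...") and uses constructed sample lines. Because of the `--limit 10/min` rule, the counts are a lower bound on actual drops.

```python
import re
from collections import Counter

# Message part produced by the LOG rule above: kernel timestamp, the
# "fwdrop: " prefix, then the LOG target's KEY=VALUE fields and bare flags.
FWDROP_RE = re.compile(r"\[\d+\.\d+\] fwdrop: (?P<fields>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample log (RFC 5737 addresses); the last line is an unrelated
# kernel message to show that non-fwdrop records are ignored.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: [12345.678901] fwdrop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: [12346.001234] fwdrop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: [12347.222222] fwdrop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 10:15:04 gw kernel: [12348.333333] usb 1-1: new high-speed USB device number 3
"""


def parse_fwdrop(line):
    """Return the LOG fields of one fwdrop line as a dict, or None if the line
    is not a fwdrop record. Bare flags (DF, SYN, ACK, ...) go into FLAGS."""
    m = FWDROP_RE.search(line)
    if not m:
        return None
    body = m.group("fields")
    rec = dict(KV_RE.findall(body))          # later duplicates (e.g. LEN) win
    rec["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
    return rec


def summarize(lines):
    """Count dropped packets per (SRC, PROTO, DPT); non-fwdrop lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_fwdrop(line)
        if rec is None:
            continue
        counts[(rec.get("SRC", "?"), rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:6d}  {src:<16} {proto:<5} dpt={dpt}")
```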