CentOS 7 / Ubuntu 14
Configure iptables logging
1. Edit the config file
1-1. Edit the following file
- [CentOS]
/etc/sysconfig/iptables
- [Ubuntu]
/etc/iptables/rules.v4
1-2. Add lines 26 to 32 of the following (the `# Log` section through `-A LOGGING -j DROP`) to the existing configuration
```
 1  *filter
 2  # Basic policy as "DROP"
 3  :INPUT DROP [0:0]
 4  :FORWARD DROP [0:0]
 5  :OUTPUT DROP [0:0]
 6
 7  -A OUTPUT -d 0.0.0.0/0 -j ACCEPT
 8  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 9
10  #
11  # Accept HTTPS from anywhere.
12  #
13  -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
14
15  #
16  # Accept SSH from anywhere (not very good).
17  #
18  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
19
20  #
21  # Accept port 8080 only inside.
22  # e.g. From Apache or Nginx to Tomcat on localhost.
23  #
24  -A INPUT -s 127.0.0.1 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
25
26  #
27  # Log
28  #
29  -N LOGGING
30  -A INPUT -j LOGGING
31  -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
32  -A LOGGING -j DROP
33
34  COMMIT
```
1-3. Restart the service
[CentOS]
```
sudo systemctl restart iptables
```
[Ubuntu]
```
sudo invoke-rc.d iptables-persistent restart
```
2. Configure syslog and logrotate
[CentOS]
2-1. Add the following line to /etc/rsyslog.conf, anywhere appropriate.
```
kern.debug /var/log/iptables
```
2-2. Create /etc/logrotate.d/iptables with the following content.
```
/var/log/iptables {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
```
2-3. Restart the iptables and rsyslog services.
```
sudo systemctl restart iptables
sudo systemctl restart rsyslog
```
[Ubuntu]
2-1. Add the following line to /etc/rsyslog.d/50-default.conf, anywhere appropriate.
```
kern.debug -/var/log/iptables
```
2-2. Open /etc/logrotate.d/rsyslogd in an editor and add /var/log/iptables to the existing settings.
```
/var/log/syslog
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
/var/log/iptables
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
```
2-3. Restart the iptables and rsyslog services.
```
sudo invoke-rc.d iptables-persistent restart
sudo service rsyslog restart
```
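Once the rules above are in place, /var/log/iptables fills with one kernel line per logged packet (rate-limited to 2 per minute by the `-m limit` match). The script below is an added example, not part of the original post: it reads that file from standard input and summarizes the drops by protocol and destination port, then lists the distinct sources that hit one port. It assumes only what the page configures (the `IPTables Packet Dropped: ` prefix and the file path) plus the field names the kernel LOG target emits (`SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=`). `SAMPLE_LOG` is a constructed stand-in for the real file so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original page: summarize the records that the
# LOGGING chain writes to /var/log/iptables (via the kern.debug selector),
# grouped by protocol and destination port, and list sources for one port.
# The "IPTables Packet Dropped: " prefix and the file path are the ones the
# page configures; the field names are what the kernel LOG target emits.
# SAMPLE_LOG below is constructed so the script runs offline; on a real host,
# replace the printf lines with: summarize_drops < /var/log/iptables

SAMPLE_LOG='Mar  1 10:00:01 host kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 host kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.11 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=22222 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:03 host kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=28
Mar  1 10:00:04 host kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
Mar  1 10:00:05 host kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12346 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "count PROTO DPT", most frequent first.
# Only lines carrying the LOG prefix are counted: kern.debug matches every
# kernel message, so unrelated lines (like the usb one above) also land in
# the file and must be skipped.
summarize_drops() {
    awk '
        /IPTables Packet Dropped: / {
            proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (index($i, "PROTO=") == 1) proto = substr($i, 7)
                else if (index($i, "DPT=") == 1) dpt = substr($i, 5)
            }
            counts[proto " " dpt]++
        }
        END { for (k in counts) print counts[k], k }
    ' | sort -rn
}

# Distinct source addresses whose packets to destination port $1 were dropped.
sources_for_port() {
    awk -v port="$1" '
        /IPTables Packet Dropped: / {
            src = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1) src = substr($i, 5)
                else if ($i == "DPT=" port) hit = 1
            }
            if (hit && src != "") print src
        }
    ' | sort -u
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | sources_for_port 23
```

Two points the script makes visible: `kern.debug` is a priority threshold, not a prefix filter, so everything the kernel logs ends up in /var/log/iptables alongside the drop records (an rsyslog property-based filter on the message prefix would keep the file to iptables lines only), and `--log-level 7` (debug) is what keeps these records out of the `*.info` catch-all in the CentOS default rsyslog.conf, whereas on Ubuntu the `kern.*` and `*.*` selectors in 50-default.conf still copy them into kern.log and syslog.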
References
- How to Log Linux IPTables Firewall Dropped Packets to a Log File
- iptablesでログ出力設定 (Japanese)
- rsyslog – ArchWiki
- RSYSLOG