Linux has a sohpisticated firewall built right into the kernel: It’s called iptables! I’m pretty sure you heard about it. You can do realy crazy things with iptables. But here I just want to log how to log+drop a packet in a single rule.

Usually, you would probably do something like that:

iptables -A INPUT -j LOG --log-level warning --log-prefix "INPUT-DROP:"
iptables -A INPUT -j DROP

Works perfectly, but dramatically messes your rules table up.. Especially, if you want to log+drop packets that match a complicated filter. You’ll end up with twice as many table entries as desired..

The trick is to instead create a new rule chain that will log+drop in sequence:

iptables -N LOG_DROP

So here I created a new chain called LOG_DROP. We can now append (-A) two new rules to that chain, which do the actual drop+log:

iptables -A LOG_DROP -j LOG --log-level warning --log-prefix "INPUT-DROP:"
iptables -A LOG_DROP -j DROP

(similar like the first code above, just not for the INPUT chain but for the LOG_DROP chain)

That’s basically it! If you now need to log+drop a packet you can append a new rule to e.g. the INPUT chain that routes the packet to the LOG_DROP chain:

iptables -A INPUT [...filter specification...] -j LOG_DROP

You should consider to limit the number of redundant log entries per time to prevent flooding of your logs.. For more documentation you should consult the manual of iptables(8).


Martin Scharm

stuff. just for the records.


Post a comment

read more about submitting comments