Iptables is a powerful firewall tool that is commonly used on Linux systems to control incoming and outgoing network traffic. One of the most important features of iptables is its ability to log network activity, which can be used to troubleshoot issues and monitor security. However, many beginners may find the process of enabling logging in iptables confusing or overwhelming.
Before we begin, it is important to note that iptables logging is only available in kernel 2.4.x and later versions. Also, you need to have root access to your Linux system to perform the steps outlined in this guide.
This guide aims to provide a clear and easy-to-follow introduction to iptables logging for beginners.
Step 1: Check the Current Iptables Rules
Before we begin, it is important to know the current iptables rules that are in place on your system. To do this, enter the following command in the terminal:
sudo iptables -L
This command will show you the current iptables rules, including any rules for logging.
Step 2: Enable Logging in Iptables
To enable logging into iptables, we need to add a new rule to the iptables configuration. This can be done using the following command:
sudo iptables -A INPUT -j LOG
This command adds a new rule that logs all incoming traffic. If you want to log only specific types of traffic, you can use the -p
option to specify the protocol, such as TCP or UDP, and the -s
option to specify the source IP address.
sudo iptables -A INPUT -p TCP -s 192.168.10.0/24 -j LOG
To define the level of LOG generated by iptables use --log-level
followed by the level number.
sudo iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4
We can also add some prefixes in generated Logs, So it will be easy to search for logs in a huge file.
sudo iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'
Step 3: Configure Syslog
By default, iptables logs are sent to the kernel’s message buffer. To view these logs, you need to configure syslog to read the message buffer and write the logs to a file. This can be done by editing the syslog configuration file, typically located at /etc/syslog.conf or /etc/rsyslog.conf.
You will need to add the following line to the syslog configuration file to enable iptables logging:
kern.* /var/log/iptables.log
Step 4: Verify Logging
To verify that logging has been enabled and configured correctly, enter the following command in the terminal:
sudo tail -f /var/log/iptables.log
This command will display the last few lines of the iptables log file and will continue to display new lines as they are added to the file.
You can also use log analyzers like logwatch, and iptables-log-parser to get more insights from the logs.
Step 5: Disable Logging
If you no longer wish to log iptables traffic, you can disable logging by removing the rule that was added in step 2. This can be done using the following command:
sudo iptables -D INPUT -j LOG
Conclusion
Enabling logging in iptables on a Linux system is an important step in monitoring and securing your network. By following the steps outlined in this guide, you should now have a basic understanding of how to enable logging in iptables and how to use logs to troubleshoot issues and improve security. Remember that logging in iptables is just one aspect of network security, and it’s important to keep your system updated, use strong passwords and be aware of other vulnerabilities in your network. Keep in mind that logging is a continuous process and you need to monitor it regularly to keep your system secure.
7 Comments
Rob, ironically funny that you’ve misspelled typo. Yea, it was a typo, however, this did the trick for me, so all’s well that ends well.
Hi All,
I want to log the NAT translations(source NAT) along with the timestamps, Info I want is:
source IP(unnatted) source port dest IP dest port :: source IP(natted) source port dest IP dest port
Please help me if its possible.
Change :
tailf /var/log/kern.log
by
tail -f /var/log/kern.log
If you have dificulty to log packets with anothers rules, use ‘iptables -I’ instead of ‘-A’, this put your logging rule at top of rules. Netfilter matches others rules and stop processing, but LOG is a non-blocking target, it’s secure to put in first place.
Great post thank you
Not very flexible youre solution.
Better try this
nano /etc/rsyslog.d/iptables.conf
add this:
“:msg,contains,”** SUSPECT **” /var/log/iptables.log
&~
”
without the quotes ofc
then
service rsyslog restart
done
cheers
Thanks for the information here. Just wanted to let you know, there is a type on one line.
vi /etc/syslog.conf
This should be
vi /etc/rsyslog.conf