How do I log what's not being accepted by the following rule:
iptables -A OUTPUT -p icmp --icmp-type 3 -m limit --limit 10/minute -j ACCEPT
And how do I limit what's being logged because I don't want to log 1000s of pings?
My first thought was:
iptables -A OUTPUT -p icmp --icmp-type 3 -m limit --limit 50/day -j LOG
iptables -A OUTPUT -p icmp --icmp-type 3 -m limit --limit 10/minute -j ACCEPT
But that doesn't seem right to me.
I think this limits the logging to 50/day but not necessarily what is not being accepted, or am I wrong?
To log what isn't being accepted by a rule, you put the log rule after the accept rule (because chain processing stops when it hits an accept rule). To make sure you're logging things that would be accepted by other rules, you need to put the accept rule you're testing (and the log rule) at the very top of the chain.
The log limit you've got in place is reasonable, although I would usually prefer something specified per-minute, and with a higher-than-default limit-burst (which is 3).
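As an added example that is not part of the question or the answer, the ordering the answer recommends written as a script: the rate-limited ACCEPT first, the LOG rule directly after it so it only sees packets the ACCEPT did not take, and both placed ahead of everything else in OUTPUT. The chain name ICMP3_OUT, the 5/minute log rate and the burst of 20 are illustrative assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the question or answer: the ordering the answer
# describes, in a dedicated chain so the rules can sit at the very top of
# OUTPUT without renumbering the rest. ICMP3_OUT, the 5/minute log rate
# and the burst of 20 are illustrative assumptions, not values from the page.
IPT="${IPT:-iptables}"        # set IPT=echo to preview the commands instead

apply_icmp_rules() {
    "$IPT" -N ICMP3_OUT
    # 1. Accept up to 10/minute. `-m limit` only matches while tokens
    #    remain, so packets over the rate fall through to the next rule.
    "$IPT" -A ICMP3_OUT -p icmp --icmp-type 3 \
        -m limit --limit 10/minute -j ACCEPT
    # 2. Everything reaching this rule was NOT accepted above. Log it,
    #    but cap the log volume with its own limit and a larger burst
    #    than the default of 3, as the answer suggests.
    "$IPT" -A ICMP3_OUT -p icmp --icmp-type 3 \
        -m limit --limit 5/minute --limit-burst 20 \
        -j LOG --log-prefix "icmp3-over-limit: "
    # Packets that neither rule matched return to OUTPUT and continue
    # through its remaining rules (append -j DROP here to refuse them).

    # Jump to the new chain from position 1 so it precedes every other
    # OUTPUT rule, as the answer requires.
    "$IPT" -I OUTPUT 1 -p icmp --icmp-type 3 -j ICMP3_OUT
}

if [ "${1:-}" = "apply" ]; then
    apply_icmp_rules
fi
```

Run it as root with the argument `apply`; with `IPT=echo` it only prints the commands, which is a quick way to check the order before touching a live ruleset.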