Home / server / Questions / 386140
Accepted
ylluminate
Asked: 2012-05-05 09:41:37 +0800 CST

Increasing `iptables` verbosity and determine logging location on a CentOS based server?

  • 772

Having an odd problem here with regards to pound reverse proxy no longer directing traffic properly on a CentOS based distro (ClearOS 6.2.x).

I believe that it's an iptables issue or something else in that I see nothing to even indicate inbound traffic in my /var/log/messages or /var/log/system.

How can I increase iptables logging verbosity and verify what is going on with it (in terms of certainty as to where the logging data is being kept)?

centos iptables pound clearos

2 Answers

  1. Best Answer

    Below are the general steps I've taken in the past to turn on iptables logging.

    Modify Logging
- sudo vi /etc/syslog.conf
- kern.warning /var/log/iptables.log
 - sudo /sbin/service syslog restart
 - sudo vi /etc/logrotate.d/syslog
- If this file is already there, add /var/log/iptables.log to the first line
- If the file is not there, add it:

    /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/iptables.log {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

    Implement firewall rules
• sudo vi /etc/sysconfig/iptables.script
• sudo chmod 700 /etc/sysconfig/iptables.script
• sudo /etc/sysconfig/iptables.script

    Within my iptables script, I have all of my generic allow rules at the top and then towards the bottom I have some specific logging rules. Below are a few examples.

    # Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "
# Log outbound traffic for anything not equal private ip ranges (this is defined in some previous rules)
/sbin/iptables -A OUTPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Outbound Traffic: "
# Log traffic that doesn't hit a rule above (stuff that may be blocked in the future)
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Potentially Dropped Traffic: "

    There are obviously a ton of things you can do with this. Here is a good link for some generic information.

    • 5

  2. You can use the '-j LOG' target to log the matched packet to your system log. You can also prefix it with any arbitrary string.

    To help in debugging the problem, you can use anetwork sniffer like wireshark or tcpdump. Also, iptables counters can a good source of information on a less busy servers by monitoring the changes of a certain rule.

    You can view the exact counters with iptables -L -nvx.

    • 2