# [solved] iptables : logging dropped packets

## Jimini

Hi there,

I've got a general question: how to make iptables log all packets, that have been dropped? As far as I know, the default policy can only either be ACCEPT or QUEUE or DROP or RETURN (my script drops all packets that don't match one of my rules).

I tried to append the following rules at the end of my script, but with them, iptables logged _all_ packets.

```
iptables -A INPUT -j LOG --log-prefix "iptables - INPUT: "
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-prefix "iptables - OUTPUT: "
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j LOG --log-prefix "iptables - FORWARD: "
iptables -A FORWARD -j DROP
```

All I need is something like a default policy - if a packet is not handled by any of my rules, I want it to be logged and dropped. I'm sure that this is no complicated thing, but I just don't get it.

Best regards,

Jimini

----------

## truc

well, you did it the right way. Strange it doesn't work for you.

Are you sure those rules really appear as the last one of each chain in iptables-save?
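Jimini's rule pair (unconditional LOG, then unconditional DROP at the end of each chain) is the standard pattern, and checking its position in `iptables-save` is the right first test. The script below is an added example, not code from either poster: `tail_rules` prints the same pair with a rate limit on the LOG target so that a burst of unmatched packets cannot fill syslog, and `check_tail` reads `iptables-save` output and confirms that the last two rules of a filter chain are LOG followed by DROP. The `-m limit` values and the `SAMPLE_SAVE` text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build the log-then-drop tail for a
# chain and verify from iptables-save output that the pair really sits last.

# Print the two rules that close CHAIN: a rate-limited LOG (the limit values
# are this example's own choice) followed by an unconditional DROP.
tail_rules() {
    chain="$1"
    printf 'iptables -A %s -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "iptables - %s: " --log-level 5\n' "$chain" "$chain"
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# Read iptables-save output on stdin and return 0 only if, in the filter
# table, the last two rules of CHAIN are a LOG rule followed by a DROP rule.
# A missing LOG, the pair in the wrong order, or rules appended after the
# pair all make it return 1.
check_tail() {
    awk -v chain="$1" '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 == "-A" && $2 == chain { prev = last; last = $0 }
        END { exit !(prev ~ /-j LOG( |$)/ && last ~ /-j DROP *$/) }'
}

# Constructed iptables-save fragment: INPUT is closed correctly, FORWARD has
# the two rules in the wrong order, OUTPUT has an ACCEPT appended after them.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables - INPUT: " --log-level 5
-A INPUT -j DROP
-A FORWARD -j DROP
-A FORWARD -j LOG --log-prefix "iptables - FORWARD: " --log-level 5
-A OUTPUT -j LOG --log-prefix "iptables - OUTPUT: " --log-level 5
-A OUTPUT -j DROP
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Demonstration: print the rules for INPUT, then audit all three chains.
tail_rules INPUT
for c in INPUT FORWARD OUTPUT; do
    if printf '%s\n' "$SAMPLE_SAVE" | check_tail "$c"; then
        echo "$c: log-and-drop tail is in place"
    else
        echo "$c: tail missing, misordered, or followed by other rules"
    fi
done
```

On a live box, replace the sample with `iptables-save | check_tail INPUT`. The check deliberately looks only at the `*filter` table, because a LOG/DROP pair appended to the wrong table would pass a casual eyeball of the script but never see the packets.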

----------

## Jimini

I tested my modified script again, but iptables still seems to log everything - yesterday I forgot to comment the new rules out and after 12 hours, I had about 120000 new lines in my logfile.

```
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=212.50.93.30 DST=MY_IP LEN=353 TOS=0x00 PREC=0x00 TTL=115 ID=10540 PROTO=UDP SPT=43198 DPT=51413 LEN=333
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=83.46.166.228 DST=MY_IP LEN=126 TOS=0x00 PREC=0x00 TTL=112 ID=3947 PROTO=UDP SPT=15657 DPT=51413 LEN=106
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=188.20.6.30 DST=MY_IP LEN=95 TOS=0x00 PREC=0x00 TTL=116 ID=42874 PROTO=UDP SPT=53973 DPT=51413 LEN=75
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=58.54.191.252 DST=MY_IP LEN=126 TOS=0x00 PREC=0x00 TTL=114 ID=5769 PROTO=UDP SPT=15990 DPT=51413 LEN=106
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=109.165.231.254 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=9127 PROTO=UDP SPT=25763 DPT=51413 LEN=111
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=41.204.136.88 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=23833 PROTO=UDP SPT=17615 DPT=51413 LEN=111
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.169.173.201 DST=MY_IP LEN=134 TOS=0x00 PREC=0x00 TTL=118 ID=4620 PROTO=UDP SPT=51869 DPT=51413 LEN=114
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=98.229.187.247 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=6569 PROTO=UDP SPT=54098 DPT=51413 LEN=111
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.234.187 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=52143 DF PROTO=TCP SPT=10251 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.234.187 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=52523 DF PROTO=TCP SPT=10251 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=173.244.214.166 DST=MY_IP LEN=40 TOS=0x00 PREC=0x00 TTL=98 ID=36900 PROTO=TCP SPT=80 DPT=49239 WINDOW=65535 RES=0x00 ACK SYN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=220.173.123.121 DST=MY_IP LEN=126 TOS=0x00 PREC=0x00 TTL=112 ID=45623 PROTO=UDP SPT=13106 DPT=51413 LEN=106
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=67.175.110.73 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=12931 PROTO=UDP SPT=32204 DPT=51413 LEN=111
iptables - FORWARD: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=94.228.210.41 LEN=263 TOS=0x00 PREC=0x00 TTL=63 ID=41029 DF PROTO=TCP SPT=40930 DPT=2710 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111
```

iptables-save:

```
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*security
:INPUT ACCEPT [159942531:42084578692]
:FORWARD ACCEPT [1400846537:768955115177]
:OUTPUT ACCEPT [234867474:266999892698]
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*raw
:PREROUTING ACCEPT [1294660393:689687978973]
:OUTPUT ACCEPT [136441918:170830348724]
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*nat
:PREROUTING ACCEPT [15:1392]
:POSTROUTING ACCEPT [2:108]
:OUTPUT ACCEPT [4:276]
-A PREROUTING -i eth0 -p udp -m udp --dport 20534 -j DNAT --to-destination 10.0.0.2:20534
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20530 -j DNAT --to-destination 10.0.0.2:20530
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9999 -j DNAT --to-destination 10.0.0.2:9999
-A PREROUTING -i eth0 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
-A PREROUTING -s 10.0.0.0/24 -d 10.0.0.1/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.1:10101
-A PREROUTING -s X.X.8.5/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.1:10101
-A PREROUTING -s X.X.184.67/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.1:10101
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*mangle
:PREROUTING ACCEPT [603:335223]
:INPUT ACCEPT [89:6923]
:FORWARD ACCEPT [514:328300]
:OUTPUT ACCEPT [47:4903]
:POSTROUTING ACCEPT [542:309317]
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:OUTPUTROP - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -s X.X.160.30/32 -j DROP
-A INPUT -s 10.0.0.0/24 -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth1 -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth1 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6668 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8033 -m state --state NEW -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10101 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 ! -i eth1 -j DROP
-A INPUT -s 127.0.0.1/32 ! -i lo -j DROP
-A INPUT -s X.X.144.59/32 ! -i eth0 -j DROP
-A INPUT -s 10.0.0.0/24 ! -i eth1 -j LOG --log-prefix "iptables - SPOOFING eth1: "
-A INPUT ! -s 10.0.0.0/24 ! -i eth0 -j LOG --log-prefix "iptables - SPOOFING eth0: "
-A INPUT -j LOG --log-prefix "iptables - INPUT: " --log-level 5
-A INPUT -j DROP
-A FORWARD -d X.X.160.30/32 -j DROP
-A FORWARD -p udp -m udp --dport 20534 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20530 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 51413 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/24 ! -i eth1 -j DROP
-A FORWARD -s 127.0.0.0/32 ! -i lo -j DROP
-A FORWARD -s 1.0.0.0/32 ! -i lo -j DROP
-A FORWARD -s X.X.144.59/32 ! -i eth0 -j DROP
-A FORWARD -s 10.0.0.0/24 ! -i eth1 -j LOG --log-prefix "iptables - SPOOFING eth1: "
-A FORWARD ! -s 10.0.0.0/24 ! -i eth0 -j LOG --log-prefix "iptables - SPOOFING eth0: "
-A FORWARD -j LOG --log-prefix "iptables - FORWARD: " --log-level 5
-A FORWARD -j DROP
-A OUTPUT -d X.X.160.30/32 -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -o eth1 -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.186.130/32 -o eth0 -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.58.13/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.100.175/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.91.35/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -o eth1 -p tcp -m tcp --dport 5001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6668 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d X.X.249.201/32 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.249.102/32 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.10.46/32 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.34.228/32 -o eth0 -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "iptables - OUTPUT: " --log-level 5
-A OUTPUT -j DROP
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
```

I hope this output helps you.

Best regards,

Jimini

----------

## truc

*Jimini wrote:*

> ```
> iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=212.50.93.30 DST=MY_IP LEN=353 TOS=0x00 PREC=0x00 TTL=115 ID=10540 PROTO=UDP SPT=43198 DPT=51413 LEN=333
> ```
> ...

This doesn't look like “all traffic” to me. Check whether this is legitimate traffic or not; it's UDP only it seems, so maybe something like Skype?

----------

## Jimini

```
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=212.50.93.30 DST=MY_IP LEN=353 TOS=0x00 PREC=0x00 TTL=115 ID=10540 PROTO=UDP SPT=43198 DPT=51413 LEN=333
```

Bittorrent

```
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=83.46.166.228 DST=MY_IP LEN=126 TOS=0x00 ...
```

Can't figure out what this is.

```
iptables - FORWARD: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=94.228.210.41 LEN=263 TOS=0x00 PREC=0x00 TTL=63 ID=41029 DF PROTO=TCP SPT=40930 DPT=2710 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0 
```

I assume this is my edonkey-client.

```
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111
```

Bittorrent

The lines from my log I quoted above were just an example. Most of them only show (wanted) traffic from or to 10.0.0.2:51413.

Best regards,

Jimini

----------

## truc

*Jimini wrote:*

> ```
> iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111
> ```
> ...

From what I can see, the log only shows DROPped traffic, even if this is wanted traffic. If I take this UDP traffic to DPT 51413, I don't see it ACCEPTed anywhere in the INPUT chain, but I do see some TCP rules for this port ;) (PREROUTING & FORWARD)

----------

## Jimini

These are the rules for Bittorrent:

```
iptables -I FORWARD -p tcp --dport 51413 -j ACCEPT
iptables -t nat -I PREROUTING -i $wan -p tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
```

But as far as I know, I don't need an INPUT-rule for this traffic, because the client can connect without any problems. Or am I misunderstanding you?

Best regards,

Jimini

----------

## Hu

You misunderstand truc.  The point was that the traffic you say is being improperly logged is UDP, but your rules only match TCP for those ports.  Thus, truc stated that the traffic being logged is not matched by any of your rules and it is proper that it is being logged.  Your posts indicate that it is not your intention to log this, and presumably also not your intention to DROP it, but the rules you have shown do log it and do drop it.
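Hu's point (the logged traffic is UDP, the rules for that port match only TCP) is something a quick tally of the LOG lines would have shown straight away: the chain-tail LOG rule records exactly the packets that no ACCEPT rule claimed, so grouping those lines by chain, protocol and destination port surfaces the missing rule. The script below is an added example, not code from the thread: `summarize_log` parses kernel LOG lines of the format shown above, `top_flow` picks the most frequent one, and `has_accept_rule` checks an `iptables-save` dump for an ACCEPT rule covering it. The `SAMPLE_LOG` lines and `SAMPLE_SAVE` text are constructed to mirror the thread's situation (addresses are documentation ranges, not the poster's).

```shell
#!/bin/sh
# Added example (not from the thread): tally what the chain-tail LOG rules
# caught and check whether any filter-table ACCEPT rule covers the top flow.

# Constructed LOG lines in the kernel's "prefix key=value ..." format.
SAMPLE_LOG='iptables - INPUT: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.1 LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=9127 PROTO=UDP SPT=25763 DPT=51413 LEN=111
iptables - INPUT: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.1 LEN=126 TOS=0x00 PREC=0x00 TTL=112 ID=3947 PROTO=UDP SPT=15657 DPT=51413 LEN=106
iptables - INPUT: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=52143 DF PROTO=TCP SPT=10251 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
iptables - INPUT: IN=eth0 OUT= SRC=203.0.113.13 DST=198.51.100.1 LEN=95 TOS=0x00 PREC=0x00 TTL=116 ID=42874 PROTO=UDP SPT=53973 DPT=51413 LEN=75
iptables - FORWARD: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=203.0.113.50 LEN=263 TOS=0x00 PREC=0x00 TTL=63 ID=41029 DF PROTO=TCP SPT=40930 DPT=2710 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
iptables - INPUT: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=52523 DF PROTO=TCP SPT=10251 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
iptables - INPUT: IN=eth0 OUT= SRC=203.0.113.14 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
iptables - INPUT: IN=eth0 OUT= SRC=203.0.113.15 DST=198.51.100.1 LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=6569 PROTO=UDP SPT=54098 DPT=51413 LEN=111'

# Constructed iptables-save fragment modelled on the thread: port 51413 is
# only ever matched for TCP, in nat PREROUTING and in FORWARD.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables - INPUT: " --log-level 5
-A INPUT -j DROP
COMMIT'

# Reads LOG lines on stdin; prints "count chain proto dport", most frequent
# first. ICMP and other port-less protocols get "-" as the port.
summarize_log() {
    awk '
        match($0, /iptables - [A-Z]+: /) {
            chain = substr($0, RSTART + 11, RLENGTH - 13)
            proto = "?"; dport = "-"
            for (i = 1; i <= NF; i++) {
                if (index($i, "PROTO=") == 1) proto = substr($i, 7)
                else if (index($i, "DPT=") == 1) dport = substr($i, 5)
            }
            count[chain " " proto " " dport]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# The flow that hit the log most often, as one line "count chain proto dport".
top_flow() {
    summarize_log | head -n 1
}

# Reads iptables-save output on stdin; returns 0 if CHAIN in the filter table
# has an ACCEPT rule for PROTO (lowercase, as iptables-save writes it) and
# destination port DPORT.
has_accept_rule() {
    awk -v chain="$1" -v proto="$2" -v dport="$3" '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 == "-A" && $2 == chain &&
            index($0, "-p " proto " ") && index($0, "--dport " dport " ") &&
            /-j ACCEPT/ { found = 1 }
        END { exit !found }'
}

# Demonstration: tally the sample, then ask whether the top flow has a rule.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
set -- $(printf '%s\n' "$SAMPLE_LOG" | top_flow)   # count chain proto dport
proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
if printf '%s\n' "$SAMPLE_SAVE" | has_accept_rule "$2" "$proto" "$4"; then
    echo "$2 already accepts $3/$4: these log lines deserve a closer look"
else
    echo "no ACCEPT rule in $2 for $3/$4: the log is pointing at a missing rule"
fi
```

On a real system feed it `grep 'iptables - ' /var/log/messages | summarize_log` and `iptables-save | has_accept_rule INPUT udp 51413`. Note that in the thread the UDP packets show up in INPUT rather than FORWARD precisely because the nat PREROUTING DNAT rule for 51413 also matches only TCP, so the UDP packets are never redirected to 10.0.0.2.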

----------

## Jimini

Ah, now I got it. That explains why my syslog got more than one new entry per second. I corrected my script and now it seems to work as it is supposed to, great! Sincere thanks to you two.

Best regards,

Jimini
