# Logging in iptables

## nandelbosc

Good afternoon,

I have iptables working perfectly, but I don't like that it writes its log into dmesg, because it fills it up with lines like the following...

dmesg:

```
Dropped by firewall: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:00:44:31:f1:08:00 SRC=192.168.10.101 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58315 PROTO=UDP SPT=137 DPT=137 LEN=58
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=32924 TOS=0x00 PREC=0x00 TTL=64 ID=6789 PROTO=UDP SPT=2049 DPT=956 LEN=32904
Dropped by firewall: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:00:44:31:f1:08:00 SRC=192.168.10.101 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58333 PROTO=UDP SPT=137 DPT=137 LEN=58
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=32924 TOS=0x00 PREC=0x00 TTL=64 ID=6834 PROTO=UDP SPT=2049 DPT=956 LEN=32904
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=32924 TOS=0x00 PREC=0x00 TTL=64 ID=6909 PROTO=UDP SPT=2049 DPT=956 LEN=32904
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=239.255.255.250 LEN=334 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1901 DPT=1900 LEN=314
Dropped by firewall: IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=239.255.255.250 LEN=334 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1901 DPT=1900 LEN=314
Dropped by firewall: IN=eth0 OUT= MAC= SRC=192.168.10.1 DST=239.255.255.250 LEN=325 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1901 DPT=1900 LEN=305
Dropped by firewall: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:00:44:31:f1:08:00 SRC=192.168.10.101 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58338 PROTO=UDP SPT=137 DPT=137 LEN=58
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=156 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=2049 DPT=956 LEN=136
Dropped by firewall: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:00:44:31:f1:08:00 SRC=192.168.10.101 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58366 PROTO=UDP SPT=137 DPT=137 LEN=58
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=23493 DF PROTO=TCP SPT=22 DPT=60297 WINDOW=81 RES=0x00 ACK PSH URGP=0
Dropped by firewall: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:00:44:31:f1:08:00 SRC=192.168.10.101 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58381 PROTO=UDP SPT=137 DPT=137 LEN=58
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=23510 DF PROTO=TCP SPT=22 DPT=60297 WINDOW=81 RES=0x00 ACK PSH URGP=0
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=4252 TOS=0x00 PREC=0x00 TTL=64 ID=7246 PROTO=UDP SPT=2049 DPT=956 LEN=4232
```

What logging alternatives do I have?

How do I set them up?

Here is some more info...

/etc/conf.d/iptables:

```
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"
```

/etc/iptables:

```
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ftp / webserver related
# -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
# -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
# NFS
-A INPUT -p tcp -m state --state NEW -m multiport --dport 111,790,793,2049,4001,32764:32767 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dport 111,790,793,2049,4001,32764:32767 -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# up to 5 Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
# log (rate-limited) what the REJECT rules below are about to refuse
-A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
# note: nothing in OUTPUT rejects anything, so this rule logs up to 15/minute of *every*
# outgoing packet under the same "Dropped" prefix; the IN= OUT=eth0 lines in the dmesg
# output above come from here, not from a drop
-A OUTPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
# Reject any packets that do not meet the specified criteria
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# iptables-restore only applies the table once it sees COMMIT
COMMIT
```

Thanks, everyone!

----------
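Triage helper for the kind of LOG output shown in the post above, as an added example that is not part of the original thread: a small POSIX sh/awk filter that groups the `Dropped by firewall:` lines by direction, protocol and destination port so the noise sources (NetBIOS name-service broadcasts to 137, SSDP to 1900, NFS replies) stand out. A line whose `IN=` field is empty was generated in the OUTPUT chain, and in the ruleset above nothing in OUTPUT rejects anything, so those entries are outbound packets that were actually sent, not drops. The lines inside `sample_log` are constructed in the post's format; `fw_summary` reads any such log on stdin (for example `fw_summary < /var/log/iptables.log`). Only `sh`, `awk` and `sort` are assumed.

```shell
#!/bin/sh
# Added example: group iptables LOG lines by direction, protocol and destination port.
# Requires only POSIX sh, awk and sort.

# fw_summary: read LOG lines on stdin, print one "direction proto dport count" line per group.
# "inbound"  = the packet arrived on an interface (IN=eth0), i.e. an INPUT-chain hit
# "outbound" = IN= is empty, i.e. the packet was logged in the OUTPUT chain
fw_summary() {
    awk '
    /Dropped by firewall:/ {
        in_if = ""; proto = "?"; dport = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # flag words like DF, ACK, PSH: not KEY=VALUE
            if (kv[1] == "IN")    in_if = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dport = kv[2]
        }
        dir = (in_if != "") ? "inbound" : "outbound"
        count[dir " " proto " " dport]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample in the format of the post (same prefix, same fields).
sample_log() {
    cat <<'EOF'
Dropped by firewall: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:00:44:31:f1:08:00 SRC=192.168.10.101 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58315 PROTO=UDP SPT=137 DPT=137 LEN=58
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=32924 TOS=0x00 PREC=0x00 TTL=64 ID=6789 PROTO=UDP SPT=2049 DPT=956 LEN=32904
Dropped by firewall: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:15:00:44:31:f1:08:00 SRC=192.168.10.101 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58333 PROTO=UDP SPT=137 DPT=137 LEN=58
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=23493 DF PROTO=TCP SPT=22 DPT=60297 WINDOW=81 RES=0x00 ACK PSH URGP=0
Dropped by firewall: IN= OUT=eth0 SRC=192.168.10.1 DST=192.168.10.2 LEN=32924 TOS=0x00 PREC=0x00 TTL=64 ID=6834 PROTO=UDP SPT=2049 DPT=956 LEN=32904
EOF
}

# Demo run against the constructed sample; for a real log use: fw_summary < /var/log/iptables.log
sample_log | fw_summary
```

On the sample this prints `inbound UDP 137 2`, `outbound TCP 60297 1` and `outbound UDP 956 2`; the two outbound groups are exactly the ones the OUTPUT LOG rule produces for accepted traffic (NFS replies from port 2049 and the SSH session from port 22), so anything under `outbound` is a reason to drop or narrow that rule rather than a firewall event.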

## gringo

there is an iptables module called ulog that lets you do that, and otherwise there are scripts around that let you specify a log file for iptables, like this one, for example.

cheers

----------

## nandelbosc

It looks like an option, but when I start it I get this error:

```
vito linux # ulogd
Tue Oct  9 16:58:13 2007 <3> ulogd.c:309 registering interpreter `raw'
Tue Oct  9 16:58:13 2007 <3> ulogd.c:309 registering interpreter `oob'
Tue Oct  9 16:58:13 2007 <3> ulogd.c:309 registering interpreter `ip'
Tue Oct  9 16:58:13 2007 <3> ulogd.c:309 registering interpreter `tcp'
Tue Oct  9 16:58:13 2007 <3> ulogd.c:309 registering interpreter `icmp'
Tue Oct  9 16:58:13 2007 <3> ulogd.c:309 registering interpreter `udp'
Tue Oct  9 16:58:13 2007 <3> ulogd.c:309 registering interpreter `ahesp'
Tue Oct  9 16:58:13 2007 <5> ulogd.c:364 registering output `syslogemu'
Tue Oct  9 16:58:13 2007 <8> ulogd.c:739 unable to create ipulogd handle
ERROR: Unable to bind netlink socket: No such file or directory
```

I do NOT have ULOG compiled into the kernel, neither built in nor as a module; as I understood the documentation, it isn't necessary... does anyone have any idea?

----------

## gringo

> Unable to bind netlink socket

you're missing CONFIG_NETLINK_DEV in the kernel, no?

saluetes

----------

## nandelbosc

> you're missing CONFIG_NETLINK_DEV in the kernel, no?

I don't see it anywhere...

```
vito linux # zcat /proc/config.gz | grep -i netlink
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_IP_NF_CONNTRACK_NETLINK=y
CONFIG_NET_WIRELESS_RTNETLINK=y
```

----------

## nandelbosc

I've half solved it... but by a different route.

I decided to set ULOGD aside and concentrate on logging via scripts. Here's what I did...

first, add `--log-prefix "firewall"`

for example:

```
-A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "firewall"
-A OUTPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "firewall"
```

and in /etc/syslog-ng/syslog-ng.conf:

```
destination iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("firewall"); };
log { source(src); filter(f_iptables); destination(iptables); flags(final); };
```

This creates the file /var/log/iptables.log, but it keeps filling up dmesg, and the point of this post was to unclog it a bit.

I thought that by changing (in /etc/syslog-ng/syslog-ng.conf):

```
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
```

to...

```
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news)
        and not match("firewall"); };
```

I would have the iptables messages out of dmesg, but no. Any advice?

Failing a fix for that, can you tell me exactly what I need in the kernel to be able to run ULOGD?

Thanks gringo!

----------
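An added example, not from the thread, that serves the two questions left open above (what the kernel needs for ulogd, and how to keep the firewall log out of dmesg) together with gringo's ULOG suggestion earlier. Which ulogd generation is running decides the kernel option: ulogd 1.x, the one whose libipulog prints `Unable to bind netlink socket`, receives packets from the `ULOG` target and therefore needs `CONFIG_IP_NF_TARGET_ULOG` (`ipt_ULOG`); ulogd 2.x reads `nfnetlink_log`, which the `NFLOG` target feeds, so it needs `CONFIG_NETFILTER_NETLINK_LOG` plus `CONFIG_NETFILTER_XT_TARGET_NFLOG`. Neither option name contains the word "netlink", which is why `grep -i netlink` did not show them. Both targets hand the packet to a userspace daemon instead of `printk`, so nothing enters the kernel ring buffer that `dmesg` prints; a syslog-ng filter only decides where the daemon copies a message it has already received from the kernel and cannot remove it from that buffer. The script below checks a kernel config file for both paths and writes review copies of an `iptables-restore` fragment, a ulogd 2.x `ulogd.conf` and a syslog-ng fragment into a directory. The plugin paths under `/usr/lib/ulogd/`, the log file names and the nflog group number are assumptions to adjust for the installed package; it never touches the running kernel, iptables or syslog-ng.

```shell
#!/bin/sh
# Added example: kernel-config check for ulogd 1.x/2.x, plus review copies of the
# config files for the NFLOG/ulogd 2.x route. Writes files only.

# has_opt CONFIG_FILE OPTION: true if OPTION is built in (=y) or a module (=m).
has_opt() { grep -q "^$2=[ym]" "$1"; }

# ulogd 1.x binds the netlink socket that the ULOG target (ipt_ULOG) registers.
ulog1_ready() { has_opt "$1" CONFIG_IP_NF_TARGET_ULOG; }

# ulogd 2.x reads nfnetlink_log, which the NFLOG target feeds.
nflog_ready() {
    has_opt "$1" CONFIG_NETFILTER_NETLINK_LOG &&
    has_opt "$1" CONFIG_NETFILTER_XT_TARGET_NFLOG
}

# report_kernel CONFIG_FILE: summary for a copy of the running config, e.g.
#   zcat /proc/config.gz > /tmp/config && report_kernel /tmp/config
report_kernel() {
    if ulog1_ready "$1"; then echo "ULOG target present: ulogd 1.x (-j ULOG) can bind"
    else echo "CONFIG_IP_NF_TARGET_ULOG missing: ulogd 1.x cannot bind its netlink socket"; fi
    if nflog_ready "$1"; then echo "nfnetlink_log + NFLOG target present: ulogd 2.x (-j NFLOG) usable"
    else echo "CONFIG_NETFILTER_NETLINK_LOG and/or CONFIG_NETFILTER_XT_TARGET_NFLOG missing"; fi
}

# write_nflog_files DIR: review copies of the three config pieces (paths are assumptions).
write_nflog_files() {
    dir=${1:-./fwlog-example}
    mkdir -p "$dir" || return 1

    # Same rate limit and prefix as the LOG rules in the thread, but the packet goes to
    # nfnetlink_log group 1 instead of printk, so dmesg never sees it. Log only in chains
    # where a REJECT/DROP actually follows, otherwise the "Dropped" prefix is misleading.
    cat >"$dir/iptables-nflog.rules" <<'EOF'
-A INPUT -m limit --limit 15/minute -j NFLOG --nflog-group 1 --nflog-prefix "Dropped by firewall: "
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF

    # ulogd 2.x: NFLOG input, LOGEMU output writes the familiar syslog-style line to a file.
    cat >"$dir/ulogd.conf" <<'EOF'
[global]
logfile="/var/log/ulogd.log"
loglevel=5
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=1

[emu1]
file="/var/log/iptables.log"
sync=1
EOF

    # If -j LOG is kept instead: this log{} must come BEFORE the statement that feeds
    # /var/log/messages and the console, because flags(final) only stops later statements.
    # It cannot remove the lines from the kernel ring buffer that dmesg reads.
    cat >"$dir/syslog-ng-iptables.conf" <<'EOF'
destination d_iptables { file("/var/log/iptables.log"); };
filter f_iptables { facility(kern) and match("firewall"); };
log { source(src); filter(f_iptables); destination(d_iptables); flags(final); };
EOF
    echo "wrote $dir/iptables-nflog.rules $dir/ulogd.conf $dir/syslog-ng-iptables.conf"
}

# Usage: sh fwlog-setup.sh /path/to/kernel-config [output-dir]
if [ $# -ge 1 ]; then
    report_kernel "$1"
    write_nflog_files "${2:-./fwlog-example}"
fi
```

Run against the `grep -i netlink` output quoted above, `report_kernel` reports both paths missing, which matches the bind error: `CONFIG_NETFILTER_NETLINK_LOG=y` alone gives the transport but neither the `ULOG` target that ulogd 1.x binds to nor the `NFLOG` target that feeds ulogd 2.x. After rebuilding with one of them, load the rules with `iptables-restore` and start ulogd with the generated `ulogd.conf`; the LOG rules and the syslog-ng fragment become unnecessary and dmesg stays quiet.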

