How to record logs of iptables firewall dropped packets

Source: Internet
Author: User
Tags: syslog, levels, vps

Recently my VPS has suffered a lot from spam comments; the IP addresses are from Putian, Fujian province, and they keep hitting one or two URLs!

The following is a section of a script that blocks an IP list. The complete script can be found via Google.

IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="blocked ip drop :"
# Read the blocklist, skipping comment lines and blank lines
[ -f /root/scripts/blocked.ips.txt ] && BADIPS=$(grep -v -E "^#|^$" /root/scripts/blocked.ips.txt)
PUB_IF="eth0"
if [ -f /root/scripts/blocked.ips.txt ];
then
    # Create a new iptables chain for the blocklist
    $IPT -N $SPAMLIST
    for ipblock in $BADIPS
    do
        # Log, then drop, every packet from a listed address
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
    # Insert the blocklist chain at the top of INPUT, OUTPUT and FORWARD
    $IPT -I INPUT -j $SPAMLIST
    $IPT -I OUTPUT -j $SPAMLIST
    $IPT -I FORWARD -j $SPAMLIST
fi

This article is part of our ongoing Linux IPTables series of articles. When things are not working as expected with your IPTables rules, you might want to log the packets IPTables drops for troubleshooting purposes. This article explains how to log both incoming and outgoing dropped firewall packets.

If you are new to IPTables, first get yourself comfortable with the IPTables fundamental concepts.

Log All Dropped Input Packets

First we need to understand how to log all the dropped input packets of iptables to syslog.

If you already have a whole bunch of iptables firewall rules, add these at the bottom; they will log all the dropped input (incoming) packets to /var/log/messages:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

In the above example, it does the following:

iptables -N LOGGING: Create a new chain called LOGGING.

iptables -A INPUT -j LOGGING: All the remaining incoming packets will jump to the LOGGING chain.

Line #3: Log the incoming packets to syslog (/var/log/messages). This line is explained below in detail.

iptables -A LOGGING -j DROP: Finally, drop all the packets that came to the LOGGING chain, i.e. now it really drops the incoming packets.

Line #3 above uses the following options for logging the dropped packets:

-m limit: This uses the limit matching module. With it you can limit the logging using the --limit option.

--limit 2/min: This indicates the maximum average matching rate for logging. In this example, for similar packets it will limit logging to 2 per minute. You can also specify 2/second, 2/minute, 2/hour or 2/day. This is helpful when you don't want to clutter your log messages with repeated messages about the same dropped packets.

-j LOG: This indicates that the target for this packet is LOG, i.e. write to the log file.

--log-prefix "IPTables-Dropped: ": You can specify any log prefix; it will be prepended to the log messages that are written to the /var/log/messages file.

--log-level 4: This is the standard syslog level. 4 is warning. You can use a number from the range 0 through 7: 0 is emergency and 7 is debug.

Log All Dropped Outgoing Packets

This is the same as above, but the 2nd line below has OUTPUT instead of INPUT.

iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

Log All Dropped Packets (both Incoming and Outgoing)

This is the same as before, but we'll be taking line number 2 from each of the previous two examples and adding both here, i.e. we'll have a separate line for INPUT and for OUTPUT, each of which jumps to the LOGGING chain.

To log both the incoming and outgoing dropped packets, add the following lines at the bottom of your existing iptables firewall rules.

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

Also, as we explained earlier, by default iptables will log all the messages to /var/log/messages. If you want to change this to your own custom log file, add the following line to /etc/syslog.conf:

kern.warning /var/log/custom.log

How to read the IPTables Log

The following is a sample of the lines that were logged in /var/log/messages when an incoming and an outgoing packet were dropped.

Aug 4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0

In the above output:

IPTables-Dropped: This is the prefix we set in our logging rule with the --log-prefix option.

IN=em1: This indicates the interface on which this incoming packet arrived. It will be empty for outgoing packets.

OUT=em1: This indicates the interface used for the outgoing packet. It will be empty for incoming packets.

SRC=: The source IP address from which the packet originated.

DST=: The destination IP address to which the packet was sent.

LEN=: Length of the packet.

PROTO=: Indicates the protocol (as you see above, the 1st line is for an outgoing ICMP packet, the 2nd line is for an incoming TCP packet).

SPT=: Indicates the source port.

DPT=: Indicates the destination port. In the 2nd line above, the destination port is 443, which indicates that an incoming HTTPS packet was dropped.
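To turn these log lines into something reviewable, here is an added parser (not part of the original article) for the IPTables-Dropped: format described above. It splits the KEY=VALUE fields and the bare flags (DF, SYN), works out the direction from which of IN=/OUT= is set, and counts drops per flow and per source; the sample lines are constructed to match the format shown, with one extra TCP hit and one non-firewall line to show the filtering.

```python
import re
from collections import Counter

# Constructed sample log in the format shown above (not a real capture).
SAMPLE_LOG = """\
Aug  4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug  4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  4 13:23:05 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9435 DF PROTO=TCP SPT=58429 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  4 13:24:00 centos sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

LOG_PREFIX = "IPTables-Dropped:"   # the --log-prefix used in the rules above
SYSLOG_HEAD = re.compile(r"(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+kernel:")

def parse_line(line):
    """Return a dict for one IPTables-Dropped line, or None for any other line."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    m = SYSLOG_HEAD.match(line[:idx])
    if not m:
        return None
    fields, flags = {}, []
    for tok in line[idx + len(LOG_PREFIX):].split():
        key, sep, val = tok.partition("=")
        if sep:
            # First ID= is the IP header id; for ICMP a second ID= (echo id) follows and is ignored.
            fields.setdefault(key, val)
        else:
            flags.append(tok)  # bare tokens such as DF and SYN
    return {"ts": m.group(1), "host": m.group(2), "fields": fields, "flags": flags}

def direction(fields):
    """IN= set means the packet arrived on that interface; OUT= set means it was leaving."""
    if fields.get("IN"):
        return "incoming"
    return "outgoing" if fields.get("OUT") else "unknown"

def summarize(log_text):
    """Count drops by (direction, protocol, destination port) and by source address."""
    by_flow, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        by_flow[(direction(f), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        by_src[f.get("SRC", "?")] += 1
    return by_flow, by_src
```

Because the rules above rate-limit logging to 2/min, the counts reflect logged drops, not every dropped packet.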
