Agnus Dei (jackal) wrote,

How to log packets from a Source IP using just iptables

Set up rules to match your IP address for logging. In this example the SRC IP we want to log is 10.0.3.19:

# Create a dedicated chain so the logging rule can be reused from other chains
iptables -N LOGGINGCHAIN
# Rate-limit the log entries (20 per minute) so a flood cannot fill the disk.
# LOG is non-terminating: the packet continues through INPUT afterwards.
iptables -A LOGGINGCHAIN -m limit --limit 20/min -j LOG --log-prefix "iptables: logging: " --log-level 7
# Send every inbound packet from 10.0.3.19 through the logging chain
iptables -A INPUT -s 10.0.3.19/32 -j LOGGINGCHAIN

Note: We used log level 7 (debug) because level 6 is info, and most /etc/rsyslog.conf files send *.info to /var/log/messages; we don't want to spam /var/log/messages with iptables entries.

So instead we add something to /etc/rsyslog.d/ for logging these packets:

cat << EOF >  /etc/rsyslog.d/10-iptables.conf
:msg, contains, "iptables:" -/var/log/iptables.log
:msg, contains, "iptables:" ~
EOF

The first line says that any message containing the string "iptables:" gets written to /var/log/iptables.log (the leading "-" tells rsyslog it may buffer writes to that file). The second line's "~" then discards the message, so the later rules in /etc/rsyslog.conf (such as the *.info one for /var/log/messages) never see it.

Then restart syslog:
service rsyslog restart
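Once the entries land in /var/log/iptables.log you will want to read them back. The following is an added example, not part of the original post: a small parser for the key=value format the LOG target emits, run over a few constructed syslog lines using the "iptables: logging: " prefix from the rule above, and a summary of hits by source, protocol and destination port. Because the rule is rate-limited with -m limit, the counts are a lower bound on the actual traffic.

```python
from collections import Counter

# The --log-prefix used in the iptables rule on this page.
LOG_PREFIX = "iptables: logging: "

# Constructed sample lines in the shape rsyslog writes to /var/log/iptables.log:
# syslog header, the kernel tag, then the LOG target's space-separated fields.
# The last line is an unrelated sshd message and must be ignored.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: [ 812.104] iptables: logging: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=10.0.3.19 DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4821 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: [ 813.220] iptables: logging: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=10.0.3.19 DST=10.0.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4822 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: [ 814.001] iptables: logging: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=10.0.3.19 DST=10.0.3.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4823 DF PROTO=UDP SPT=40000 DPT=53 LEN=56
Mar  3 10:15:04 gw sshd[2210]: Accepted publickey for ops from 10.0.3.19 port 51234 ssh2
"""


def parse_line(line):
    """Return a dict of the LOG fields in one syslog line, or None if the
    line does not carry our prefix. Tokens without '=' (DF, SYN, ...) are
    collected under 'FLAGS'. A key that appears twice (UDP prints LEN= for
    both the IP and UDP headers) keeps the last value."""
    pos = line.find(LOG_PREFIX)
    if pos < 0:
        return None
    record = {"FLAGS": []}
    for token in line[pos + len(LOG_PREFIX):].split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
        else:
            record["FLAGS"].append(token)
    return record


def summarize(log_text):
    """Count logged packets per (SRC, PROTO, DPT) over a whole log file."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:>15} {proto:<4} dport={dport:<5} packets={n}")
```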