On Fri, Jun 29, 2001 at 08:29:27PM -0400, Brian S. Armstrong wrote:
> Is there any way to get iptables to log the DROP packets to
> /var/log/messages the same way iptables does with the DENY packets?
There isn't a specific switch to turn on logging in iptables.
Instead, you can either insert a matching rule to match the same type
of packet you want to drop, but make the target LOG instead of DROP
(there are options like --log-prefix and --log-level for the LOG
target) like:
iptables -A FORWARD -p tcp --dport 23 \
-j LOG --log-prefix "TELNET "
iptables -A FORWARD -p tcp --dport 23 \
-j DROP
...or set up a chain called something like LOGDROP with the rules:
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "LOGDROP "
iptables -A LOGDROP -j DROP
then any packet that should be dropped can be sent to LOGDROP (-j
LOGDROP), which will log the packet and then drop it. So there's no need
for a bunch of duplicate matching rules.
Either way, log messages from the LOG target will go to the 'kern'
syslog facility.
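As an added example (not part of the original mail), the script below shows the defender's side of the LOGDROP chain described above: it pulls the LOG-target lines carrying a given --log-prefix out of the syslog file and tallies them by protocol, destination port and source address. The function names and the sample log lines are constructed for this illustration; the line layout follows the standard ipt_LOG format.

```shell
# Added helper, not from the original mail: summarise iptables LOG-target
# lines in a syslog file by --log-prefix, protocol, destination port and
# source address. Log line layout is the standard ipt_LOG format
# ("kernel: <prefix>IN=... SRC=... DST=... PROTO=... SPT=... DPT=...").
summarize_logdrop() {
  logfile=$1   # e.g. /var/log/messages
  prefix=$2    # exact --log-prefix string, trailing space included
  grep -F "kernel: ${prefix}" "$logfile" |
  awk '{
    proto = ""; src = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    # ICMP and other protocols without ports are skipped here
    if (proto != "" && dpt != "") count[proto " " dpt " " src]++
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample log (not real traffic) written to a temp file;
# prints the file name.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Jun 29 20:31:02 gw kernel: LOGDROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 ID=4321 DF PROTO=TCP SPT=40122 DPT=23 WINDOW=5840 SYN URGP=0
Jun 29 20:31:05 gw kernel: LOGDROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 ID=4322 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 SYN URGP=0
Jun 29 20:31:09 gw kernel: LOGDROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=60 ID=77 PROTO=UDP SPT=5353 DPT=161 LEN=20
Jun 29 20:31:10 gw kernel: LOGDROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TTL=60 ID=78 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun 29 20:31:11 gw kernel: TELNET IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=60 ID=79 DF PROTO=TCP SPT=40900 DPT=23 WINDOW=5840 SYN URGP=0
Jun 29 20:31:12 gw sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 51022 ssh2
EOF
  echo "$f"
}

# Stand-alone run: summarise the sample for the LOGDROP chain's prefix.
sample=$(make_sample_log)
summarize_logdrop "$sample" "LOGDROP "
rm -f "$sample"
```

The prefix argument has to match the rule's --log-prefix string exactly, including its trailing space, which is also what keeps the "LOGDROP " and "TELNET " lines from being mixed together in the tally.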