
Topic: iptables log location?

Offline Adam

  • Full Member
  • ***
  • Posts: 121
iptables log location?
« on: June 12, 2017, 09:39:10 PM »
I was wondering where the iptables log is located, since there is no "/var/log/messages" log in TCL.
I've generated some traffic and it seems like iptables has blocked it. I would like to see what kind of traffic has been blocked.
Thanks

Quote
tc@box:/var/log$ sudo /usr/local/sbin/basic-firewall
Your basic firewall is now [operational]
Press enter to continue

tc@box:/var/log$

tc@box:/var/log$ sudo iptables --line-numbers -vL
Chain INPUT (policy DROP 150 packets, 41007 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere           
2      164 16608 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
3        0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:auth reject-with tcp-reset

Chain FORWARD (policy DROP 202 packets, 10536 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 129 packets, 27318 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
tc@box:/var/log$

tc@box:/var/log$ ls -lah
total 4
drwxrwxr-x    2 root     staff         80 Jun 13 12:11 ./
drwxrwxr-x    8 root     staff        180 Jul  4  2016 ../
-rw-r--r--    1 root     root           0 Jun 13 12:11 autologin
-rw-rw-r--    1 root     staff       1.9K Jun 13 12:52 wtmp
tc@box:/var/log$

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9634
Re: iptables log location?
« Reply #1 on: June 13, 2017, 12:12:10 AM »
You need to use the "syslog" boot code to get /var/log/messages

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 9627
Re: iptables log location?
« Reply #2 on: June 13, 2017, 12:27:11 AM »
..and you also need to have a LOG rule set for iptables to log anything.
The only barriers that can stop you are the ones you create yourself.

Offline Adam

  • Full Member
  • ***
  • Posts: 121
Re: iptables log location?
« Reply #3 on: June 13, 2017, 02:36:14 AM »
Quote
You need to use the "syslog" boot code to get /var/log/messages

Thanks Juanito,
Do you have the config sample of the boot code with syslog?

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 9634
Re: iptables log location?
« Reply #4 on: June 13, 2017, 05:15:46 AM »
Code:
menuentry "core" {
linux /boot/vmlinuz quiet text tce=UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" waitusb=10:UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" noutc syslog
initrd /boot/rootfs.gz /boot/modules.gz
}

Offline Adam

  • Full Member
  • ***
  • Posts: 121
Re: iptables log location?
« Reply #5 on: June 13, 2017, 06:47:26 AM »
Code:
menuentry "core" {
linux /boot/vmlinuz quiet text tce=UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" waitusb=10:UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" noutc syslog
initrd /boot/rootfs.gz /boot/modules.gz
}

Thanks Juanito,
Apparently my boot codes were wrong before. There was no example on http://distro.ibiblio.org/tinycorelinux/faq.html#bootcodes or http://wiki.tinycorelinux.net/wiki:boot_codes_explained, hence I simply copied and pasted it at the bottom of /mnt/sda1/boot/grub/menu.lst

BEFORE (WRONG)
Quote
tc@box:/var/log$ cat /mnt/sda1/boot/grub/menu.lst
default 0
timeout 0
kernel /boot/vmlinuz quiet text
initrd /boot/core.gz
tinycore {cron|syslog}
tc@box:/var/log$

AFTER (CORRECT)
Quote
tc@box:/var/log$ cat /mnt/sda1/boot/grub/menu.lst
default 0
timeout 0
kernel /boot/vmlinuz quiet text syslog
initrd /boot/core.gz
tc@box:/var/log$

Now I can see /var/log/messages ... however, I don't see any source or destination IP Address that has been blocked.
Code:
tc@box:/var/log$ ls -lah messages
-rw-r--r--    1 root     root       54.8K Jun 13 22:36 messages
tc@box:/var/log$

Offline Adam

  • Full Member
  • ***
  • Posts: 121
Re: iptables log location?
« Reply #7 on: June 13, 2017, 07:07:17 AM »
Quote
..and you also need to have a LOG rule set for iptables to log anything.
cool  8)

I'm seeing the log now. These are the steps.

Code:
sudo iptables -N LOGGING
sudo iptables -A FORWARD -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
sudo iptables -A LOGGING -j DROP
Reference:
http://www.thegeekstuff.com/2012/08/iptables-log-packets/

LOG  :)
Quote
user@box:~$ tail -F /var/log/messages | egrep '1.1.1.2|172.16.2.6'
Jun 13 22:57:43 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=37467 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=0
Jun 13 22:57:58 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39124 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=15

Quote
tc@box:~$ sudo iptables --line-numbers -vL
Chain INPUT (policy ACCEPT 111 packets, 9899 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      486 41368 LOGGING    all  --  any    any     anywhere             anywhere           

Chain OUTPUT (policy ACCEPT 93 packets, 17968 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain LOGGING (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       22  1920 LOG        all  --  any    any     anywhere             anywhere             limit: avg 2/min burst 5 LOG level warning prefix "IPTables-Dropped: "
2      486 41368 DROP       all  --  any    any     anywhere             anywhere     
tc@box:~$
« Last Edit: June 13, 2017, 07:09:46 AM by Adam »
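To answer the original question of what kind of traffic is being blocked, here is a small parser for the lines the LOG rule above writes to /var/log/messages; it is an added example written for this thread, not code from the forum or from Tiny Core. The sample log is constructed (its first two lines mirror the thread's output), and the prefix string is assumed to match the --log-prefix used in the rule.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages: the first two lines mirror the
# thread's output, the TCP line and the unrelated line are made up for the test.
SAMPLE_LOG = """\
Jun 13 22:57:43 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=37467 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=0
Jun 13 22:57:58 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39124 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=15
Jun 13 22:58:03 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 13 22:58:10 box user.info kernel: some unrelated kernel message
"""

LOG_PREFIX = "IPTables-Dropped: "      # assumed to match --log-prefix in the LOG rule
KV_RE = re.compile(r"([A-Z]+)=(\S*)")  # KEY=VALUE tokens; bare flags (DF, SYN) have no '='

def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields of one LOG line, or None if the line does not
    carry our prefix.  ICMP lines contain ID= twice (IP header id, then ICMP
    echo id); the second one is kept as ICMP_ID so neither value is lost."""
    _, sep, rest = line.partition(prefix)
    if not sep:
        return None
    fields = {}
    for key, value in KV_RE.findall(rest):
        if key in fields:
            key = "ICMP_" + key
        fields[key] = value
    return fields

def summarize_drops(log_text, prefix=LOG_PREFIX):
    """Count logged drops per (IN, OUT, SRC, DST, PROTO, service) flow, where
    service is the destination port for TCP/UDP and type/code for ICMP."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        proto = f.get("PROTO", "?")
        if proto == "ICMP":
            service = "type%s/code%s" % (f.get("TYPE", "?"), f.get("CODE", "?"))
        else:
            service = f.get("DPT", "-")
        flows[(f.get("IN"), f.get("OUT"), f.get("SRC"), f.get("DST"), proto, service)] += 1
    return flows

if __name__ == "__main__":
    for (iface_in, iface_out, src, dst, proto, service), n in summarize_drops(SAMPLE_LOG).most_common():
        print("%4d  %s->%s  %s -> %s  %s %s" % (n, iface_in, iface_out, src, dst, proto, service))
```

Because the rule uses -m limit, only a sample of the dropped packets reaches the log (the listing above shows 22 logged against 486 dropped), so counts from the log are a lower bound and the iptables counters give the true totals.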