
Author Topic: [SOLVED] How can iptables log what it blocks in a TC gateway

Offline Ulysses_

  • Full Member
  • ***
  • Posts: 232
[SOLVED] How can iptables log what it blocks in a TC gateway
« on: October 18, 2011, 04:19:17 PM »
Starting with TC's CD and installing the iptables extension. What should be added to /opt/bootlocal.sh in order for iptables to log everything that it blocks? 

TC is set up fine as a whitelisting gateway with these in /opt/bootlocal:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp -j DROP
iptables -I FORWARD -p tcp -d 1.1.1.1 -j ACCEPT
iptables -I FORWARD -p tcp -s 1.1.1.1 -j ACCEPT
syslogd

1.1.1.1 is the only IP allowed to connect to/from through this gateway. Everything else is blocked and must be logged. How do you get iptables to log what it blocks above?
« Last Edit: October 21, 2011, 05:13:04 PM by Ulysses_ »

Ulysses_
Re: How can iptables log what it blocks in a TC gateway
« Reply #1 on: October 18, 2011, 06:05:00 PM »
If this is of any use, syslogd is known to be running alright - dnsmasq.tcz can run while logging to /var/log/messages.

What else is needed?  Tried the following line after the DROP line but nothing appeared at /var/log/messages:

iptables -I FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11044
Re: How can iptables log what it blocks in a TC gateway
« Reply #2 on: October 19, 2011, 03:27:20 AM »
It should be ok. Perhaps the limit interferes, or some other rule. When you list the rules (iptables -L -v -n), does the log target counter get hits?
The only barriers that can stop you are the ones you create yourself.

Ulysses_
Re: How can iptables log what it blocks in a TC gateway
« Reply #3 on: October 19, 2011, 04:15:14 PM »
Every time I type "iptables -L -v -n" the output changes by only the INPUT line, that line shows more packets and bytes.  No change in the LOG line.  Is this what you mean?

curaga
Re: How can iptables log what it blocks in a TC gateway
« Reply #4 on: October 19, 2011, 04:18:10 PM »
Yes. That means there's nothing to be logged; either no such hits, or they are dropped before logging.

Ulysses_
Re: How can iptables log what it blocks in a TC gateway
« Reply #5 on: October 19, 2011, 04:27:20 PM »
Here's the complete output of iptables -L -v -n.  Is it saying that something should appear in /var/log/messages?


Ulysses_
Re: How can iptables log what it blocks in a TC gateway
« Reply #6 on: October 19, 2011, 04:40:30 PM »
When the LOG line starts with 2 20, doesn't that mean that 2 packets or 120 bytes were logged? Logged before iptables -L -v -n was run, some time when the gateway was being used by another pc?
« Last Edit: October 19, 2011, 04:42:50 PM by Ulysses_ »

curaga
Re: How can iptables log what it blocks in a TC gateway
« Reply #7 on: October 20, 2011, 06:00:33 AM »
There should've been two lines logged. The byte count is irrelevant to logging.

The counts don't get zeroed by listing them, there's another iptables flag for that.

edit: I tried your log rule, it worked fine for me, got the right output in /var/log/messages.
« Last Edit: October 20, 2011, 06:06:23 AM by curaga »

Ulysses_
Re: How can iptables log what it blocks in a TC gateway
« Reply #8 on: October 20, 2011, 01:40:18 PM »
Did you get it working in FORWARD ie in a gateway?

Was it the TC 3.8.4 it worked on?

Did you put any options in the syslogd command when you launched it?

curaga
Re: How can iptables log what it blocks in a TC gateway
« Reply #9 on: October 20, 2011, 02:01:34 PM »
TC 4.0.2, clean rules table, and in the output chain for easy testing. I used the syslog bootcode.

edit: Ah, I see now. You're not running klogd, and iptables logs go there.

Ulysses_
[SOLVED] Re: How can iptables log what it blocks in a TC gateway
« Reply #10 on: October 21, 2011, 05:12:43 PM »
Sorted. It was klogd that had to be running.

So the syslog bootcode activates klogd too, together with syslogd and who knows what else.

Using the logs a script has now been completed that turns a gateway into a whitelisting firewall where the rules are either domain-name-based or IP-based.

curaga
Re: [SOLVED] How can iptables log what it blocks in a TC gateway
« Reply #11 on: October 22, 2011, 05:54:32 AM »
tc-config:

    if [ -n "$SYSLOG" ]; then
        /sbin/syslogd && echo "${GREEN}syslog started.${NORMAL}"
        /sbin/klogd && echo "${GREEN}klog started."
    fi
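As an added example (not code from the thread, and not Tiny Core's own tc-config), here is a complete bootlocal-style script that puts the pieces of this thread together: the whitelist rules appended in the order packets actually hit them, with the LOG rule in front of the DROP; both syslogd and klogd started, which is the fix from Reply #10; curaga's counter check from Reply #2 as a function; and a summary of what was blocked, parsed from the LOG lines, as a starting point for the whitelisting script mentioned in Reply #10. It goes beyond the original rules by whitelisting and logging all protocols rather than TCP only. The interface eth0 and the peer 1.1.1.1 come from the original post; the WAN and ALLOW variable names, the busybox pidof check, the apply/check subcommands and the denied_summary output format are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tiny Core itself.
# Assumptions (not in the original post): the WAN side is eth0, the single
# whitelisted peer is 1.1.1.1 as in Ulysses_' rules, and busybox pidof/awk/sort
# are available, as they are on a Tiny Core CD.
WAN=${WAN:-eth0}
ALLOW=${ALLOW:-1.1.1.1}
IPT=${IPT:-iptables}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Rules are appended (-A), so the order written here is the order in the chain.
# With -I each later line is inserted in front of the earlier ones, which is
# why a LOG rule written "after the DROP line" in the thread still ended up
# in front of it. Unlike the original (-p tcp only), this covers all protocols.
apply_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $IPT -A FORWARD -s "$ALLOW" -j ACCEPT
    $IPT -A FORWARD -d "$ALLOW" -j ACCEPT
    # LOG is a non-terminating target; it must sit before DROP, since nothing
    # after a DROP rule is ever evaluated for that packet.
    $IPT -A FORWARD -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "iptables denied: " --log-level 7
    $IPT -A FORWARD -j DROP
}

# iptables LOG writes to the kernel ring buffer. syslogd alone never sees it;
# klogd is the process that reads the ring buffer and hands it to syslogd,
# which is what the thread found and what the "syslog" bootcode starts.
start_logging() {
    pidof syslogd >/dev/null 2>&1 || syslogd
    pidof klogd   >/dev/null 2>&1 || klogd
}

# curaga's check: does the LOG rule's packet counter move? Reads an
# "iptables -L FORWARD -v -n -x" listing on stdin (-x prints exact counters,
# without K/M abbreviation) and prints the summed packet count of LOG rules.
log_hits() {
    awk '$3 == "LOG" { hits += $1 } END { print hits + 0 }'
}

# Summarise what was blocked, from LOG lines on stdin (e.g. /var/log/messages):
# "<count> SRC DST PROTO DPT", busiest flow first. This is the raw material
# for a whitelisting script like the one Ulysses_ mentions.
denied_summary() {
    awk '
        /iptables denied: / {
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[src " " dst " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

check() {
    if pidof klogd >/dev/null 2>&1; then
        echo "klogd running"
    else
        echo "klogd NOT running: LOG output stays in the kernel buffer (see dmesg)"
    fi
    echo "LOG rule hits in FORWARD: $($IPT -L FORWARD -v -n -x | log_hits)"
    denied_summary < /var/log/messages
}

case "${1:-}" in
    apply) enable_forwarding; apply_rules; start_logging ;;
    check) check ;;
    *)     echo "usage: $0 apply|check" >&2 ;;
esac
```

Run it with `apply` at boot (from /opt/bootlocal.sh) and with `check` afterwards. If `check` reports klogd not running, the LOG rule's counter can still climb while /var/log/messages stays empty, which is exactly the symptom in Reply #3 and Reply #6; in that state the lines are only visible with dmesg.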