iptables LOG and DROP in one rule

Question

I am trying to log outgoing connections with iptables  What I want is  drop and accept connection while logging them also  I have found that -j option takes DROP REJECT ACCEPT LOG  But I  want to do something like DROP and LOG or ACCEPT and LOG  Is there a way to achieve this

User · Answer

Although already over a year old  I stumbled across this question a couple of times on other Google search and I believe I can improve on the previous answer for the benefit of others   Short answer is you cannot combine both action in one line  but you can create a chain that does what you want and then call it in a one liner   Let s create a chain to log and accept   iptables -N LOG ACCEPT   And let s populate its rules   iptables -A LOG ACCEPT -j LOG --log-prefix  INPUT ACCEPT   --log-level 6 iptables -A LOG ACCEPT -j ACCEPT   Now let s create a chain to log and drop   iptables -N LOG DROP   And let s populate its rules   iptables -A LOG DROP -j LOG --log-prefix  INPUT DROP    --log-level 6 iptables -A LOG DROP -j DROP   Now you can do all actions in one go by jumping  -j  to you custom chains instead of the default LOG   ACCEPT   REJECT   DROP   iptables -A  lt your chain here gt   lt your conditions here gt  -j LOG ACCEPT iptables -A  lt your chain here gt   lt your conditions here gt  -j LOG DROP

User · Answer

At work  I needed to log and block SSLv3 connections on ports 993  IMAPS  and 995  POP3S  using iptables  So  I combined Gert van Dijk s How to take down SSLv3 in your network using iptables firewall   POODLE  with Prevok s answer and came up with this   iptables -N SSLv3 iptables -A SSLv3 -j LOG --log-prefix  SSLv3 Client Hello detected    iptables -A SSLv3 -j DROP iptables -A INPUT     -p tcp    -f -m multiport --dports 993 995     -m state --state ESTABLISHED -m u32 --u32      0 gt  gt 22 amp 0x3C  12 gt  gt 26 amp 0x3C  0  amp  0xFFFFFF00 0x16030000  amp  amp       0 gt  gt 22 amp 0x3C  12 gt  gt 26 amp 0x3C  2  amp  0xFF 0x01  amp  amp       0 gt  gt 22 amp 0x3C  12 gt  gt 26 amp 0x3C  7  amp  0xFFFF 0x0300      -j SSLv3   Explanation   To LOG and DROP  create a custom chain  e g  SSLv3    iptables -N SSLv3 iptables -A SSLv3 -j LOG --log-prefix  SSLv3 Client Hello detected    iptables -A SSLv3 -j DROP  Then  redirect what you want to LOG and DROP to that chain  see -j SSLv3    iptables -A INPUT     -p tcp    -f -m multiport --dports 993 995     -m state --state ESTABLISHED -m u32 --u32      0 gt  gt 22 amp 0x3C  12 gt  gt 26 amp 0x3C  0  amp  0xFFFFFF00 0x16030000  amp  amp       0 gt  gt 22 amp 0x3C  12 gt  gt 26 amp 0x3C  2  amp  0xFF 0x01  amp  amp       0 gt  gt 22 amp 0x3C  12 gt  gt 26 amp 0x3C  7  amp  0xFFFF 0x0300      -j SSLv3    Note  mind the order of the rules  Those rules did not work for me until I put them above this one I had on my firewall script   iptables -A INPUT -m state --state ESTABLISHED RELATED -j ACCEPT

User · Answer

nflog is better  sudo apt-get -y install ulogd2   ICMP Block rule example   iptables  sbin iptables   Drop ICMP  PING   iptables -t mangle -A PREROUTING -p icmp -j NFLOG --nflog-prefix  ICMP Block   iptables -t mangle -A PREROUTING -p icmp -j DROP   And you can search prefix  ICMP Block  in log    var log ulog syslogemu log

User · Answer

for china GFW   sudo iptables -I INPUT -s 173 194 0 0 16 -p tcp --tcp-flags RST RST -j DROP sudo iptables -I INPUT -s 173 194 0 0 16 -p tcp --tcp-flags RST RST -j LOG --log-prefix  drop rst   sudo iptables -I INPUT -s 64 233 0 0 16 -p tcp --tcp-flags RST RST -j DROP sudo iptables -I INPUT -s 64 233 0 0 16 -p tcp --tcp-flags RST RST -j LOG --log-prefix  drop rst   sudo iptables -I INPUT -s 74 125 0 0 16 -p tcp --tcp-flags RST RST -j DROP sudo iptables -I INPUT -s 74 125 0 0 16 -p tcp --tcp-flags RST RST -j LOG --log-prefix  drop rst

User · Answer

Example   iptables -A INPUT -j LOG --log-prefix  INPUT DROP   --log-level 6 iptables -A INPUT -j DROP   Log Exampe   Feb 19 14 18 06 servername kernel  INPUT DROP IN eth1 OUT  MAC aa bb cc dd ee ff 11 22 33 44 55 66 77 88 SRC x x x x DST x x x x LEN 48 TOS 0x00 PREC 0x00 TTL 117 ID x PROTO TCP SPT x DPT x WINDOW x RES 0x00 SYN URGP 0   Other options      LOG        Turn on kernel logging of matching packets   When this option         is set for a rule  the Linux kernel will print some         information  on  all  matching  packets         like most IP header fields  via the kernel log  where it can         be read with dmesg or syslogd 8     This is a  non-terminating         target   i e  rule traversal        continues at the next rule   So if you want to LOG the packets         you refuse  use two separate rules with the same matching         criteria  first using target LOG        then DROP  or REJECT           --log-level level               Level of logging  numeric or see syslog conf 5            --log-prefix prefix               Prefix log messages with the specified prefix  up to 29                letters long  and useful for distinguishing messages in                the logs          --log-tcp-sequence               Log TCP sequence numbers  This is a security risk if the                log is readable by users          --log-tcp-options               Log options from the TCP packet header          --log-ip-options               Log options from the IP packet header          --log-uid               Log the userid of the process which generated the packet

[linux] iptables LOG and DROP in one rule

Examples related to linux

Examples related to security

Examples related to iptables