Enabling a dedicated iptables log on Linux

Source: Internet  Published: 伊甸园eden知乎  Editor: 程序博客网  Time: 2024/06/03 16:43

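The system logging service is called syslog on CentOS 5 and rsyslog (an enhanced syslog) on CentOS 6. Its configuration file is /etc/syslog.conf on CentOS 5 and /etc/rsyslog.conf on CentOS 6.

1. Add the configuration to rsyslog.conf

In /etc/rsyslog.conf, add a line for the log level you want (the default level is warn (=4)):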

kern.warning     /var/log/iptables.log

kern.debug      /var/log/iptables.log

kern.info       /var/log/iptables.log

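However, recording every level is recommended:  kern.*     /var/log/iptables.log
The kern facility carries every kernel message, so this file will also contain kernel messages that do not come from iptables.

Restart the logging service: /etc/init.d/rsyslog restart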


2. Rotate the log (this step is optional)
vim /etc/logrotate.d/syslog
Add /var/log/iptables.log to the list of files.

3. Add the LOG target to iptables
iptables -A INPUT  -j LOG --log-prefix "iptables"
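This logs everything: every packet that passes through the firewall's INPUT chain and reaches this rule is written to the log.
iptables -A INPUT  -p tcp -j LOG --log-prefix "iptables tcp warn"
This logs only TCP packets.
Then save the rules and restart the firewall:
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables restart
A simple example is attached: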

[root@server11 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sun Dec 11 10:41:47 2016
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:2640]
:LOGGING - [0:0]
#-A INPUT -j LOGGING
-A INPUT  -j LOG --log-prefix "iptables"
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT   -m iprange --src-range 10.64.24.11-10.64.24.16 --dst-range 10.64.24.11-10.64.24.16 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 82 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT 
COMMIT
# Completed on Sun Dec 11 10:41:47 2016

How to Log Linux IPTables Firewall Dropped Packets to a Log File


To log both the incoming and outgoing dropped packets, add the following lines at the bottom of your existing iptables firewall rules.

How to read the IPTables Log

The following is a sample of the lines that were logged in /var/log/messages when incoming and outgoing packets were dropped.

In the above output:

  • IPTables-Dropped: This is the prefix that we used in our logging by specifying the --log-prefix option.

  • IN=em1 This indicates the interface that was used for incoming packets. This will be empty for outgoing packets.

  • OUT=em1 This indicates the interface that was used for outgoing packets. This will be empty for incoming packets.

  • SRC= The source IP address from which the packet originated.

  • DST= The destination IP address to which the packet was sent.

  • LEN= Length of the packet.

  • PROTO= Indicates the protocol (as you see above, the 1st line is for outgoing ICMP protocol, the 2nd line is for incoming TCP protocol).

  • SPT= Indicates the source port.

  • DPT= Indicates the destination port. In the 2nd line above, the destination port is 443. This indicates that the incoming HTTPS packets were dropped.
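
The field list above can be turned into a parser for triage. The following is an added example, not code from the original page: the sample log lines are constructed, and the names parse_line, summarize and SAMPLE_LOG are hypothetical. It separates the --log-prefix from the fields, tells incoming from outgoing packets by the empty IN=/OUT= value, and skips kernel messages that are not from iptables (which a kern.* rule also writes to the file).

```python
import re
from collections import Counter

# Constructed sample lines (not from the original page). The second line uses this
# page's prefix "iptables", which has no trailing space and so runs into "IN=".
SAMPLE_LOG = """\
Dec 11 10:45:01 server11 kernel: IPTables-Dropped: IN= OUT=em1 SRC=10.64.24.11 DST=192.0.2.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2049 SEQ=1
Dec 11 10:45:02 server11 kernel: iptablesIN=em1 OUT= MAC=00:16:3e:00:00:0b:00:16:3e:00:00:63:08:00 SRC=10.64.24.99 DST=10.64.24.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 11 10:45:03 server11 kernel: usb 1-1: new high-speed USB device number 2 using ehci_hcd
"""

# Everything between "kernel: " and the first "IN=... OUT=" pair is the --log-prefix.
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=\S* OUT=.*)$")


def parse_line(line):
    """Return a dict for an iptables LOG line, or None for any other kernel message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)   # first ID= is the IP header ID; keep it
        else:
            rec["flags"].append(tok)     # bare tokens such as DF or SYN
    for key in ("LEN", "SPT", "DPT"):
        if rec.get(key, "").isdigit():
            rec[key] = int(rec[key])
    # Empty IN= means locally generated (outgoing); empty OUT= means incoming.
    rec["direction"] = "out" if not rec["IN"] else ("in" if not rec["OUT"] else "forward")
    return rec


def summarize(text):
    """Count logged packets by (direction, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["direction"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```

Ending the --log-prefix string with a space or a colon keeps the prefix from running into IN= in the raw log, which makes the file easier to grep.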


