IPtables logging firewall blocks

The approach: create a separate chain, insert a rule into INPUT that diverts the packets of interest into that chain, and give the chain a LOG rule so that every packet that ends up there is recorded (and then dropped).

Enabling logging

First find where the jump has to go. It must sit immediately before the existing catch-all DROP rule, so that the only packets diverted into the logging chain are the ones that were going to be dropped anyway. List the INPUT chain with rule numbers:

$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
10 DROP all -- anywhere anywhere

In this example the catch-all DROP is rule 10. Note how -I works: "-I INPUT N" inserts the new rule at position N and pushes the rule currently at N (and everything after it) down by one. So the jump goes in at 10, and the DROP becomes rule 11. Inserting at a lower number would put the jump ahead of whatever rule currently holds that slot and shadow it; since the logging chain ends in a DROP, packets that rule would have accepted are then logged and dropped instead. Use the DROP rule's own number in the second command below.

Create the rules:

$ sudo iptables --new-chain LOGGING
$ sudo iptables -I INPUT 10 -j LOGGING
$ sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$ sudo iptables -A LOGGING -j DROP

In order: create the new chain, insert the jump into it just ahead of the DROP, add the LOG rule, then DROP explicitly. The LOG target does not terminate matching, and a packet that reaches the end of a user-defined chain without a verdict returns to INPUT and carries on from the rule after the jump, so the final DROP is what guarantees the logged packets are actually discarded. The limit match caps the logging at two messages a minute (after an initial burst) so a flood of dropped packets cannot fill the disk; packets over the limit are still dropped, just not logged. The messages go to the kernel log at level 4 (warning), so read them with dmesg, journalctl -k, or /var/log/kern.log or /var/log/messages depending on the distribution, and grep for the prefix.

Reverting/Disabling the changes

To undo it, first find which rule number the jump currently has (it may no longer be the one you inserted at, if rules have been added or removed since):

$ sudo iptables -L --line-numbers | egrep "(Chain|LOGG)"
Chain INPUT (policy ACCEPT)
10 LOGGING all -- anywhere anywhere

Remove the jump from INPUT by that number. Check the number against the listing before running this: -D with a number deletes whatever rule is at that position, and the listing is the only thing confirming it is the LOGGING one:

$ sudo iptables -D INPUT 10

Delete the two rules in the LOGGING chain, highest number first, because deleting rule 1 first would renumber the remaining rule to 1 and the second command would then fail:

$ sudo iptables -D LOGGING 2
$ sudo iptables -D LOGGING 1

Delete the now-empty chain (iptables will not delete a chain that still contains rules or is still referenced by a jump, which is why the jump and the rules go first):

$ sudo iptables --delete-chain LOGGING
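The same install and revert as a script, added here as an example that is not part of the original post. It reads the rule number of the catch-all DROP from the listing instead of copying it by hand, refuses to insert if it cannot find one, and reverts by rule specification rather than by number so the revert still works after other rules have moved. The INPUT listing it parses is constructed for the example, the chain name LOGGING and the log prefix are the ones used above, and the function names (drop_rule_num, install_cmds, revert_cmds, run_cmds) are this example's own. Everything runs in dry-run mode unless APPLY=1 is set, so it can be tried without root.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Finds the catch-all DROP in INPUT, inserts the LOGGING jump at that exact
# position, and reverts by rule specification. Dry-run unless APPLY=1.
set -u

# Constructed sample of `iptables -L INPUT -n --line-numbers` output, used in
# dry-run mode so the script can be exercised without root. -n keeps the
# addresses numeric and avoids the reverse-DNS lookups that plain -L does.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Read a listing on stdin and print the number of the first catch-all DROP
# (any protocol, any source, any destination). Exits non-zero if there is
# none, so the caller never inserts the jump at a guessed position.
# Accepts both the numeric (-n) and the resolved ("anywhere") forms, and
# "0" as well as "all" in the prot column, which some iptables builds print.
drop_rule_num() {
    awk 'BEGIN { found = 0 }
         $2 == "DROP" && ($3 == "all" || $3 == "0") &&
         ($5 == "0.0.0.0/0" || $5 == "anywhere") &&
         ($6 == "0.0.0.0/0" || $6 == "anywhere") { print $1; found = 1; exit }
         END { exit !found }'
}

# Commands that install the chain just ahead of rule $1. "-I INPUT N" inserts
# AT position N, pushing the old rule N (the DROP) to N+1, so the jump only
# sees packets the DROP would have seen and shadows nothing above it.
install_cmds() {
    cat <<EOF
iptables -N LOGGING
iptables -I INPUT $1 -j LOGGING
iptables -A LOGGING -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
EOF
}

# Revert by rule specification instead of number, so it works even if other
# rules were added meanwhile; -F empties the chain, -X removes it (iptables
# refuses to remove a chain that is non-empty or still referenced).
revert_cmds() {
    cat <<EOF
iptables -D INPUT -j LOGGING
iptables -F LOGGING
iptables -X LOGGING
EOF
}

# Execute the commands on stdin with sudo when APPLY=1, otherwise just show them.
run_cmds() {
    if [ "${APPLY:-0}" = "1" ]; then
        while IFS= read -r cmd; do sudo sh -c "$cmd"; done
    else
        sed 's/^/[dry-run] /'
    fi
}

main() {
    case "${1:-install}" in
        install)
            if [ "${APPLY:-0}" = "1" ]; then
                pos=$(sudo iptables -L INPUT -n --line-numbers | drop_rule_num) || pos=
            else
                pos=$(printf '%s\n' "$SAMPLE_LISTING" | drop_rule_num) || pos=
            fi
            [ -n "$pos" ] || { echo "no catch-all DROP rule in INPUT; not inserting" >&2; return 1; }
            install_cmds "$pos" | run_cmds ;;
        revert)
            revert_cmds | run_cmds ;;
        *)
            echo "usage: $0 [install|revert]" >&2; return 2 ;;
    esac
}

main "$@"
```

Run it as "sh logging.sh" to see what it would do against the sample listing, and as "APPLY=1 sh logging.sh install" (or "revert") to run the commands for real; in that mode it reads the live INPUT chain instead of the sample. Deleting by specification ("-D INPUT -j LOGGING") removes the first rule matching that exact spec, which is why the revert does not need the rule number at all.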

Relevant links (where I got the main part of the info from):

#Firewalls #HOWTO #iptables #Linux