How to enable logging in iptables


IPtables is a very powerful firewall used in Linux. It is easy to configure and does a great job in keeping the system or a network safe.

As system administrators we configure several services and it will be difficult to configure and troubleshoot services if logs are not enabled.

Enabling logging is pretty easy in iptables. In the lab setup below we use a CentOS 7 host. Ensure SELinux is disabled and the firewalld service is not installed, since it would conflict with the iptables service.

To install iptables, install the below two packages using yum:

]# yum install iptables

]# yum install iptables-services

Now start the iptables service.

]# systemctl start iptables

The below command lists the running configuration of iptables:

]# iptables -L

The result may look like:

==== ==== ====== ==== ==

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

==== ==== ====== ==== ==

The actual configuration file /etc/sysconfig/iptables will look like this:

========= ========== ==== ==

# Generated by iptables-save v1.4.21 on Tue Jun 6 19:20:22 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

COMMIT
# Completed on Tue Jun 6 19:20:22 2017

========= ========== ==== ==

The below commands will allow only ssh access to this host; everything else will be blocked. Note that the final DROP rules also block loopback traffic and the host's own outbound connections (DNS, yum updates), so run them from an existing ssh session and extend the rule set if the host needs more than ssh.

]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
]# iptables -A INPUT -j DROP
]# iptables -A OUTPUT -j DROP

Run the command "service iptables save" to write the running rules to /etc/sysconfig/iptables.

Run the following command to see the changes:

]# iptables -L

Now check the configuration file /etc/sysconfig/iptables.

===== ====== ======= ==== ==

# Generated by iptables-save v1.4.21 on Tue Jun 6 20:21:55 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Tue Jun 6 20:21:55 2017

===== ====== ======= ==== ==

Let us now configure logging. In the above example all requests from external hosts to anything other than tcp port 22 are blocked. We will now log every packet arriving at port 80 (http). These packets are still dropped, together with everything other than ssh (port 22), because the LOG target only records the packet and does not terminate rule processing; the DROP rule that follows still applies.

Edit the configuration file (or run the equivalent iptables command) so that the LOG rule sits before the DROP rule, as shown:

======= ======== ======

# Generated by iptables-save v1.4.21 on Tue Jun 6 21:16:47 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "SHIJU-IPT: "
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Tue Jun 6 21:16:47 2017

======= ======== ======

Now restart the iptables service so that the configuration file is reread.

By default the log entries go to /var/log/messages. To keep them in a separate file, add the below line to /etc/rsyslog.conf and restart the rsyslog service. The LOG target writes at level warning unless --log-level is given, which is why kern.warning matches; note that this selector also captures any other kernel messages of that level or higher:

kern.warning                                                 /var/log/iptables.log

Create the log file, then restart the rsyslog service (unit name rsyslog on CentOS 7) so it picks up the new rule:

]# touch /var/log/iptables.log

]# systemctl restart rsyslog

Now try accessing port 80 (the only port the LOG rule matches) from another client host, and check for entries in /var/log/iptables.log.
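To make the log file useful beyond eyeballing it, here is an added example (not part of the original post) that parses the LOG lines rsyslog writes for the rule above and counts dropped connection attempts per source and destination port. It assumes the prefix "SHIJU-IPT: " from the configuration above and the default rsyslog line layout (timestamp, host, "kernel:", message); the sample log lines are constructed.

```python
import re
from collections import Counter

LOG_PREFIX = "SHIJU-IPT: "  # must match --log-prefix in the LOG rule above

# Constructed sample lines in the layout rsyslog writes for LOG messages:
# "<timestamp> <host> kernel: <prefix><KEY=VALUE ... bare flags ...>".
# The last line is an unrelated message that must be ignored.
SAMPLE_LOG = """\
Jun  6 21:20:01 centos7 kernel: SHIJU-IPT: IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  6 21:20:03 centos7 kernel: SHIJU-IPT: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  6 21:20:07 centos7 kernel: SHIJU-IPT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  6 21:20:09 centos7 systemd: Started Session 4 of user root.
"""

# Timestamp, host, the literal "kernel:", then the packet description.
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return a dict of fields for one LOG line, or None for any other line."""
    m = _LINE_RE.match(line)
    if not m or not m.group("msg").startswith(prefix):
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": []}
    for tok in m.group("msg")[len(prefix):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val            # e.g. SRC=192.0.2.10, DPT=80, OUT= (empty)
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return rec


def parse_log(text, prefix=LOG_PREFIX):
    """Parse every matching line from the contents of /var/log/iptables.log."""
    recs = (parse_log_line(line, prefix) for line in text.splitlines())
    return [r for r in recs if r is not None]


def count_by_source_and_port(records):
    """Count logged packets per (SRC, PROTO, DPT): who is knocking on which port."""
    return Counter((r.get("SRC"), r.get("PROTO"), r.get("DPT")) for r in records)


if __name__ == "__main__":
    counts = count_by_source_and_port(parse_log(SAMPLE_LOG))
    for (src, proto, dpt), n in counts.most_common():
        print(f"{n:5d}  {src} -> {proto}/{dpt}")
```

Point `parse_log` at the real file (`open("/var/log/iptables.log").read()`) to get the same report for the host; lines from other kernel warnings that share the file are skipped because they lack the prefix.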