To do this you'd actually be running iptables commands such as these to log new inbound TCP connections (anything already tracked as ESTABLISHED or RELATED is accepted before it reaches the log chain, so you get one line per connection rather than one per packet; note that MYLOGS also ACCEPTs whatever it logs, so this is logging, not filtering):
iptables -N MYLOGS
iptables -A MYLOGS -j LOG --log-prefix ' INBOUND TCP ' --log-level 4
iptables -A MYLOGS -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j MYLOGS
Or perhaps something like this to log new outbound TCP connections (if you want both, give the second block its own chain name such as MYLOGS_OUT: running iptables -N MYLOGS a second time fails with "Chain already exists", and the second LOG rule would just be appended to the existing chain, so both prefixes would fire for every connection):
iptables -N MYLOGS
iptables -A MYLOGS -j LOG --log-prefix ' OUTBOUND TCP ' --log-level 4
iptables -A MYLOGS -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j MYLOGS
Once you run those commands you're done. The LOG target writes each matching packet to the kernel log, and your syslog daemon (rsyslog, syslog-ng, etc.) picks those kernel messages up and forwards them to the syslog server you configured, so no extra agent is needed.
You can validate that syslog is actually sending the logs by running tcpdump and capturing traffic going outbound to the syslog server's IP (UDP port 514 by default). Seeing datagrams to port 514 proves the daemon is forwarding something; the iptables entries themselves are kernel-facility messages (with --log-level 4 tcpdump shows them as kernel.warning), so open a new connection and look for those specifically:
tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89
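Putting the pieces above together, as an added example that is not from the original post: this script creates separate inbound and outbound log chains so both can coexist, adds the rules idempotently (so it can be re-run without the "Chain already exists" error), rate-limits the LOG rule so a port scan or SYN flood cannot fill the syslog server's disk, and wraps the tcpdump check in a timeout. The chain names MYLOGS_IN and MYLOGS_OUT, the 10/second rate limit, the SYSLOG_HOST variable and the DRY_RUN switch are this example's own choices, not the post's.

```shell
#!/bin/bash
# Added example: idempotent iptables TCP connection logging plus a forwarding
# check. Chain names, rate-limit values and the SYSLOG_HOST/DRY_RUN variables
# are assumptions of this example, not part of the original post.
set -u

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the iptables commands instead of running them

# ipt: run one iptables command, or print it when dry-running
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# ensure_chain NAME: create the user chain only if it does not exist yet
# (a second "iptables -N NAME" fails with "Chain already exists")
ensure_chain() {
    if [ "$DRY_RUN" = 1 ] || ! "$IPT" -L "$1" -n >/dev/null 2>&1; then
        ipt -N "$1"
    fi
}

# ensure_rule CHAIN RULE...: append the rule only if "iptables -C" says it is missing
ensure_rule() {
    local chain=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! "$IPT" -C "$chain" "$@" 2>/dev/null; then
        ipt -A "$chain" "$@"
    fi
}

# setup_tcp_logging BUILTIN LOGCHAIN PREFIX
#   BUILTIN is INPUT or OUTPUT, LOGCHAIN the user chain that logs then accepts,
#   PREFIX the text each kernel log line will start with.
setup_tcp_logging() {
    local builtin=$1 logchain=$2 prefix=$3
    ensure_chain "$logchain"
    # At most 10 log lines/second with bursts of 20 (assumed values): a scan is
    # still noticed, but cannot drown the syslog server or the local disk.
    ensure_rule "$logchain" -m limit --limit 10/second --limit-burst 20 \
        -j LOG --log-prefix "$prefix" --log-level 4
    ensure_rule "$logchain" -j ACCEPT
    # Already-tracked connections are accepted before the log chain, so only
    # the first packet of each new connection reaches the LOG rule.
    ensure_rule "$builtin" -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ensure_rule "$builtin" -p tcp -j "$logchain"
}

# verify_forwarding HOST [IFACE]: capture up to 5 syslog datagrams headed for
# HOST, giving up after 30 seconds; kernel LOG lines show up as kernel.warning.
verify_forwarding() {
    local host=$1 iface=${2:-eth0}
    timeout 30 tcpdump -n -i "$iface" -c 5 "host $host and udp port 514"
}

case "${1:-}" in
    setup)
        setup_tcp_logging INPUT  MYLOGS_IN  ' INBOUND TCP '
        setup_tcp_logging OUTPUT MYLOGS_OUT ' OUTBOUND TCP '
        ;;
    verify)
        verify_forwarding "${SYSLOG_HOST:?set SYSLOG_HOST to the syslog server IP}" "${IFACE:-eth0}"
        ;;
esac
```

Run it as root with `./iptables-log.sh setup` to install the rules and `SYSLOG_HOST=XX.XX.XX.XX ./iptables-log.sh verify` to watch for the forwarded datagrams; `DRY_RUN=1 ./iptables-log.sh setup` shows exactly which iptables commands would be issued. The `-m conntrack --ctstate` match is the current spelling of the post's `-m state --state`; both are accepted by iptables.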
Hope that helps make your iptables logging needs simpler.
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.