How to log all incoming packets

Julio Fong · May 16, 2014 · Viewed 9.9k times

I tried a prerouting rule to redirect incoming packets to an internal virtual IP address.

How can I log an incoming packet before it gets redirected?

iptables -t nat -A PREROUTING -d 46.X.XX.XX -s 78.XX.XX.XX -p tcp --dport 80 --sport 1024: -j DNAT --to-destination 192.168.122.10:8080

The following rules didn't work.

iptables -t nat -A PREROUTING -d 0/0 -s 0/0 -p tcp -j LOG --log-level 4
iptables -t nat -I PREROUTING -d 0/0 -s 0/0 -p tcp -j LOG --log-level 4

Answer

AK_ · May 16, 2014

You need the logging rule to be at the very beginning of your rules.

# iptables -I INPUT 1 -m limit --limit 5/m -j LOG --log-prefix="iptables: dropped packets" --log-level 4

  • -I INPUT 1 : This means append the rule to the INPUT chain in 1st place, just before anything else.

  • -m limit : This says that we wish to use the limit matching module. Using this we can limit the logging with the --limit option.

  • --limit 5/m : Here comes the limit option we just talked about. This means we want to limit the maximum average matching rate for logging to 5 per minute. You can also specify 5/second, 40/minute, 1/hour, 3/day and so on, according to your environment and needs.

  • -j LOG : This tells iptables to jump to LOG, i.e. write to the log file.

  • --log-prefix "iptables: dropped packets" : You can specify any log prefix, which will be prepended to the log messages that will be written to the /var/log/messages file.

  • --log-level 4 : syslog level 4 stands for warning. You can use a number from the range 0 through 7, 0 being the highest for emergency and 7 being the lowest for debug.

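As an added example (not part of the question or the answer above), the script below builds a rate-limited LOG rule for the mangle table's PREROUTING chain, which the kernel traverses before nat PREROUTING, so the logged DST= field still shows the public address rather than the DNAT target; it then parses a kernel LOG line of the kind such a rule produces. The rules are printed rather than executed so the script runs without root, and the addresses, interface, MAC and log prefix are constructed sample values, not the questioner's.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Builds iptables rules that log a packet in the mangle table's PREROUTING
# chain (traversed before nat PREROUTING, so DST= still shows the public
# address, not the DNAT target) and parses the kernel log line that such a
# rule produces. Addresses, interface, MAC and prefix are constructed.

# Print (do not run) the logging rule, so the script works without root.
#   $1 public address, $2 permitted source, $3 rate limit (e.g. 5/m)
log_rule() {
    printf 'iptables -t mangle -I PREROUTING 1 -d %s -s %s -p tcp --dport 80 -m limit --limit %s -j LOG --log-prefix "pre-dnat: " --log-level 4\n' "$1" "$2" "$3"
}

# Print the DNAT rule from the question, with the constructed addresses.
#   $1 public address, $2 permitted source, $3 internal host:port
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -d %s -s %s -p tcp --dport 80 -j DNAT --to-destination %s\n' "$1" "$2" "$3"
}

# Constructed sample of a kernel LOG line, in the KEY=VALUE layout the LOG
# target writes (as it would appear in /var/log/messages or dmesg).
SAMPLE='May 16 10:00:00 gw kernel: pre-dnat: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=4242 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# field LINE KEY -> value of KEY= in LINE (empty if the key is absent or
# has no value, as OUT= does for an inbound packet)
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# summarize LINE -> "PROTO SRC:SPT -> DST:DPT" for a quick triage view
summarize() {
    printf '%s %s:%s -> %s:%s\n' \
        "$(field "$1" PROTO)" "$(field "$1" SRC)" "$(field "$1" SPT)" \
        "$(field "$1" DST)" "$(field "$1" DPT)"
}

# Rules in the order they must take effect: log first, then translate.
log_rule  203.0.113.10 198.51.100.5 5/m
dnat_rule 203.0.113.10 198.51.100.5 192.168.122.10:8080
summarize "$SAMPLE"
```

Apply the two printed rules as root, then confirm the ordering with `iptables -t mangle -L PREROUTING -n -v --line-numbers`; the matching lines appear in the kernel log (dmesg or /var/log/messages) with the chosen prefix, and the limit module keeps a flood from filling the log.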