I tried a prerouting rule to redirect incoming packets to an internal virtual IP address.
How can I log an incoming packet before it gets redirected?
iptables -t nat -A PREROUTING -d 46.X.XX.XX -s 78.XX.XX.XX -p tcp --dport 80 --sport 1024: -j DNAT --to-destination 192.168.122.10:8080
The following rules didn't work.
iptables -t nat -A PREROUTING -d 0/0 -s 0/0 -p tcp -j LOG --log-level 4
iptables -t nat -I PREROUTING -d 0/0 -s 0/0 -p tcp -j LOG --log-level 4
You need the logging rule to be at the very beginning of your rules.
# iptables -I INPUT 1 -m limit --limit 5/m -j LOG --log-prefix="iptables: dropped packets" --log-level 4
-I INPUT 1
: This means append the rule to the INPUT chain at 1st place just before anything else.
-m limit
: This tells that we wish to use the limit matching module. Using this we can limit the logging using the --limit option.
--limit 5/m
: Here comes the limit option we just talked about. This means we want to limit the maximum average matching rate for logging to 5 per minute. You can also specify 5/second, 40/minute, 1/hour, 3/day like that according to your environment and needs.
-j LOG
: This tells iptables to jump to LOG, i.e. write to the log file.
--log-prefix "iptables: dropped packets"
: You can specify any log prefix, which will be appended to the log messages that will be written to the /var/log/messages file
--log-level 4
: syslog level 4 stands for warning. You can use a number from the range 0 through 7, 0 being the highest for emergency and 7 being the lowest for debug.
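As an added example (not part of either post above), here is a small Python parser for the lines the LOG target writes to the kernel log, run over constructed sample lines. It assumes the kernel's standard LOG format (the prefix followed by IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT= and bare flag tokens such as DF and SYN) and uses the constructed placeholder addresses 78.0.0.1 and 46.0.0.1 in place of the masked ones in the question; the third sample line is an unrelated sshd message included to show that non-LOG lines are skipped.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured traffic). The first two are the
# shape of what the kernel emits for a rule ending in
#   -j LOG --log-prefix "iptables: dropped packets" --log-level 4
# before DNAT has rewritten the destination, so DST is still the public
# address (placeholder 46.0.0.1), not 192.168.122.10.
SAMPLE_LOG = """\
Jun  1 12:00:01 gw kernel: iptables: dropped packetsIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=78.0.0.1 DST=46.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 12:00:02 gw kernel: iptables: dropped packetsIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=78.0.0.1 DST=46.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=4243 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Jun  1 12:00:03 gw sshd[123]: Accepted publickey for admin from 10.0.0.5 port 5555 ssh2
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
KERNEL_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return {'prefix', 'fields', 'flags'} for an iptables LOG line, else None."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    fields = {}
    flags = []
    for token in m.group("fields").split():
        if "=" in token:
            # KEY=VALUE tokens; OUT= has an empty value on the inbound path
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            # bare tokens are flags: DF, SYN, ACK, FIN, RST, ...
            flags.append(token)
    return {"prefix": m.group("prefix").strip(), "fields": fields, "flags": flags}


def parse_log_text(text):
    """Parse every LOG line in a block of log text, skipping unrelated lines."""
    records = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            records.append(rec)
    return records


def count_flows(text):
    """Count logged packets per (SRC, DST, PROTO, DPT) tuple."""
    counts = Counter()
    for rec in parse_log_text(text):
        f = rec["fields"]
        counts[(f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in parse_log_text(SAMPLE_LOG):
        f = rec["fields"]
        print(f["SRC"], "->", f["DST"], f["PROTO"], f["SPT"], "->", f["DPT"], rec["flags"])
    print(count_flows(SAMPLE_LOG))
```

Two points the parser makes visible: because the logging rule runs before the DNAT rule, DST in the log is the public address, which is what you want when correlating with the original connection; and a --log-prefix without a trailing space runs straight into IN= (as "packetsIN=eth0" above), so the regex anchors on IN= rather than on whitespace.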