iptables LOG and DROP in one rule

Abhay PS picture Abhay PS · Feb 14, 2014 · Viewed 104.8k times · Source

I am trying to log outgoing connections with iptables. What I want is, drop and accept connection while logging them also. I have found that -j option takes DROP/REJECT/ACCEPT/LOG. But I want to do something like DROP and LOG or ACCEPT and LOG. Is there a way to achieve this ?

Answer

Prevok picture Prevok · Apr 9, 2015

Although already over a year old, I stumbled across this question a couple of times on other Google search and I believe I can improve on the previous answer for the benefit of others.

Short answer is you cannot combine both action in one line, but you can create a chain that does what you want and then call it in a one liner.

Let's create a chain to log and accept:

iptables -N LOG_ACCEPT

And let's populate its rules:

iptables -A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
iptables -A LOG_ACCEPT -j ACCEPT

Now let's create a chain to log and drop:

iptables -N LOG_DROP

And let's populate its rules:

iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
iptables -A LOG_DROP -j DROP

Now you can do all actions in one go by jumping (-j) to you custom chains instead of the default LOG / ACCEPT / REJECT / DROP:

iptables -A <your_chain_here> <your_conditions_here> -j LOG_ACCEPT
iptables -A <your_chain_here> <your_conditions_here> -j LOG_DROP