Reputation: 4175
I am trying to log outgoing connections with iptables. What I want is to drop and accept connections while also logging them. I have found that the -j option takes DROP/REJECT/ACCEPT/LOG. But I want to do something like DROP and LOG or ACCEPT and LOG. Is there a way to achieve this?
Upvotes: 41
Views: 149164
Reputation: 56
I have created a new kernel module "xt_LOGD" to do this in one rule at a time.
This in particular was developed to minimize the number of rules needed to log and drop packets with different log prefixes for each rule.
https://github.com/MuriloChianfa/xtables-log-and-drop
Using this, you can log and drop the packet in same rule:
iptables -A INPUT -p tcp --dport 80 -j LOGD --log-prefix "DROP HTTP PORT"
Instead of
iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "DROP HTTP PORT"
iptables -A INPUT -p tcp --dport 80 -j DROP
This only changes the XT_CONTINUE return constant that the LOG module has by default to NF_DROP in the LOG source code; if you want another target like RESET or ACCEPT you can change this yourself: https://github.com/torvalds/linux/blob/33cc938e65a98f1d29d0a18403dbbee050dcad9a/net/netfilter/xt_LOG.c#L41
Upvotes: 2
Reputation: 1000
Although already over a year old, I stumbled across this question a couple of times on other Google search and I believe I can improve on the previous answer for the benefit of others.
Short answer is you cannot combine both actions in one line, but you can create a chain that does what you want and then call it in a one-liner.
Let's create a chain to log and accept:
iptables -N LOG_ACCEPT
And let's populate its rules:
iptables -A LOG_ACCEPT -j LOG --log-level 6 --log-prefix "INPUT:ACCEPT: "
iptables -A LOG_ACCEPT -j ACCEPT
Now let's create a chain to log and drop:
iptables -N LOG_DROP
And let's populate its rules:
iptables -A LOG_DROP -j LOG --log-level 6 --log-prefix "INPUT:DROP: "
iptables -A LOG_DROP -j DROP
Now you can do all actions in one go by jumping (-j) to your custom chains instead of the default LOG / ACCEPT / REJECT / DROP:
iptables -A <your_chain_here> <your_conditions_here> -j LOG_ACCEPT
iptables -A <your_chain_here> <your_conditions_here> -j LOG_DROP
Upvotes: 90
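The chain approach from the answer above, as an added example (not code from the original answer) that goes a little further than the answer does: the script is safe to re-run, it rate-limits the LOG rule, it refuses a --log-prefix longer than the 29 characters iptables accepts, and it puts the jumps ahead of the usual ESTABLISHED,RELATED accept so they actually match. The ports, the 5/min limit and the "echo" dry-run default are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original answers): LOG_ACCEPT / LOG_DROP
# chains built by a script that can be re-run and that rate-limits LOG.
# Assumptions of the example: the port numbers, the 5/min limit and the
# "echo" dry-run default.
#
# IPTABLES defaults to "echo", which only prints the commands. To install
# the rules for real run:  IPTABLES=iptables sh log_chains.sh   (as root)
IPTABLES="${IPTABLES:-echo}"

# log_chain NAME TARGET PREFIX
#   Create (or flush, if it already exists) chain NAME and fill it with a
#   rate-limited LOG rule followed by the terminal target TARGET.
log_chain() {
    name=$1; target=$2; prefix=$3
    # iptables rejects a --log-prefix longer than 29 characters; check it
    # here so the dry run catches it too.
    if [ "${#prefix}" -gt 29 ]; then
        echo "log_chain: prefix '$prefix' longer than 29 chars" >&2
        return 1
    fi
    # -N fails when the chain exists; in that case flush it so re-running
    # the script does not append duplicate rules.
    $IPTABLES -N "$name" 2>/dev/null || $IPTABLES -F "$name"
    # LOG is non-terminating, so it must come first. -m limit keeps a flood
    # of matching packets from filling the kernel log.
    $IPTABLES -A "$name" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level 6 --log-prefix "$prefix"
    $IPTABLES -A "$name" -j "$target"
}

# install_rules
#   Build both chains and use them. Ordering matters: the jumps into the
#   logging chains are placed before the ESTABLISHED,RELATED accept,
#   otherwise that rule would match first and nothing would be logged.
install_rules() {
    log_chain LOG_ACCEPT ACCEPT "INPUT:ACCEPT: "
    log_chain LOG_DROP   DROP   "INPUT:DROP: "
    # new SSH connections: log and accept (port is an assumption)
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG_ACCEPT
    # anything to telnet: log and drop (port is an assumption)
    $IPTABLES -A INPUT -p tcp --dport 23 -j LOG_DROP
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

install_rules
```

Run it once without arguments to see the exact iptables commands it would issue; only after that run it with IPTABLES=iptables as root. Adjust --limit to the volume you expect; 5/min is deliberately low so that a scan cannot turn your own logging into a denial of service.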
Reputation: 3268
At work, I needed to log and block SSLv3 connections on ports 993 (IMAPS) and 995 (POP3S) using iptables. So, I combined Gert van Dijk's How to take down SSLv3 in your network using iptables firewall? (POODLE) with Prevok's answer and came up with this:
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C@ 12>>26&0x3C@ 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C@ 12>>26&0x3C@ 2 & 0xFF=0x01 && \
0>>22&0x3C@ 12>>26&0x3C@ 7 & 0xFFFF=0x0300" \
-j SSLv3
To LOG and DROP, create a custom chain (e.g. SSLv3):
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
Then, redirect what you want to LOG and DROP to that chain (see -j SSLv3):
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C@ 12>>26&0x3C@ 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C@ 12>>26&0x3C@ 2 & 0xFF=0x01 && \
0>>22&0x3C@ 12>>26&0x3C@ 7 & 0xFFFF=0x0300" \
-j SSLv3
Note: mind the order of the rules. Those rules did not work for me until I put them above this one I had in my firewall script:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Upvotes: 6
Reputation:
nflog is better
sudo apt-get -y install ulogd2
ICMP Block rule example:
iptables=/sbin/iptables
# Drop ICMP (PING): NFLOG is non-terminating, so the DROP rule must follow it
$iptables -t mangle -A PREROUTING -p icmp -j NFLOG --nflog-prefix 'ICMP Block'
$iptables -t mangle -A PREROUTING -p icmp -j DROP
And you can search for the prefix "ICMP Block" in the log:
/var/log/ulog/syslogemu.log
Upvotes: 1
Reputation: 772
Example:
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP
Log Example:
Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=x PROTO=TCP SPT=x DPT=x WINDOW=x RES=0x00 SYN URGP=0
Other options:
LOG
Turn on kernel logging of matching packets. When this option
is set for a rule, the Linux kernel will print some
information on all matching packets
(like most IP header fields) via the kernel log (where it can
be read with dmesg or syslogd(8)). This is a "non-terminating
target", i.e. rule traversal
continues at the next rule. So if you want to LOG the packets
you refuse, use two separate rules with the same matching
criteria, first using target LOG
then DROP (or REJECT).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29
letters long, and useful for distinguishing messages in
the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the
log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.
Upvotes: 27
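Once the LOG rules above are in place, the useful part is reading the lines back out of syslog. The following is an added example, not code from the original answer: plain POSIX sh (parameter expansion only, no awk) that recovers the --log-prefix from a kernel LOG line, pulls out individual KEY=value fields, and summarises the DROP entries by source and destination port. The sample lines are constructed in the format of the "Log Example" above; the addresses, ports and the extra "usb" kernel line are made up.

```shell
#!/bin/sh
# Added example (not from the original answer): parse the kernel LOG lines
# that iptables -j LOG writes to syslog, using --log-prefix to separate
# ACCEPT from DROP entries. Pure POSIX sh, so it runs wherever the log is.
# SAMPLE_LOG is constructed for this example; addresses and ports are made up.
SAMPLE_LOG='Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=0 PROTO=TCP SPT=51234 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 19 14:18:07 servername kernel: INPUT:ACCEPT:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 19 14:18:09 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=0 PROTO=TCP SPT=51235 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 19 14:18:10 servername kernel: usb 1-1: new high-speed USB device number 2
Feb 19 14:18:12 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=198.51.100.8 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=0 PROTO=TCP SPT=61000 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0'

# log_prefix LINE
#   Print the --log-prefix text: what sits between "kernel: " and the IN=
#   field. Prints an empty line for kernel messages that are not LOG output.
log_prefix() {
    case "$1" in
        *"kernel: "*IN=*) p=${1#*"kernel: "}; printf '%s\n' "${p%%IN=*}" ;;
        *) printf '\n' ;;
    esac
}

# log_field LINE KEY
#   Print the value of the KEY=value field; empty if the key is absent or
#   the value is empty (as "OUT=" is on inbound packets).
log_field() {
    case "$1" in
        *" $2="*) rest=${1#*" $2="}; printf '%s\n' "${rest%% *}" ;;
        *) printf '\n' ;;
    esac
}

# count_prefix PREFIX  (log lines on stdin)
#   Number of lines whose prefix is exactly PREFIX.
count_prefix() {
    n=0
    while IFS= read -r line; do
        [ "$(log_prefix "$line")" = "$1" ] && n=$((n + 1))
    done
    echo "$n"
}

# drop_sources  (log lines on stdin)
#   "SRC DPT" for every line whose prefix contains DROP; pipe through
#   sort | uniq -c to see which source is hitting which port.
drop_sources() {
    while IFS= read -r line; do
        case "$(log_prefix "$line")" in
            *DROP*) printf '%s %s\n' "$(log_field "$line" SRC)" "$(log_field "$line" DPT)" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LOG" | drop_sources | sort | uniq -c
```

Against a real system the same functions are fed from the kernel log, for example `drop_sources < /var/log/kern.log | sort | uniq -c | sort -rn`. Note that the prefix is recovered exactly as it was given to --log-prefix: the chain answer above uses "INPUT:DROP: " with a trailing space, so lines from that rule carry the trailing space and count_prefix must be called with it.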
Reputation: 12935
For the China GFW:
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
Upvotes: -7