Article Reference

Article ID: 3519
Last update: 04-06-06
Issue:
How do I setup logging in the iptables firewall?
Resolution:

The Red Hat Enterprise Linux firewall, iptables, can log network activity to the syslog system. This is particularly useful for detecting unwelcome or uninvited connections to your Red Hat Enterprise Linux system.

Logging can be enabled by adding a single rule to the firewall using the iptables command.

Let's assume that you have chosen the default firewall configuration with the 'High' setting in redhat-config-securitylevel or redhat-config-securitylevel-tui. That configuration results in an iptables rule set like this:

# iptables -v -L --line-numbers

.........
......... 

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target  prot opt in     out     source  destination
1     4495  328K ACCEPT  all  --  lo     any     anywhere  anywhere
2       28  1568 ACCEPT  icmp --  any    any     anywhere  anywhere  icmp any
3        0     0 ACCEPT  ipv6-crypt--  any    any     anywhere  anywhere
4        0     0 ACCEPT  ipv6-auth--  any    any     anywhere  anywhere
5      558  330K ACCEPT  all  --  any    any     anywhere  anywhere  state RELATED,ESTABLISHED
6      126 23084 REJECT  all  --  any    any     anywhere  anywhere reject-with icmp-host-prohibited

Firewall rules are checked sequentially (packets 'traverse' the chain rule by rule, and the first rule that matches and terminates decides the packet's fate). Given the design of this rule set, the best place to add our logging rule is just before the last rule in chain RH-Firewall-1-INPUT, line 6. This ensures that any packet not ACCEPTed by rules 1 to 5 is logged before it is REJECTed.

To insert a logging rule in the correct place issue this command:

# iptables -I RH-Firewall-1-INPUT 6 -m limit --limit \
1/minute -j LOG --log-prefix ' ## IPTABLES LOGGED ## '

The iptables command has the following options:

  • -I RH-Firewall-1-INPUT 6 means 'insert into the RH-Firewall-1-INPUT chain at rule number 6' (the rule currently at line 6 becomes line 7 after this command completes).
  • -m limit --limit 1/minute is a safety measure that prevents excessive log data from being generated. -m limit loads the limit match extension, which allows a rate limit to be placed on packet matching; --limit 1/minute sets that average rate. The additional option --limit-burst is not specified here, so iptables defaults to a burst of 5 packets.
  • -j LOG --log-prefix ' ## IPTABLES LOGGED ## ' selects the LOG target and its options. --log-prefix gives each logged message a prefix that can be used to search for the iptables entries in the log file.

Additional options are available for the LOG target, including --log-level, which sets the syslog priority of the log message. It was not specified here, so the messages default to the 'warning' level.

To confirm that the log rule is in place view the rule set:

# iptables -v -L --line-numbers

.........
......... 

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target  prot opt in     out     source  destination
1     9204  671K ACCEPT  all  --  lo     any     anywhere  anywhere
2       78  4368 ACCEPT  icmp --  any    any     anywhere  anywhere           icmp any
3        0     0 ACCEPT  ipv6-crypt--  any    any     anywhere  anywhere
4        0     0 ACCEPT  ipv6-auth--  any    any     anywhere  anywhere
5     1133  637K ACCEPT  all  --  any    any     anywhere  anywhere state RELATED,ESTABLISHED
6        0     0 LOG     all  --  any    any     anywhere  anywhere  limit: avg 1/min burst 5 
  LOG level warning prefix  ` ## IPTABLES LOGGED ## '
7      250 45718 REJECT  all  --  any    any     anywhere  anywhere  reject-with icmp-host-prohibited

To view the log messages, search the /var/log/messages file for the prefix:

# grep "## IPTABLES LOGGED ##" /var/log/messages

Note: To make the new log rule persist across reboots, you must save the rule set. Also note that if you run the redhat-config-securitylevel tools again, they regenerate the rule set and the logging rule will be removed. To save the rules:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
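As an added example that is not part of the Red Hat article, the POSIX shell script below performs two checks a practitioner would want after following the steps above: that the LOG rule really sits immediately before the REJECT rule in the chain listing (a rule appended after the REJECT would never see a packet), and a summary of the logged entries by source address, protocol and destination port so the log is actually useful for spotting unwanted connection attempts. The function names, the sample chain listings and the syslog lines are all constructed for this example; on a real host you would pipe `iptables -v -L --line-numbers` and `/var/log/messages` into the same functions instead.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: checks for the logging rule
# configured above. Both functions read text from stdin so they work on the
# constructed samples below or on real output piped in on a host.

# Returns 0 when the last LOG rule in the listing is numbered exactly one
# less than the REJECT rule (i.e. everything not ACCEPTed is logged before
# it is rejected); any other layout returns 1.
rule_order_ok() {
    awk '
        /^[0-9]+ / {                 # rule lines start with the rule number
            if ($4 == "LOG")    lognum = $1
            if ($4 == "REJECT") rejnum = $1
        }
        END { exit ((lognum != "" && rejnum != "" && lognum + 1 == rejnum) ? 0 : 1) }
    '
}

# Prints "count SRC PROTO DPT" lines for entries carrying the article's
# log prefix, most frequent first ("-" where a field is absent).
iptables_log_summary() {
    grep "## IPTABLES LOGGED ##" \
    | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        if (src != "") print src, (proto == "" ? "-" : proto), (dpt == "" ? "-" : dpt)
      }' \
    | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Constructed listing modelled on the article's second listing; counters and
# rule numbers are sample values, not real output.
LISTING_OK='Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target  prot opt in     out     source  destination
1     9204  671K ACCEPT  all  --  lo     any     anywhere  anywhere
5     1133  637K ACCEPT  all  --  any    any     anywhere  anywhere state RELATED,ESTABLISHED
6        0     0 LOG     all  --  any    any     anywhere  anywhere  limit: avg 1/min burst 5
  LOG level warning prefix "## IPTABLES LOGGED ##"
7      250 45718 REJECT  all  --  any    any     anywhere  anywhere  reject-with icmp-host-prohibited'

# Constructed listing of the common mistake: the LOG rule was appended
# (-A) after the REJECT, so no packet ever reaches it.
LISTING_BAD='Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target  prot opt in     out     source  destination
1     9204  671K ACCEPT  all  --  lo     any     anywhere  anywhere
2      250 45718 REJECT  all  --  any    any     anywhere  anywhere  reject-with icmp-host-prohibited
3        0     0 LOG     all  --  any    any     anywhere  anywhere  limit: avg 1/min burst 5'

# Constructed syslog lines in the kernel LOG-target format, with one
# unrelated sshd line mixed in. Addresses are from the RFC 5737
# documentation ranges, not real hosts.
SAMPLE_LOG='Apr  6 10:01:02 fw kernel:  ## IPTABLES LOGGED ## IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:01:03 fw sshd[2211]: Accepted publickey for admin from 198.51.100.9 port 50122 ssh2
Apr  6 10:01:14 fw kernel:  ## IPTABLES LOGGED ## IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31338 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:01:27 fw kernel:  ## IPTABLES LOGGED ## IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31339 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:02:40 fw kernel:  ## IPTABLES LOGGED ## IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=4127 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr  6 10:02:41 fw kernel:  ## IPTABLES LOGGED ## IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4128 DF PROTO=TCP SPT=2304 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0'

# Usage on the constructed samples.
if printf '%s\n' "$LISTING_OK" | rule_order_ok; then
    echo "good listing: LOG rule directly precedes REJECT"
fi
if printf '%s\n' "$LISTING_BAD" | rule_order_ok; then
    echo "bad listing: unexpectedly passed"
else
    echo "bad listing: LOG rule is not directly before REJECT"
fi
printf '%s\n' "$SAMPLE_LOG" | iptables_log_summary
```

The summary deliberately keys on the `--log-prefix` string rather than on `kernel:`, because other kernel messages share that tag; the rule-order check keys on the rule number in column one, so the wrapped "LOG level warning prefix" continuation line in a real listing is skipped.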

