iptables

Logging Dropped Packets in IPTables?


I'm trying to log some dropped packets in iptables from a malicious IP Address that keeps hitting my server.

Everything that comes from this malicious IP is dropped and I don't see it in the web server logs anymore which is a good thing. Using tcpdump, I can see traffic still coming from this IP, and I would like to log the dropped packets in iptables, since I know it's working and they are being dropped.

I have some iptables rules, and I don't know why the logging is not working. I'm sure I'm missing something.

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
**-A INPUT -s 80.82.65.0/24 -j DROP**
-A INPUT -s 167.74.0.0/18 -j DROP
-A INPUT -s 167.87.0.0/16 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A LOGGING -s 80.82.65.0/24 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7
$ grep iptables /etc/rsyslog.conf 
kern.debug                      /var/log/iptables.log

Solution

  • The problem with your configuration is that the rule specifying that the packet should be dropped precedes the rule specifying that it should be dealt with in the LOGGING chain, where it would be logged.
    Once iptables matches the packet with the first rule (that of the DROP action), it ceases its search and doesn't reach the other rule.

    I would change the order of the rules and rewrite them as follows:

    iptables -N LOGANDDROP
    iptables -A INPUT -s 80.82.65.0/24 -j LOGANDDROP
    iptables -A LOGANDDROP -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7
    iptables -A LOGANDDROP -j DROP
    

    For the sake of completeness, I'll suggest an alternative solution, which doesn't involve creating a new ad hoc chain:

    iptables -A INPUT -s 80.82.65.0/24 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7
    iptables -A INPUT -s 80.82.65.0/24 -j DROP
    

    This approach builds upon the following caveat. As mentioned earlier, iptables default behavior is to look for the first match to the package in hand and once one is found, to halt its search for additional matches. However, there is a single exception to this rule:

    Although this solution is shorter and therefore might seem more attractive at first glance, it's not recommended since it is not as robust. Once there are multiple sources that require the same handling those two configuration lines shall be duplicated for each new source (instead of adding just a single line in the previous solution). Moreover, once that is made, changing the logging details would require changing multiple rules (rather than just a single one in the previous solution).
    I also think that since this solution relies upon the aforementioned caveat, it is not as easy to follow and understand, which is an important factor to take into account when configuring iptables, but that's just my personal opinion.

    Note - refer to this useful link for a concise tutorial on iptables.