netfilter Operation: Part Seven

By this point, you should have a relatively solid grasp of how to configure a Linux firewall. So far we have covered all of the core commands to permit and deny traffic. Another useful command for your Linux firewall deals with logging packets. If you want to log everything passing through the firewall, use the iptables -A FORWARD -j LOG command. While simple, this would likely generate an excessive amount of log traffic. You also might want some additional control over how the logging occurs. There are some additional options to provide this functionality. Of particular note are the --log-level and --log-prefix options.


The --log-level option allows you to specify what logging level is used for the LOG rule. The effect this log level has depends on how you have your kernel logging configured (via syslog or syslog-ng). When you combine the custom logging level of iptables with the syslog configuration, you can have syslog act in any manner of ways based on the firewall logs, including sending e-mails for certain events. The --log-prefix option allows you to insert a string of up to 29 characters in front of the log entry. This can be useful for troubleshooting purposes. One example of information you could place in the log prefix is the name of the chain that generated the log entry, such as iptables -A FORWARD -j LOG --log-prefix "from FORWARD chain".

Saving and Restoring a Ruleset

Now that you can create a working ruleset for netfilter, you will want to save it. There are two commands of note: one for saving the configuration and one for loading a saved configuration. You can use the iptables-save command to generate output that is the current active ruleset. By default, it only writes the output to stdout, meaning it will display in the console. To save this output, redirect it to a file. To redirect the current ruleset to a file called /etc/ruleset, you would type iptables-save > /etc/ruleset. If you want to save the current packet counts and byte counts as well, use the iptables-save -c > /etc/ruleset command. Individual tables can be saved separately by specifying the -t option, as in the iptables-save -t mangle > /etc/ruleset command.


Restoring a ruleset is accomplished using the iptables-restore command. Like iptables-save, the restore function takes only two optional arguments. The -c option will cause iptables to load the saved packet and byte counts, overwriting the current count values. The default behavior when using iptables-restore is to flush the ruleset before loading the saved ruleset, thus all previous rules are lost. If you wish to override this behavior, you can use the -n option, in which case the rules will be added to the existing ruleset, and will only overwrite if there is a duplicate rule. You can use the iptables-restore < /etc/ruleset command to pipe the saved configuration to iptables-restore.
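The following script is an added example, not code from the original post: it ties together the logging options above (a prefixed, rate-limited LOG rule ahead of a DROP) with the save/restore workflow, emitting the rules in the iptables-save format that iptables-restore reads, and then counts the resulting kernel log lines by prefix and source address. The chain names are real, but the prefixes, log lines and the 5/min rate limit are constructed for this example; only apply_and_save touches the live firewall and needs root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh and awk; the
# iptables-restore / iptables-save calls live only in apply_and_save (root needed).
# Prefixes, sample log lines and the rate limit are constructed for this example.

MAX_PREFIX=29   # --log-prefix accepts at most 29 characters

# build_log_rule CHAIN PREFIX [LEVEL]: print one LOG rule in iptables-save syntax,
# rate-limited so a packet flood cannot fill the log. Fails if the prefix is too long.
build_log_rule() {
    chain=$1; prefix=$2; level=${3:-warning}
    if [ "${#prefix}" -gt "$MAX_PREFIX" ]; then
        echo "log prefix too long (${#prefix} > $MAX_PREFIX): '$prefix'" >&2
        return 1
    fi
    printf '%s\n' "-A $chain -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$prefix\" --log-level $level"
}

# build_ruleset: a complete filter table that accepts replies to existing connections,
# logs everything else that is forwarded, then drops it. This text is what
# iptables-save prints and what iptables-restore reads.
build_ruleset() {
    log_rule=$(build_log_rule FORWARD "FORWARD-DROP: " warning) || return 1
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "$log_rule" '-A FORWARD -j DROP' 'COMMIT'
}

# apply_and_save FILE: load the ruleset (flushing the old one, the default) and persist
# the now-active ruleset with its counters, as the post describes. Must run as root.
apply_and_save() {
    build_ruleset | iptables-restore && iptables-save -c > "$1"
}

# summarize_log PREFIX: count, per SRC address, the kernel log lines on stdin that carry
# PREFIX (the same string a syslog filter would match on to route or alert on them).
summarize_log() {
    awk -v p="$1" 'index($0, p) { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
        END { for (s in n) printf "%s %d\n", s, n[s] }' | sort
}

# Demo on constructed log lines (no root needed): print the ruleset, then the counts.
SAMPLE_LOG='Jun  5 10:12:33 fw kernel: FORWARD-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=23
Jun  5 10:12:34 fw kernel: FORWARD-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=22
Jun  5 10:12:35 fw kernel: FORWARD-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=198.51.100.5 PROTO=UDP SPT=4000 DPT=53
Jun  5 10:12:36 fw kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=ICMP'
build_ruleset
printf '%s\n' "$SAMPLE_LOG" | summarize_log 'FORWARD-DROP: '
```

Running `build_ruleset > /etc/ruleset` on a test host and loading it with `iptables-restore < /etc/ruleset` gives the same result as apply_and_save without the counter save.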

External Links:

How to Log Linux iptables Firewall Dropped Packets to a Log File at The Geek Stuff


© 2013 David Zientara. All rights reserved.