How to log connections hitting certain rules in iptables on Linux?

By Eric Ma | In QA |

How to log connections hitting certain rules in iptables on Linux? Like the one that are dropped because of too frequently creating SSH connections.

You can create a new chain named LOGNDROP that log the connections and drop them, then pass the connection to be redirected to the LOGNDROP chain.

    $tables -N LOGNDROP
    # Connections to LOGNDROP chain will be logged and dropped
    $tables -A LOGNDROP -j LOG --log-level 6
    $tables -A LOGNDROP -j DROP

As an example, the rules for How to use iptables to limit rates new SSH incoming connections from each IP on Linux can be changed to:

for tables in iptables ip6tables ; do
    # start with a clean table
    $tables -F
    # allow localhost connections
    $tables -A INPUT -p tcp -s localhost -j ACCEPT

    # Allow established inbound connections
    $tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Create LOGNDROP chain
    $tables -N LOGNDROP
    # Connections to LOGNDROP chain will be logged and dropped
    $tables -A LOGNDROP -j LOG --log-level 6
    $tables -A LOGNDROP -j DROP
    # Maximum 6 new connections every 60 seconds
    $tables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 6 --name SSH --rsource -j LOGNDROP
    # Record new connections
    $tables -A INPUT -p tcp --dport 22 -m recent --set --name SSH --rsource -j ACCEPT
    # Reject other connections; use only needed
    $tables -A INPUT -j REJECT
    $tables -A FORWARD -j REJECT
done
Read more:

Eric Ma

Eric is a systems guy. Eric is interested in building high-performance and scalable distributed systems and related technologies. The views or opinions expressed here are solely Eric's own and do not necessarily represent those of any third parties.

Leave a Reply

Your email address will not be published. Required fields are marked *