1. Introduction

iptables is a firewall that’s included in most Linux distributions. It’s a powerful tool that can be used to block unwanted traffic and secure a Linux system. One of the key features of iptables is its ability to log packets that match a certain rule. This can be useful for debugging purposes, but it can also cause the system log to become cluttered with iptables logs. 

In this tutorial, we’ll discuss how to write iptables logs to a separate file, so they don’t interfere with other log messages.

2. Writing iptables Logs

The first step in writing iptables logs to a separate file is to create a file for the logs. We’ll create a file called /var/log/iptables.log:

$ sudo touch /var/log/iptables.log

Next, we’ll modify the iptables rules to include logging. We’ll add the -j LOG option to the end of the rule. This causes iptables to log packets that match the rule:

$ iptables -A INPUT -p tcp --dport 22 -j LOG

Finally, we need to configure syslog to write iptables logs to the separate log file we created in the first step. This is done by adding the following line to the syslog configuration file (usually located at /etc/syslog.conf or /etc/rsyslog.conf):

kern.* /var/log/iptables.log

After adding this line, we’ll need to restart the syslog service for the changes to take effect. The command to restart the syslog service varies depending on the distribution we’re using. On Debian-based systems (such as Ubuntu), we can use the following command:

$ sudo service rsyslog restart

2.1. Sample Code and Output

In this example, we’ll log all incoming SSH traffic (port 22) to the /var/log/iptables.log file. First, we’ll add the following rule to iptables:

$ iptables -A INPUT -p tcp --dport 22 -j LOG

Next, let’s configure syslog to write iptables logs to the /var/log/iptables.log file by adding the following line to the syslog configuration file:

kern.* /var/log/iptables.log

Finally, let’s restart the syslog service to apply the changes:

$ sudo service rsyslog restart

After making these changes, we can check the /var/log/iptables.log file to see if it contains logs of incoming SSH traffic. The following is an example of what we might see in the log file:

Feb 2 11:00:01 hostname kernel: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77 SRC=192.168.1.100 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63776

3. Conclusion

In this article. we learned how to configure iptables to log packets that match a certain rule and write those logs to a separate file. This can be useful for debugging purposes, as well as for security purposes, as we can keep an eye on incoming and outgoing traffic. Additionally, writing iptables logs to a separate file can help keep our system logs organized and easy to read.

We should remember to restart the syslog service after making changes to the syslog configuration file to ensure that the changes take effect.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.