The LOG target is specially designed for logging detailed
information about packets. These could, for example, be considered as illegal.
Or, logging can be used purely for bug hunting and error finding. The
LOG target will return specific information on packets,
such as most of the IP headers and other information considered interesting.
It does this via the kernel logging facility, normally
syslogd. This information may then be read directly with
dmesg, or from the syslogd logs, or with
other programs or applications. This is an excellent target to use to debug
your rule-sets, so that you can see what packets go where and what rules are
applied on what packets. Note as well that it could be a really great idea to
use the LOG target instead of the DROP
target while you are testing a rule you are not 100% sure about on a
production firewall, since a syntax error in the rule-sets could otherwise
cause severe connectivity problems for your users. Also note that the
ULOG target may be interesting if you are using really
extensive logging, since the ULOG target has support for
direct logging to MySQL databases and suchlike.
Note that if you get undesired logging direct to consoles, this is not
an iptables or Netfilter
problem, but rather a problem caused by your syslogd configuration - most
probably /etc/syslog.conf. Read more in man
syslog.conf for information about this kind of problem.
You may also need to tweak your dmesg settings.
dmesg is the command that changes which errors from the
kernel that should be shown on the console. dmesg -n 1
should prevent all messages from showing up on the console, except panic
messages. The dmesg message levels matches exactly the syslogd levels, and it
only works on log messages from the kernel facility. For more information,
see man dmesg.
The LOG target currently takes five options that could be
of interest if you have specific information needs, or want to set different
options to specific values. They are all listed below.
Table 11-5. LOG target options
iptables -A FORWARD -p tcp -j LOG --log-level
This is the option to tell iptables and
syslog which log level to use. For a complete list of log
levels read the syslog.conf manual. Normally there are
the following log levels, or priorities as they are normally referred to:
alert, emerg and
panic. The keyword error is
the same as err, warn is the
same as warning and panic is
the same as emerg. Note that all three of these are
deprecated, in other words do not use error,
warn and panic. The priority
defines the severity of the message being logged. All messages are logged
through the kernel facility. In other words, setting kern.=info
/var/log/iptables in your syslog.conf file and
then letting all your LOG messages in
iptables use log level info, would make all messages appear
in the /var/log/iptables file. Note that there may be
other messages here as well from other parts of the kernel that uses the info
priority. For more information on logging I recommend you to read the
syslog and syslog.conf man-pages as
well as other HOWTOs etc.
||iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT
This option tells iptables to prefix all log
messages with a specific prefix, which can then easily be combined with
grep or other tools to track specific problems and output
from different rules. The prefix may be up to 29 letters long, including
white-spaces and other special symbols.
||iptables -A INPUT -p tcp -j LOG
This option will log the TCP Sequence
numbers, together with the log message. The TCP
Sequence numbers are special numbers that identify each packet and
where it fits into a TCP sequence, as well as how the
stream should be reassembled. Note that this option constitutes a security
risk if the logs are readable by unauthorized users, or by the world for that
matter. As does any log that contains output from iptables.
||iptables -A FORWARD -p tcp -j LOG
The --log-tcp-options option logs the
different options from the TCP packet headers and can
be valuable when trying to debug what could go wrong, or what has actually
gone wrong. This option does not take any variable fields or anything like
that, just as most of the LOG options don't.
||iptables -A FORWARD -p tcp -j LOG
The --log-ip-options option will log most of
the IP packet header options. This works exactly the same as the
--log-tcp-options option, but instead works on the IP
options. These logging messages may be valuable when trying to debug or track
specific culprits, as well as for debugging - in just the same way as the
Works under Linux kernel 2.3, 2.4, 2.5 and 2.6.