[CentOS] Iptables - flooding console
Keith Roberts
keith at karsites.net
Wed Jul 20 17:52:59 UTC 2011
On Wed, 20 Jul 2011, cbulist at gmail.com wrote:
> To: centos at centos.org
> From: "cbulist at gmail.com" <cbulist at gmail.com>
> Subject: Re: [CentOS] Iptables - flooding console
>
>
>
> On 7/20/2011 10:18 AM, Keith Roberts wrote:
>> On Wed, 20 Jul 2011, cbulist at gmail.com wrote:
>>
>>> To: centos at centos.org
>>> From: "cbulist at gmail.com"<cbulist at gmail.com>
>>> Subject: [CentOS] Iptables - flooding console
>>>
>>> Hi,
>>>
>>> We are trying to track some specific rules using LOG as target.
>>> Everything is working well but the problem is that iptables is flooding
>>> the console with LOG messages.
>>> We tried --log level 4 on iptables rules but it didn't work.
>>> We fixed the problem changing KLOGD_OPTIONS value in
>>> /etc/sysconfig/syslog to:
>>> KLOG_OPTIONS="-c 4"
>>>
>>> Is it the best option or we are missing something?
>>>
>>> Thanks in advance
>> I had this problem as well. The firewall logs were being
>> sent (tailed/tee'd ?) to the console, which is a pain if you
>> are using mc or any other console application.
>>
>> To fix it on Centos 5.5/6 I just added the following
>> to the top of the /etc/syslog.conf file.
>>
>> Deleted these lines as not in use:
>>
>> # Log all kernel messages to the console.
>> # Logging much else clutters up the screen.
>> #kern.* /dev/console
>>
>>
>> Replaced with:
>> # Log all firewall messages to a file.
>> kern.=debug /var/log/firewall-log
>>
>> Obviously you need to make sure the firewall log file
>> exists
>>
>> -rw-r--r-- keith users 39039 Jul 20 15:24 firewall-log
>>
>> Kind Regards,
>>
> Thanks Keith,
>
> I tried your solution but it didn't work. (man 8 syslogd describes what
> you said)
> First I returned the default value on KLOG_OPTIONS, I restarted the
> syslog service but the iptables still continues sending the log to console.
> I forgot to mention the system info:
>
> CentOS 5.6
>
> [root at server_56 ~]# uname -r
> 2.6.18-238.el5
> [root at server_56 ~]# iptables -V
> iptables v1.3.5
OK Julio.
There was a kernel update last night, so here's what my 5.6
box has got on it:
[root at karsites ~]# uname -r
2.6.18-238.19.1.el5
[root at karsites ~]# iptables -V
iptables v1.3.5
my /etc/sysconfig/syslog file is untouched by me:
###################
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
#################
The only file I alter is /etc/syslog.conf which contains:
#################
# Log all firewall messages to a file.
kern.=debug /var/log/firewall-log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#################
and my IPtables rules for logging packets are:
#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#
iptables -N open_port_80
# LOG all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 \
-j LOG --log-level 7 --log-prefix 'Local Port 80 connects '
# ACCEPT all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 -j ACCEPT
#------------------------------------------------------#
Here's what I get in my firewall-log file. Just did a
connect from localhost to check it's all working OK.
Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
Maybe you need to take another look at your IPtables logging
rule?
Kind Regards,
Keith
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
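Once the LOG lines are routed into a file by the kern.=debug selector, the next thing a practitioner wants is to read them back in a structured way. The following is an added example (not code from the thread or from the CentOS project) that parses lines in the format shown above: the syslog timestamp and host, the --log-prefix text, the key=value fields, and the bare flag tokens (DF, SYN, ACK, FIN). It also filters for SYN-only packets, because the rule in the thread logs every matching packet (the line shown is an ACK FIN, not a new connection), so counting lines overcounts connections. The sample log is constructed: the first line is the one from the thread joined back onto one line, the remaining lines are invented to exercise the parser (the Dropped prefix, the 192.0.2.x/198.51.100.x addresses and the non-iptables kernel line are assumptions, not anything from the page).

```python
"""Parse iptables LOG lines as delivered to /var/log/firewall-log by syslogd."""
import re
from collections import Counter

# Constructed sample input. Line 1 is the thread's own log line; the others
# are made up for this example (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
Jul 20 18:47:09 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40423 DF PROTO=TCP SPT=59792 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
Jul 20 18:47:10 karsites kernel: Dropped IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 20 18:47:11 karsites kernel: Dropped IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=53000 DPT=53 LEN=56
Jul 20 18:47:12 karsites kernel: eth0: link is up
Jul 20 18:47:13 karsites sshd[1234]: Accepted publickey for keith from 127.0.0.1
"""

# syslog line as written by syslogd for the kernel facility
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)

# syslog severity names, so a numeric --log-level can be turned into the
# selector you would put in syslog.conf (7 -> "kern.=debug")
LEVEL_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
               4: "warning", 5: "notice", 6: "info", 7: "debug"}


def syslog_selector(log_level):
    """Selector that matches exactly the packets logged with --log-level N."""
    return "kern.=" + LEVEL_NAMES[log_level]


def parse_line(line):
    """Return a dict for an iptables LOG line, or None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None                     # not a kernel message at all
    msg = m.group("msg")
    start = msg.find("IN=")
    if start < 0:
        return None                     # kernel message, but not from the LOG target
    fields, flags = {}, []
    for tok in msg[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)    # OUT= legitimately has an empty value
            fields.setdefault(key, val)     # UDP/ICMP repeat LEN= for the inner header; keep the IP-level one
        else:
            flags.append(tok)               # DF, SYN, ACK, FIN, ... carry no value
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": msg[:start].rstrip(), "fields": fields, "flags": flags}


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def new_tcp_connections(records):
    """Only the SYN-without-ACK packets, i.e. connection attempts rather than every packet."""
    return [r for r in records
            if r["fields"].get("PROTO") == "TCP"
            and "SYN" in r["flags"] and "ACK" not in r["flags"]]


def summarize(records):
    """Count packets by (prefix, SRC, PROTO, DPT): the usual first question asked of a firewall log."""
    counts = Counter()
    for r in records:
        f = r["fields"]
        counts[(r["prefix"], f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("selector for --log-level 7:", syslog_selector(7))
    for key, n in sorted(summarize(recs).items()):
        print(n, key)
    print("new TCP connections:", [r["fields"]["SPT"] for r in new_tcp_connections(recs)])
```

Run it against the real file with `parse_log(open("/var/log/firewall-log").read())`. The prefix is recovered as everything before the first IN=, which is why a trailing space in --log-prefix (as in the thread's rule) is harmless here; keep prefixes free of "IN=" and "=" characters if you rely on this split.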