On Wed, 20 Jul 2011, cbulist@gmail.com wrote:
To: centos@centos.org
From: "cbulist@gmail.com" <cbulist@gmail.com>
Subject: Re: [CentOS] Iptables - flooding console
On 7/20/2011 10:18 AM, Keith Roberts wrote:
On Wed, 20 Jul 2011, cbulist@gmail.com wrote:
To: centos@centos.org
From: "cbulist@gmail.com" <cbulist@gmail.com>
Subject: [CentOS] Iptables - flooding console
Hi,
We are trying to track some specific rules using LOG as target. Everything is working well, but the problem is that iptables is flooding the console with LOG messages. We tried --log-level 4 on the iptables rules, but it didn't work. We fixed the problem by changing the KLOGD_OPTIONS value in /etc/sysconfig/syslog to:

KLOG_OPTIONS="-c 4"

Is it the best option, or are we missing something?
Thanks in advance
I had this problem as well. The firewall logs were being sent (tailed/tee'd?) to the console, which is a pain if you are using mc or any other console application.
To fix it on CentOS 5.5/6 I just added the following to the top of the /etc/syslog.conf file.
Deleted these lines as not in use:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

Replaced with:

# Log all firewall messages to a file.
kern.=debug                                             /var/log/firewall-log
Obviously you need to make sure the firewall log file exists:
-rw-r--r-- keith users 39039 Jul 20 15:24 firewall-log
Kind Regards,
Thanks Keith,
I tried your solution but it didn't work. (man 8 syslogd describes what you said.) First I restored the default value of KLOG_OPTIONS and restarted the syslog service, but iptables still continues sending the log to the console. I forgot to mention the system info:
CentOS 5.6
[root@server_56 ~]# uname -r
2.6.18-238.el5
[root@server_56 ~]# iptables -V
iptables v1.3.5
OK Julio.
There was a kernel update last night, so here's what my 5.6 box has got on it:
[root@karsites ~]# uname -r
2.6.18-238.19.1.el5
[root@karsites ~]# iptables -V
iptables v1.3.5
my /etc/sysconfig/syslog file is untouched by me:
###################
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
# SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
#################
The only file I alter is /etc/syslog.conf which contains:
#################
# Log all firewall messages to a file.
kern.=debug                                             /var/log/firewall-log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
#################
and my iptables rules for logging packets are:

#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#
iptables -N open_port_80

# LOG all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 \
    -j LOG --log-level 7 --log-prefix 'Local Port 80 connects '

# ACCEPT all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 -j ACCEPT
#------------------------------------------------------#
Here's what I get in my firewall-log file. Just did a connect from localhost to check it's all working OK.

Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0

Maybe you need to take another look at your iptables logging rule?
Kind Regards,
Keith
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------
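Two things in this thread are easy to get wrong once the LOG output is finally routed to a file: reading the KEY=VALUE records the LOG target writes, and predicting which --log-level values still reach the console. The following is an added example (not from either poster) that parses lines in the firewall-log format shown above and models the kernel's console rule; the sample log lines and host/prefix names are constructed, and the helper names are mine.

```python
import re
from collections import Counter

# Constructed sample lines in the firewall-log format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
Jul 20 18:47:09 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40423 DF PROTO=TCP SPT=59792 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
Jul 20 18:47:10 karsites kernel: Local Port 80 connects IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 20 18:47:11 karsites kernel: usb 1-1: new device found
"""

# "<timestamp> <host> kernel: <optional --log-prefix text> IN=... packet fields"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?P<prefix>.*?)\s*(?P<rest>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")                    # KEY=VALUE tokens; OUT= may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare tokens without '='

def parse_line(line):
    """Return a dict for one iptables LOG line, or None for any other kernel message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    rec.update(FIELD_RE.findall(rest))   # a repeated key (e.g. a second LEN=) overwrites the first
    rec["flags"] = sorted(tok for tok in rest.split() if tok in TCP_FLAGS)
    return rec

def summarize(log_text):
    """Count logged packets per (SRC, DPT) and per --log-prefix, and list bare-SYN sources."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "packets": len(recs),
        "by_src_dport": Counter((r["SRC"], r["DPT"]) for r in recs),
        "by_prefix": Counter(r["prefix"] for r in recs),
        "new_connections": [r["SRC"] for r in recs if r["flags"] == ["SYN"]],
    }

def reaches_console(log_level, console_loglevel):
    """printk() copies a message to the console only when its level is numerically below
    console_loglevel (0=emerg .. 7=debug; the kernel default is 7).  `klogd -c 4` sets
    console_loglevel=4, so a rule at --log-level 4 (warning) is silenced but --log-level 3
    (err) still reaches the console; at the default 7, only --log-level 7 (debug) stays off it."""
    return log_level < console_loglevel
```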