On Wed, 20 Jul 2011, cbulist at gmail.com wrote:

> To: centos at centos.org
> From: "cbulist at gmail.com" <cbulist at gmail.com>
> Subject: Re: [CentOS] Iptables - flooding console
>
> On 7/20/2011 10:18 AM, Keith Roberts wrote:
>> On Wed, 20 Jul 2011, cbulist at gmail.com wrote:
>>
>>> To: centos at centos.org
>>> From: "cbulist at gmail.com"<cbulist at gmail.com>
>>> Subject: [CentOS] Iptables - flooding console
>>>
>>> Hi,
>>>
>>> We are trying to track some specific rules using LOG as target.
>>> Everything is working well but the problem is that iptables is flooding
>>> the console with LOG messages.
>>> We tried --log level 4 on iptables rules but it didn't work.
>>> We fixed the problem changing KLOGD_OPTIONS value in
>>> /etc/sysconfig/syslog to:
>>> KLOG_OPTIONS="-c 4"
>>>
>>> Is it the best option or are we missing something?
>>>
>>> Thanks in advance
>> I had this problem as well. The firewall logs were being
>> sent (tailed/tee'd ?) to the console, which is a pain if you
>> are using mc or any other console application.
>>
>> To fix it on CentOS 5.5/6 I just added the following
>> to the top of the /etc/syslog.conf file.
>>
>> Deleted these lines as not in use:
>>
>> # Log all kernel messages to the console.
>> # Logging much else clutters up the screen.
>> #kern.* /dev/console
>>
>>
>> Replaced with:
>> # Log all firewall messages to a file.
>> kern.=debug /var/log/firewall-log
>>
>> Obviously you need to make sure the firewall log file
>> exists
>>
>> -rw-r--r-- keith users 39039 Jul 20 15:24 firewall-log
>>
>> Kind Regards,
>>
> Thanks Keith,
>
> I tried your solution but it didn't work. (man 8 syslogd describes what
> you said)
> First I returned the default value on KLOG_OPTIONS, I restarted the
> syslog service but iptables still continues sending the log to console.
> I forgot to mention the system info:
>
> CentOS 5.6
>
> [root at server_56 ~]# uname -r
> 2.6.18-238.el5
> [root at server_56 ~]# iptables -V
> iptables v1.3.5

OK Julio.

There was a kernel update last night, so here's what my 5.6
box has got on it:

[root at karsites ~]# uname -r
2.6.18-238.19.1.el5
[root at karsites ~]# iptables -V
iptables v1.3.5

My /etc/sysconfig/syslog file is untouched by me:

###################
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
#################

The only file I alter is /etc/syslog.conf which contains:

#################
# Log all firewall messages to a file.
kern.=debug                                 /var/log/firewall-log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                  /var/log/secure

# Log all the mail messages in one place.
mail.*                                      -/var/log/maillog

# Log cron stuff
cron.*                                      /var/log/cron

# Everybody gets emergency messages
*.emerg                                     *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                              /var/log/spooler

# Save boot messages also to boot.log
local7.*                                    /var/log/boot.log
#################

and my IPtables rules for logging packets are:

#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#
iptables -N open_port_80

# LOG all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 \
-j LOG --log-level 7 --log-prefix 'Local Port 80 connects '

# ACCEPT all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 -j ACCEPT
#------------------------------------------------------#

Here's what I get in my firewall-log file. Just did a
connect from localhost to check it's all working OK.

Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00
:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=
0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=
0x00 ACK FIN URGP=0

Maybe you need to take another look at your IPtables logging
rule?

Kind Regards,

Keith

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
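
The routing discussed in this thread, as an added example that is not part of the original message: a simplified Python model of sysklogd selector matching run over rules copied from the syslog.conf quoted above, together with the kernel's console rule (a message is printed on the console only when its level is numerically lower than the console log level). The function names and the console log level of 7 used for comparison are assumptions, and `!` negation is not modelled.

```python
# Added example: where does a kernel message of a given level end up?
PRI = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # 0..7

# Rules copied from the /etc/syslog.conf in the message (subset that can match kern).
RULES = [
    ("kern.=debug", "/var/log/firewall-log"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("*.emerg", "*"),
]

def selector_matches(selector, facility, level):
    """True if a ';'-separated sysklogd selector list selects (facility, level)."""
    selected = False
    for part in selector.split(";"):
        facs, spec = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue                      # this part is about another facility
        if spec == "none":
            selected = False              # facility.none switches the facility off
        elif spec == "*":
            selected = True
        elif spec.startswith("="):
            if level == PRI.index(spec[1:]):   # '=' means exactly this priority
                selected = True
        elif level <= PRI.index(spec):         # plain name: this priority or higher
            selected = True
    return selected

def destinations(facility, level):
    """Destinations from RULES that receive the message."""
    return [dest for sel, dest in RULES if selector_matches(sel, facility, level)]

def on_console(level, console_loglevel):
    """Kernel rule: printed on the console only if level < console_loglevel."""
    return level < console_loglevel

if __name__ == "__main__":
    # 7 = the --log-level in the rules above, 4 = the level the original poster tried.
    for lvl in (7, 4):
        print("kern.%s -> %s | console at loglevel 7 (assumed): %s | after klogd -c 4: %s"
              % (PRI[lvl], destinations("kern", lvl),
                 on_console(lvl, 7), on_console(lvl, 4)))
```

With these rules a LOG rule at level 7 is written only to /var/log/firewall-log and stays off the console, while level 4 falls through to /var/log/messages and is kept off the console only once the console log level is lowered to 4.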