[CentOS] Iptables - flooding console

Wed Jul 20 17:52:59 UTC 2011
Keith Roberts <keith at karsites.net>

On Wed, 20 Jul 2011, cbulist at gmail.com wrote:

> To: centos at centos.org
> From: "cbulist at gmail.com" <cbulist at gmail.com>
> Subject: Re: [CentOS] Iptables - flooding console
> 
>
>
> On 7/20/2011 10:18 AM, Keith Roberts wrote:
>> On Wed, 20 Jul 2011, cbulist at gmail.com wrote:
>>
>>> To: centos at centos.org
>>> From: "cbulist at gmail.com"<cbulist at gmail.com>
>>> Subject: [CentOS] Iptables - flooding console
>>>
>>> Hi,
>>>
>>> We are trying to track some specific rules using LOG as target.
>>> Everything is working well but the problem is that iptables is flooding
>>> the console with LOG messages.
>>> We tried --log level 4 on iptables rules but it didn't work.
>>> We fixed the problem changing KLOGD_OPTIONS value in
>>> /etc/sysconfig/syslog to:
>>> KLOG_OPTIONS="-c 4"
>>>
>>> Is it the best option, or are we missing something?
>>>
>>> Thanks in advance
>> I had this problem as well. The firewall logs were being
>> sent (tailed/tee'd?) to the console, which is a pain if you
>> are using mc or any other console application.
>>
>> To fix it on Centos 5.5/6 I just added the following
>> to the top of the /etc/syslog.conf file.
>>
>> Deleted these lines as not in use:
>>
>> # Log all kernel messages to the console.
>> # Logging much else clutters up the screen.
>> #kern.*                       /dev/console
>>
>>
>> Replaced with:
>> # Log all firewall messages to a file.
>> kern.=debug      /var/log/firewall-log
>>
>> Obviously you need to make sure the firewall log file
>> exists:
>>
>> -rw-r--r--  keith  users    39039 Jul 20 15:24 firewall-log
>>
>> Kind Regards,
>>
> Thanks, Keith,
>
> I tried your solution but it didn't work. (man 8 syslogd describes what
> you said.)
> First I restored the default value of KLOG_OPTIONS and restarted the
> syslog service, but iptables still continues sending the log to the console.
> I forgot to mention the system info:
>
> CentOS 5.6
>
> [root at server_56 ~]# uname -r
> 2.6.18-238.el5
> [root at server_56 ~]# iptables -V
> iptables v1.3.5

OK Julio.

There was a kernel update last night, so here's what my 5.6 
box has got on it:

[root at karsites ~]# uname -r
2.6.18-238.19.1.el5

[root at karsites ~]# iptables -V
iptables v1.3.5

my /etc/sysconfig/syslog file is untouched by me:

###################

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details 
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely 
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".

#################

The only file I alter is /etc/syslog.conf which contains:

#################

# Log all firewall messages to a file.
kern.=debug        /var/log/firewall-log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none  /var/log/messages

# The authpriv file has restricted access.
authpriv.*         /var/log/secure

# Log all the mail messages in one place.
mail.*            -/var/log/maillog

# Log cron stuff
cron.*            /var/log/cron

# Everybody gets emergency messages
*.emerg           *

# Save news errors of level crit and higher in a special file.
uucp,news.crit   /var/log/spooler

# Save boot messages also to boot.log
local7.*         /var/log/boot.log

#################

and my IPtables rules for logging packets are:

#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#

  iptables -N open_port_80

# LOG all local connections to apache port 80
  iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 \
    -j LOG --log-level 7 --log-prefix 'Local Port 80 connects '

# ACCEPT all local connections to apache port 80
  iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 -j ACCEPT

#------------------------------------------------------#

Here's what I get in my firewall-log file. Just did a 
connect from localhost to check it's all working OK.

Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0

Maybe you need to take another look at your IPtables logging 
rule?

Kind Regards,

Keith

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
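Since the thread is about getting the --log-level 7 LOG records off the console and into a file, here is an added example (not code from the thread, nor from CentOS or iptables) of what to do with them once they land in a file like Keith's firewall-log: a small Python parser for the record format he posted, a summary by log prefix and by source/destination port, and two helpers that spell out the level arithmetic behind "kern.=debug" and "klogd -c 4" (the console rule, priority strictly below the console loglevel, is the kernel's printk rule, which klogd -c sets). The first sample line is the one Keith posted; the remaining lines, the "Dropped inbound" prefix, the "link is up" message and the 198.51.100.7/192.0.2.10 addresses are constructed for the example.

```python
"""Parse iptables LOG lines from a syslog-style file and summarize them.

Added example, not code from the mailing-list thread. SAMPLE_LOG is
constructed: line 1 is the record Keith posted, the rest are made up
(RFC 5737 documentation addresses, illustrative prefixes).
"""
import re
from collections import Counter

# Priority numbers as used by `iptables -j LOG --log-level N` and by the
# kern.=<name> selectors in syslog.conf. Lower numbers are more severe.
SYSLOG_LEVELS = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                 4: "warning", 5: "notice", 6: "info", 7: "debug"}

# "<timestamp> <host> kernel: <prefix>IN=... OUT=... KEY=VALUE ..."
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

SAMPLE_LOG = """\
Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
Jul 20 18:47:09 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40423 DF PROTO=TCP SPT=59792 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
Jul 20 18:47:11 karsites kernel: Dropped inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 20 18:47:12 karsites kernel: eth0: link is up
"""


def syslog_selector(level):
    """syslog.conf selector that matches exactly the given --log-level."""
    return "kern.=" + SYSLOG_LEVELS[level]


def reaches_console(msg_level, console_loglevel):
    """Kernel printk rule: a message goes to the console only when its
    priority number is strictly below console_loglevel, the value that
    `klogd -c N` (or /proc/sys/kernel/printk) sets."""
    return msg_level < console_loglevel


def parse_iptables_log(line):
    """Return a dict for one iptables LOG record, or None for other lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    start = rest.find("IN=")          # packet fields begin at IN=
    if start < 0:
        return None                   # an ordinary kernel message
    prefix, body = rest[:start].strip(), rest[start:]
    fields = dict(_KV_RE.findall(body))
    tokens = set(body.split())        # bare tokens such as DF, SYN, ACK
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": prefix,
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "df": "DF" in tokens,
        "tcp_flags": tokens & _TCP_FLAGS,
    }


def summarize(text):
    """Count records per log prefix and per (SRC, DPT); skip non-LOG lines."""
    by_prefix, by_src_dpt, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_iptables_log(line)
        if rec is None:
            skipped += 1
            continue
        by_prefix[rec["prefix"]] += 1
        by_src_dpt[(rec["src"], rec["dpt"])] += 1
    return by_prefix, by_src_dpt, skipped


if __name__ == "__main__":
    by_prefix, by_src_dpt, skipped = summarize(SAMPLE_LOG)
    for prefix, n in by_prefix.most_common():
        print(f"{n:5d}  {prefix}")
    for (src, dpt), n in by_src_dpt.most_common():
        print(f"{n:5d}  {src} -> dpt {dpt}")
    print(f"skipped {skipped} non-iptables kernel line(s)")
```

Run it against a real file with summarize(open("/var/log/firewall-log").read()); the prefix grouping is why a distinct --log-prefix per rule, as in Keith's rule set, pays off at analysis time.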