[CentOS] Iptables - flooding console

Wed Jul 20 18:12:57 UTC 2011
cbulist at gmail.com <cbulist at gmail.com>


On 7/20/2011 12:52 PM, Keith Roberts wrote:
> On Wed, 20 Jul 2011, cbulist at gmail.com wrote:
>
>> To: centos at centos.org
>> From: "cbulist at gmail.com"<cbulist at gmail.com>
>> Subject: Re: [CentOS] Iptables - flooding console
>>
>>
>>
>> On 7/20/2011 10:18 AM, Keith Roberts wrote:
>>> On Wed, 20 Jul 2011, cbulist at gmail.com wrote:
>>>
>>>> To: centos at centos.org
>>>> From: "cbulist at gmail.com"<cbulist at gmail.com>
>>>> Subject: [CentOS] Iptables - flooding console
>>>>
>>>> Hi,
>>>>
>>>> We are trying to track some specific rules using  LOG as target.
>>>> Everything is working well but the problem is that iptables is flooding
>>>> the console with LOG messages.
>>>> We tried --log level 4 on iptables rules but it didn't work.
>>>> We fixed the problem changing KLOGD_OPTIONS value in
>>>> /etc/sysconfig/syslog to:
>>>> KLOG_OPTIONS="-c 4"
>>>>
>>>> Is it the best option or we are missing something?
>>>>
>>>> Thanks in advance
>>> I had this problem as well. The firewall logs were being
>>> sent (tailed/tee'd ?) to the console, which is a pain if you
>>> are using mc or any other console application.
>>>
>>> To fix it on Centos 5.5/6 I just added the following
>>> to the top of the /etc/syslog.conf file.
>>>
>>> Deleted these lines as not in use:
>>>
>>> # Log all kernel messages to the console.
>>> # Logging much else clutters up the screen.
>>> #kern.*                       /dev/console
>>>
>>>
>>> Replaced with:
>>> # Log all firewall messages to a file.
>>> kern.=debug      /var/log/firewall-log
>>>
>>> Obviously you need to make sure the firewall log file
>>> exists:
>>>
>>> -rw-r--r--  keith  users    39039 Jul 20 15:24 firewall-log
>>>
>>> Kind Regards,
>>>
>> Thanks  Keith,
>>
>> I tried your solution but it didn't work. (man 8 syslogd describes what
>> you said.)
>> First I returned the default value on KLOG_OPTIONS and restarted the
>> syslog service, but iptables still continues sending the log to the console.
>> I forgot to mention the system info:
>>
>> CentOS 5.6
>>
>> [root at server_56 ~]# uname -r
>> 2.6.18-238.el5
>> [root at server_56 ~]# iptables -V
>> iptables v1.3.5
> OK Julio.
>
> There was a kernel update last night, so here's what my 5.6
> box has got on it:
>
> [root at karsites ~]# uname -r
> 2.6.18-238.19.1.el5
>
> [root at karsites ~]# iptables -V
> iptables v1.3.5
>
> my /etc/sysconfig/syslog file is untouched by me:
>
> ###################
>
> # Options to syslogd
> # -m 0 disables 'MARK' messages.
> # -r enables logging from remote machines
> # -x disables DNS lookups on messages recieved with -r
> # See syslogd(8) for more details
> SYSLOGD_OPTIONS="-m 0"
> # Options to klogd
> # -2 prints all kernel oops messages twice; once for klogd to decode, and
> # -x disables all klogd processing of oops messages entirely
> # See klogd(8) for more details
> KLOGD_OPTIONS="-x"
> #
> SYSLOG_UMASK=077
> # set this to a umask value to use for all log files as in umask(1).
> # By default, all permissions are removed for "group" and "other".
>
> #################
>
> The only file I alter is /etc/syslog.conf which contains:
>
> #################
>
> # Log all firewall messages to a file.
> kern.=debug        /var/log/firewall-log
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none  /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.*         /var/log/secure
>
> # Log all the mail messages in one place.
> mail.*            -/var/log/maillog
>
> # Log cron stuff
> cron.*            /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg           *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit   /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.*         /var/log/boot.log
>
> #################
>
> and my IPtables rules for logging packets are:
>
> #------------------------------------------------------#
> # create a new chain for apache connections
> #------------------------------------------------------#
>
>    iptables -N open_port_80
>
> # LOG all local connections to apache port 80
>    iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 \
>      -j LOG --log-level 7 --log-prefix 'Local Port 80 connects '
>
> # ACCEPT all local connections to apache port 80
>    iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 -j ACCEPT
>
> #------------------------------------------------------#
>
> Here's what I get in my firewall-log file. Just did a
> connect from localhost to check it's all working OK.
>
> Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
>
> Maybe you need to take another look at your IPtables logging
> rule?
>
> Kind Regards,
>
> Keith
>
> -----------------------------------------------------------------

Keith and Daniel,

Thanks so much for your help!

Keith, you are right. I had --log-level 4 in the iptables rules because I 
played with that option in order to fix the problem. Now it's working well.
I didn't update the kernel.

Sincerely,

Julio
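Once the LOG output is routed into /var/log/firewall-log as described in the thread, the file can be parsed rather than read by eye. The following parser is an added example, not code from the thread; the sample lines are constructed (the first reproduces the line Keith quoted), and the field and flag names are the ones iptables' LOG target writes.

```python
import re
from collections import Counter

# Constructed sample of the kernel log lines iptables' LOG target produces
# (the first line reproduces the one quoted in the thread; the rest are made up).
SAMPLE_LOG = """\
Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
Jul 20 18:47:09 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40423 DF PROTO=TCP SPT=59792 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
Jul 20 18:47:10 karsites kernel: Remote Port 80 connects IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 20 18:47:10 karsites kernel: Remote Port 80 connects IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 20 18:47:11 karsites kernel: e1000: eth0: link is up (unrelated kernel message)
"""

# syslog timestamp, host, "kernel:", optional --log-prefix text, then the packet fields
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<rest>.*)$"
)

def parse_log_line(line):
    """Split one LOG line into (log_prefix, fields, flags); None if not a LOG line."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {"TS": m.group("ts"), "HOST": m.group("host")}
    flags = set()
    # key=value tokens -> fields; bare tokens (DF, SYN, ACK, FIN, ...) -> flags
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)
    return m.group("prefix").strip(), fields, flags

def new_connections_by_source(text):
    """Count TCP connection attempts (SYN without ACK) per source address."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _prefix, fields, flags = parsed
        if fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            counts[fields["SRC"]] += 1
    return dict(counts)
```

Feed the file to `new_connections_by_source(open("/var/log/firewall-log").read())` to get a per-source count of connection attempts; lines that the regex does not match (kernel messages that are not from the LOG target) are skipped.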