Here are the general steps I have taken in the past to turn on iptables logging.

Modify logging:

- sudo vi /etc/syslog.conf
- add the line `kern.warning /var/log/iptables.log`
- sudo /sbin/service syslog restart
- sudo vi /etc/logrotate.d/syslog
- If this file is already there, add /var/log/iptables.log to the first line
- If the file is not there, add it:

```
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/iptables.log {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
```

Implement firewall rules:

- sudo vi /etc/sysconfig/iptables.script
- sudo chmod 700 /etc/sysconfig/iptables.script
- sudo /etc/sysconfig/iptables.script
In my iptables script I have all the general allow rules at the top and then some specific logging rules at the bottom. Below are a few examples.

```sh
# -m limit caps the LOG lines at 10 per minute (default burst of 5) so a packet flood
# cannot fill the disk; --log-level 4 is "warning", which the kern.warning line in
# /etc/syslog.conf above routes to /var/log/iptables.log.

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "

# Log outbound traffic for anything not equal to the private IP ranges (this is defined in some previous rules)
/sbin/iptables -A OUTPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Outbound Traffic: "

# Log traffic that doesn't hit a rule above (stuff that may be blocked in the future)
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Potentially Dropped Traffic: "
```

Obviously you can do a lot with this. Here is a good link for some general information.
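Once the LOG rules above are in place, the value is in reading /var/log/iptables.log back. As an added example that is not part of the original answer, the following parser splits each LOG-target line into the --log-prefix text and its KEY=VALUE fields, counts lines per prefix, and flags sources whose "Dropped Traffic" packets hit several distinct destination ports; the log sample, host name and addresses are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/iptables.log: lines the LOG target writes through
# syslog (kern.warning). Host name, addresses and times are made up for this example.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: Dropped Traffic: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: Dropped Traffic: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40513 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 fw kernel: Outbound Traffic: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.44 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9876 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=502 RES=0x00 ACK URGP=0
Mar  3 10:15:07 fw kernel: Potentially Dropped Traffic: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Mar  3 10:15:09 fw kernel: Dropped Traffic: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=40514 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The text before ": IN=" is whatever --log-prefix set (minus its trailing ": ").
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?): (?P<fields>IN=.*)$")

def parse_line(line):
    """Split one LOG-target line into its prefix, KEY=VALUE fields and bare flags; None if not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)  # ICMP echo lines carry ID= twice; keep the IP header one
        else:
            flags.add(tok)  # bare tokens such as DF, SYN, ACK
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}

def summarize(log_text, scan_threshold=3):
    """Count lines per --log-prefix and list sources whose dropped packets hit
    at least scan_threshold distinct destination ports (a simple port-scan signal)."""
    by_prefix = Counter()
    ports_by_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] += 1
        if rec["prefix"] == "Dropped Traffic" and "DPT" in rec["fields"]:
            ports_by_src.setdefault(rec["fields"]["SRC"], set()).add(int(rec["fields"]["DPT"]))
    suspects = sorted(src for src, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"by_prefix": dict(by_prefix), "suspects": suspects}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Remember that the -m limit on the rules means the log is a sample, not a full record, so counts here are lower bounds.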