1)、# iptables -A INPUT -p tcp --dport 22 -j LOG --log-level 5 --log-prefix "IPTABLES:"
--log-level :日志级别为5, --log-prefix的前缀信息为“IPTABLES:”
对于为什么日志级别为5,可以参看 #man syslog 中的8种级别;syslog.conf 里配置的优先级要与 iptables 的 --log-level 所指定的级别相对应.
2)、在这里还要编辑/etc/syslog.conf配置文件
增加:kern.=notice /var/log/firewall.log 一行(kern 表示内核信息; .= 表示只匹配该优先级; notice 为优先级,对应 --log-level 5)
[root@localhost root]# iptables -A INPUT -p tcp -d 192.168.0.253 --dport 22 -j LOG --log-level 5 --log-prefix "IPTABLES:"
[root@localhost root]# vi /etc/syslog.conf
[root@localhost root]# cat /etc/syslog.conf |grep notice
kern.=notice /var/log/firewall.log
[root@localhost root]# man syslog |grep '<*>'
#include
#include
#include
DEFAULT_MESSAGE_LOGLEVEL - 1 (6) unless the line starts with <N> where
ventional meaning of the loglevel is defined in <linux/kernel.h> as
#define KERN_EMERG "<0>" /* system is unusable */
#define KERN_ALERT "<1>" /* action must be taken immediately */
#define KERN_CRIT "<2>" /* critical conditions */
#define KERN_ERR "<3>" /* error conditions */
#define KERN_WARNING "<4>" /* warning conditions */
#define KERN_NOTICE "<5>" /* normal but significant condition */
#define KERN_INFO "<6>" /* informational */
#define KERN_DEBUG "<7>" /* debug-level messages */
[root@localhost root]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@localhost root]# iptables -A INPUT -p tcp -d 192.168.0.253 --dport 22 -j ACCEPT
[root@localhost root]# iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.0.253 tcp dpt:22
2 ACCEPT all -- 127.0.0.1 127.0.0.1
3 ACCEPT udp -- 0.0.0.0/0 192.168.0.253 udp spt:53 state ESTABLISHED
4 LOG tcp -- 0.0.0.0/0 192.168.0.253 tcp dpt:22 LOG flags 0 level 5 prefix `IPTABLES:'
5 ACCEPT tcp -- 0.0.0.0/0 192.168.0.253 tcp dpt:22
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.0.253 0.0.0.0/0 tcp spt:22 state ESTABLISHED
2 ACCEPT all -- 127.0.0.1 127.0.0.1
3 ACCEPT udp -- 192.168.0.253 0.0.0.0/0 udp dpt:53
[root@localhost root]# iptables -D INPUT 1 (删除 INPUT 链中排在 LOG 规则前面的第 1 条 dpt:22 ACCEPT 规则)
[root@localhost root]# iptables -L -n --line-numbers 重新查看 iptables 规则及各条规则的先后顺序
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 127.0.0.1 127.0.0.1
2 ACCEPT udp -- 0.0.0.0/0 192.168.0.253 udp spt:53 state ESTABLISHED
3 LOG tcp -- 0.0.0.0/0 192.168.0.253 tcp dpt:22 LOG flags 0 level 5 prefix `IPTABLES:'
4 ACCEPT tcp -- 0.0.0.0/0 192.168.0.253 tcp dpt:22
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 192.168.0.253 0.0.0.0/0 tcp spt:22 state ESTABLISHED
2 ACCEPT all -- 127.0.0.1 127.0.0.1
3 ACCEPT udp -- 192.168.0.253 0.0.0.0/0 udp dpt:53
[root@localhost root]# tail /var/log/firewall.log
Aug 6 02:44:14 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=18358 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=65483 RES=0x00 ACK PSH URGP=0
Aug 6 02:44:14 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18363 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=65399 RES=0x00 ACK URGP=0
Aug 6 02:44:15 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=18368 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=65399 RES=0x00 ACK PSH URGP=0
Aug 6 02:44:15 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18369 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Aug 6 02:44:15 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18370 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=64395 RES=0x00 ACK URGP=0
Aug 6 02:44:15 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18374 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=64327 RES=0x00 ACK URGP=0
Aug 6 02:44:33 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=144 TOS=0x00 PREC=0x00 TTL=128 ID=18883 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=64327 RES=0x00 ACK PSH URGP=0
Aug 6 02:44:34 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18889 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=64259 RES=0x00 ACK URGP=0
Aug 6 02:44:35 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=18917 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=64259 RES=0x00 ACK PSH URGP=0
Aug 6 02:44:35 localhost kernel: IPTABLES:IN=eth0 OUT= MAC=00:0c:29:8f:07:60:00:e0:4d:b3:e3:88:08:00 SRC=192.168.0.153 DST=192.168.0.253 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=18924 DF PROTO=TCP SPT=1812 DPT=22 WINDOW=64191 RES=0x00 ACK URGP=0
注:
1)、首先确认你要记录到 LOG 的数据包在前面的规则中没有被丢弃(DROP)过;
2)、然后确认在 LOG 前面没有匹配同样数据包的 ACCEPT 规则,有的话,先把 ACCEPT 删掉,再把 ACCEPT 重新加到 LOG 的后面(也就是先经过 LOG,再经过 ACCEPT,不然数据包在 ACCEPT 处就已经结束匹配,系统日志无法记录日志信息)。另外要注意,上面的 LOG 规则会记录 dpt:22 的每一个数据包(从日志可以看到连已建立连接的 ACK 包也被逐个记录),流量大时日志会迅速膨胀,可考虑配合 -m limit 限速或只记录 --syn 的新连接。