Ubuntu – iptables logging flooding /var/log/messages

iptableslog-filesUbuntu

I am running Ubuntu Server, pretty recent, which is set up as a NAT router.

I have an iptables script that runs during boot to set up NAT, port forwarding etc.

I am trying to diagnose an unrelated problem with the box, but /var/log/messages, /var/log/syslog and /var/log/kern.log are all flooded with messages from iptables like this:

Oct 21 11:25:27 skip kernel: [39380.812663] INPUT packet died: IN=eth1 OUT= MAC=00:40:63:d9:7c:5b:00:03:fa:a9:d7:4a:08:00 SRC=24.207.21.237 DST=94.192.123.123 LEN=111 TOS=0x00 PREC=0x00 TTL=54 ID=16494 PROTO=UDP SPT=48865 DPT=20663 LEN=91

I can't find any documentation that makes it clear how to change the way iptables logs output. What I ideally want is for NONE of the iptables stuff to go to any of the above files, but instead to /var/log/iptables.

Best Answer

It's that script. Remove the logging.

If you really want logs (and if you're not reading them then why bother?) then use ULOGD:

http://www.netfilter.org/projects/ulogd/index.html

Related Solutions

Iptables ESTABLISHED,RELATED chain problems

Netfilter has dropped the connection from the state table. One of the timeouts in /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_* has expired. I'm guessing it is nf_conntrack_tcp_timeout_last_ack.

Here is a scenario: Your web server sends a final packet with some data and fin set. The client goes comatose for 30 seconds. Netfilter removes the entry from the state table. The client wakes up and sends a fin ack that is not part of a tracked connection anymore.

I see this all the time on web servers. It is client problem.

If you want to verify that you could record the state table (/proc/net/nf_conntrack) and correlate that with the firewall log.

Edit: I had the direction reversed but the concept applies. In this case his server is making outgoing https connections so it is actually the client and the remote web server may be slow to respond.

The rule

/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

has nothing to do with it. It is about DST port 443 and this is SPT 443.

Iptables: How to read this OPT string

0204057D010303010101080A3E521D4D0000000004020000
From a sans.org study guide,
the first 2 bytes (0x0204) 04--is-length 02 means MSS flag
the next 2 bytes (0x057D) are the value for maximum size segment (MSS)
the next byte (0x01) is a no-op
the next 2 bytes (0x0303) indicate a windows scaling is enabled

the 3 bytes ("010101") are no-ops (AKA padding)
the 2 next bytes ("080a") flag a time stamp value
the 4 next bytes (("0x3E521D4D00000000") are date time 5 * 2 bytes
the 4 next bytes ("0402") sAck Ok

The master document: ftp://ftp.ietf.org/iana/tcp-parameters/tcp-parameters.xml
Others: https://datatracker.ietf.org/doc/html/draft-ietf-tcpm-tcp-security-03
http://www.ietf.org/mail-archive/web/tcpm/current/msg03199.html

for humor! : https://www.rfc-editor.org/rfc/rfc5841

Best Answer

Related Solutions

Iptables ESTABLISHED,RELATED chain problems

Iptables: How to read this OPT string

Related Topic