iptables logging flooding /var/log/messages
I am running Ubuntu Server, pretty recent, which is set up as a NAT router.
I have an iptables script that runs during boot to set up NAT, port forwarding etc.
I am trying to diagnose an unrelated problem with the box, but /var/log/messages, /var/log/syslog and /var/log/kern.log are all flooded with messages from iptables like this:
Oct 21 11:25:27 skip kernel: [39380.812663] INPUT packet died: IN=eth1 OUT= MAC=00:40:63:d9:7c:5b:00:03:fa:a9:d7:4a:08:00 SRC=24.207.21.237 DST=94.192.123.123 LEN=111 TOS=0x00 PREC=0x00 TTL=54 ID=16494 PROTO=UDP SPT=48865 DPT=20663 LEN=91
I can't find any documentation that makes it clear how to change the way iptables logs output. What I ideally want is for NONE of the iptables stuff to go to any of the above files, but instead to /var/log/iptables.
Solution 1:
It's that script. Remove the logging.
If you really want logs (and if you're not reading them then why bother?) then use ULOGD:
http://www.netfilter.org/projects/ulogd/index.html
Solution 2:
I can't find any documentation that makes it clear how to change the way iptables logs output. What I ideally want is for NONE of the iptables stuff to go to any of the above files, but instead to /var/log/iptables.
By default iptables stuff gets sent to syslog with a facility of kern and a priority of info.
You could choose to switch to a more advanced syslog and then build a filter based on a pattern, or you could just send all the kern.info stuff to /var/log/iptables. You may get things other than iptables in your iptables log.
Assuming you haven't already replaced the syslog that is installed, you might want to make changes like what is shown in the diff below.
--- syslog.conf 2008-08-29 17:40:57.000000000 -0700
+++ syslog.conf.tmp 2009-10-21 10:06:14.000000000 -0700
@@ -8,14 +8,17 @@
#
auth,authpriv.* /var/log/auth.log
-*.*;auth,authpriv.none -/var/log/syslog
+*.*;kern.!info;\
+ auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
-kern.* -/var/log/kern.log
+kern.*;kern.!info -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
+kern.info -/var/log/iptables.log
+
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
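Review bot: The `kern.!info` selectors added to the `/var/log/syslog` and `/var/log/kern.log` lines exclude more than intended: in sysklogd syntax `!info` drops priority info and every higher priority, so kernel notice, warning and error messages would disappear from both files and `kern.log` would effectively keep only debug. If the aim is to peel off exactly the info-level entries, use `kern.!=info` on those two lines and, symmetrically, `kern.=info -/var/log/iptables.log` for the new file, since `kern.info` as written also matches warning and above.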
@@ -37,6 +40,7 @@
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warning;\
+ kern.!info;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
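Review bot: Same selector issue on the `/var/log/messages` line: `kern.!info` suppresses kern at info and above, which also removes the `*.=notice` and `*.=warning` kernel entries this file is meant to collect. `kern.!=info` would exclude only the info priority and leave kernel notices and warnings in `messages`.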
By editing your iptables rules you can change the priority of the log entries being sent to the syslog and you can add a prefix to filter on with a more advanced syslog.
Or you can use the ULOG target like LapTop006 mentioned and then pass it off to a user space daemon like ulogd, specter, or others.
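A filter in a more advanced syslog, or a user-space consumer behind the ULOG target, is essentially picking the netfilter LOG lines out of the kernel message stream and splitting them on their --log-prefix and KEY=VALUE fields. As an added example (not part of this answer), here is a small Python parser for the log format shown in the question, run over constructed sample lines, that separates iptables entries from other kernel messages and breaks each one into fields; the prefix texts and sample lines are constructed for the example.

```python
import re

# Constructed sample syslog lines: two netfilter LOG-target entries in the format
# from the question, plus one unrelated kernel message that must stay in the main log.
SAMPLE_LOG = """\
Oct 21 11:25:27 skip kernel: [39380.812663] INPUT packet died: IN=eth1 OUT= MAC=00:40:63:d9:7c:5b:00:03:fa:a9:d7:4a:08:00 SRC=24.207.21.237 DST=94.192.123.123 LEN=111 TOS=0x00 PREC=0x00 TTL=54 ID=16494 PROTO=UDP SPT=48865 DPT=20663 LEN=91
Oct 21 11:25:28 skip kernel: [39381.100000] usb 1-1: new high-speed USB device number 3 using ehci_hcd
Oct 21 11:25:29 skip kernel: [39382.512000] FORWARD drop: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The kernel part of a syslog line: "kernel: [<uptime>] <message>".
KERNEL_MSG = re.compile(r"kernel: \[\s*[\d.]+\] (?P<msg>.*)$")
# A LOG-target message is "<--log-prefix text> IN=... OUT=... SRC=... ..."; the first
# KEY=VALUE token is always IN=, so everything before it is the prefix.
NF_FIELDS = re.compile(r"(?P<prefix>.*?)\bIN=(?P<rest>.*)$")

def parse_iptables_line(line):
    """Return a dict of the LOG-target fields, or None if this is not an iptables line."""
    m = KERNEL_MSG.search(line)
    if not m:
        return None
    nf = NF_FIELDS.match(m.group("msg"))
    if not nf:
        return None
    fields = {"prefix": nf.group("prefix").strip()}
    for tok in ("IN=" + nf.group("rest")).split():
        key, sep, val = tok.partition("=")
        if sep:
            # LEN appears twice (IP total length, then transport length); keep the first.
            fields.setdefault(key, val)
        else:
            # Bare flag tokens such as DF or SYN carry no value; record their presence.
            fields[key] = True
    return fields

def split_log(text):
    """Route parsed iptables records to one list and leave every other line untouched,
    which is the same classification a syslog filter on the prefix would perform."""
    iptables, other = [], []
    for line in text.splitlines():
        parsed = parse_iptables_line(line)
        if parsed is None:
            other.append(line)
        else:
            iptables.append(parsed)
    return iptables, other
```

Matching on the prefix field (for example only records whose prefix starts with a chosen tag) is how a rule-level --log-prefix becomes a routing key, whatever daemon does the writing.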