iptables syslog

Discussion in 'Installation/Configuration' started by stefanr, Dec 31, 2005.

  1. stefanr

    stefanr Member

    Hello,

    my installation of the ispconfig work fine, and my welcome messages works now also, thank's on falko.
    I have another question of iptables the firewall of the ipconfig works fine (think so) but i got no log information in any log files in /var/log/.

    I have no ideas how i change this problem. How can i start the firewall of the ispconfig tool that the message from the firewall logs to /var/log/firewall.log?

    my iptables -L on the consol list this:

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere 127.0.0.0/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level info
    DROP all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level notice
    LOG all -- anywhere anywhere LOG level debug
    LOG all -- anywhere anywhere limit: avg 5/min burst 3 LOG level debug

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (16 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (3 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:www
    PAROLE tcp -- anywhere anywhere tcp dpt:81
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:10000
    PAROLE tcp -- anywhere anywhere tcp dpt:imap2
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
    PAROLE tcp -- anywhere anywhere tcp dpt:socks
    PAROLE tcp -- anywhere anywhere tcp dpt:14534
    PAROLE tcp -- anywhere anywhere tcp dpt:8767
    PAROLE tcp -- anywhere anywhere tcp dpt:1452
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (3 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere


    my /etc/syslog.conf

    # /etc/syslog.conf Configuration file for syslogd.
    #
    # For more information see syslog.conf(5)
    # manpage.

    #
    # First some standard logfiles. Log by facility.
    #

    auth,authpriv.* /var/log/auth.log
    *.*;auth,authpriv.none -/var/log/syslog
    #cron.* /var/log/cron.log
    daemon.* -/var/log/daemon.log
    #kern.* -/var/log/kern.log
    lpr.* -/var/log/lpr.log
    mail.* -/var/log/mail.log
    user.* -/var/log/user.log
    uucp.* /var/log/uucp.log
    kern.notice;kern.!warn /var/log/firewall.log
    kern.warn -/var/log/kern.log


    #
    # Logging for the mail system. Split it up so that
    # it is easy to write scripts to parse these files.
    #
    mail.info -/var/log/mail.info
    mail.warn -/var/log/mail.warn
    mail.err /var/log/mail.err

    # Logging for INN news system
    #
    news.crit /var/log/news/news.crit
    news.err /var/log/news/news.err
    news.notice -/var/log/news/news.notice

    I anyone a idea what can i do to log the firewall message in /var/log/firewall.log

    i wish anyone a happy new year.

    STEFAN
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can enable logging in the bastille firewall configuration. You must chnage the file in:

    /etc/Bastille/bastille-firewall.cfg

    and the master template:

    /root/ispconfig/isp/conf/bastille-firewall.cfg.master

    Then restart the firewall:

    /etc/init.d/bastille-firewall restart
     
  3. stefanr

    stefanr Member

    Thanks vor your fast replay..
    my file
    /etc/Bastille/bastille-firewall.cfg

    schnip
    # 2) services for which we want to log access attempts to syslog (all systems)
    # Note this only audits connection attempts from public interfaces
    #
    # Also see item 12, LOG_FAILURES
    #
    #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
    # anyone probing for BackOrifice?
    #UDP_AUDIT_SERVICES="31337"
    # how about ICMP?
    #ICMP_AUDIT_TYPES=""
    #ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
    #
    # To enable auditing, you must have syslog configured to log "kern"
    # messages of "info" level; typically you'd do this with a line in
    # syslog.conf like
    # kern.info /var/log/messages
    # though the Bastille port monitor will normally want these messages
    # logged to a named pipe instead, and the Bastille script normally
    # configures syslog for "kern.*" which catches these messages
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
    #UDP_AUDIT_SERVICES="31337"
    #ICMP_AUDIT_TYPES=""

    and this entry

    IP_LOG_LEVEL=6 # iptables/netfilter default

    schnap


    i understood this as the files ok and the logging must go, but no entry will come in anyfiles aof /var/log/

    my file /etc/sysconfig i have also changed in

    # /etc/syslog.conf Configuration file for syslogd.
    #
    # For more information see syslog.conf(5)
    # manpage.

    #
    # First some standard logfiles. Log by facility.
    #

    auth,authpriv.* /var/log/auth.log
    *.*;auth,authpriv.none -/var/log/syslog
    #cron.* /var/log/cron.log
    daemon.* -/var/log/daemon.log
    #kern.* -/var/log/kern.log
    lpr.* -/var/log/lpr.log
    mail.* -/var/log/mail.log
    user.* -/var/log/user.log
    uucp.* /var/log/uucp.log
    kern.notice;kern.!warn;kern.info /var/log/firewall.log
    kern.warn -/var/log/kern.log


    what can also goes wrong?

    after all i changes i restart /etc/init.d/sysklogd restart, and the firewall

    what can goes wrong?

    STEFAN
     
    Last edited: Dec 31, 2005
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you have to uncomment e.g. this line in the bastille configuration:

    TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"

    to log connection attempts to the listed services.

    Or you set the line:

    LOG_FAILURES="N"

    to:

    LOG_FAILURES="Y"

    if you want to log connection failures.
     
  5. stefanr

    stefanr Member


    Hey till very kind of you, but i have change the things that you say and i can't find any logs :-( what do i wrong?
    I've open iptables -A INPUT -j LOG --log-level notice,
    can this the problem i think before that the firewall is only a iptables commant..
     
  6. FeraTechInc

    FeraTechInc ISPConfig Developer ISPConfig Developer

    Uhh... well I did all this. Now... where is the log file?

    I can't find anything in /var/log There is not iptables or bastille log file?

    Can somebody help me out?
     
  7. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/Bastille/bastille-firewall.cfg?
    Have you tried to restart the firewall?
     
  8. wpwood3

    wpwood3 New Member

    Answer to an old question

    I know this is an old thread but I recently enabled logging in Bastille and finally found where it logs.

    The log entries appear in /var/log/messages

    I made some iptables rule changes and wanted to verify they were working so I edited /etc/Bastille/bastille-firewall.cfg and changed LOG_FAILURES to "Y" and then restarted Bastille with /etc/init.d/bastille-firewall restart

    Since I only plan to allow logging temporarily, I did not edit /root/ispconfig/isp/conf/bastille-firewall.cfg.master. As till mentioned, you have to edit this file, too if you don't want your changes to be overwritten when you reboot.

    A word of warning...
    Turning this on can generate LOTS of log entries in a very short period of time. I would not advise setting LOG_FAILURES="Y" and forgetting about it!
     
    Last edited: Jan 29, 2008

Share This Page