Iptables logging using NFLOG and ulogd2 on Debian Jessie

So, I’ve been hating for quite some time having my dmesg cluttered by iptables logs. Yesterday I had enough and decided to clean it up.

Here it is how to do it:

First of all, you have to replace -j LOG in your rules with -j NFLOG
this will stop iptables from logging to standard syslog and switch to sending log packets via multicast. You’ll have to assign a number from 0 to 2^16-1 to the nflog_netlink multicast group, the default is 1
Plus you can associate a label to the logging rule using –nflog-prefix.
The iptable rule should resemble this:

Because you won’t be using syslog anymore, you can’t just rely on rsyslogd anymore, you will need to install ulogd2. It is not mandatory, you can use whatever you like to fetch data from the multicast socket, including wireshark or writing your own code. Since I just want a different logfile, ulogd2 is perfectly fine.

Open up /etc/ulogd.conf and check that it contains these lines:

(Mine’s a 64 bit install, it will probably look slightly different on 32 bit)

Make sure group=n exactly matches the –nflog-group n rule in iptables! And make sure this is the only [log1] section in the configuration file

If you want immediate logging, albeit slower, just uncomment sync=1, otherwise you might observe a small delay before the lines apper in the logfile.

Restart ulogd

Voilà!

Oh and one last thing:

If your log remains empty, make sure the NFLOG rules come before the DROP rules