So, I’ve been hating for quite some time having my dmesg cluttered by iptables logs. Yesterday I had enough and decided to clean it up.
Here it is how to do it:
First of all, you have to replace -j LOG in your rules with -j NFLOG
this will stop iptables from logging to standard syslog and switch to sending log packets via multicast. You’ll have to assign a number from 0 to 2^16-1 to the nflog_netlink multicast group, the default is 1
Plus you can associate a label to the logging rule using –nflog-prefix.
The iptable rule should resemble this:
(blablabla...) -j NFLOG --nflog-group 32 --nflog-prefix iptables
Because you won’t be using syslog anymore, you can’t just rely on rsyslogd anymore, you will need to install ulogd2. It is not mandatory, you can use whatever you like to fetch data from the multicast socket, including wireshark or writing your own code. Since I just want a different logfile, ulogd2 is perfectly fine.
sudo apt-get install ulogd
Open up /etc/ulogd.conf and check that it contains these lines:
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
(Mine’s a 64 bit install, it will probably look slightly different on 32 bit)
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
Make sure no other “stack” lines are uncommented
# Logging of system packet through NFLOG [log1] # netlink multicast group (the same as the iptables --nflog-group param) # Group O is used by the kernel to log connection tracking invalid message group=32
Make sure group=n exactly matches the –nflog-group n rule in iptables! And make sure this is the only [log1] section in the configuration file
[emu1] file="/var/log/iptables.log" #sync=1
If you want immediate logging, albeit slower, just uncomment sync=1, otherwise you might observe a small delay before the lines apper in the logfile.
Restart ulogd
sudo service ulogd restart
Voilà!
Oh and one last thing:
If your log remains empty, make sure the NFLOG rules come before the DROP rules