Logging packets dropped with nfq_set_verdict2(NF_DROP)
In my application, I take the packets from netfilter to userspace with NFQUEUE, and then I compare them with my criteria and drop or accept packets through NF_DROP or NF_ACCEPT in the nfq_set_verdict2 function. I want to log the dropped packets in regular iptables log format. How can I achieve this?
To log the dropped packets, create a new chain that will drop every packet it receives. Redirect all the packets that you want to drop to the new chain, and use the logging syntax when declaring the new chain:
    iptables -N LOGGING
    iptables -A INPUT -j LOGGING
    iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    iptables -A LOGGING -j DROP
Line 3, -m limit: This uses the limit matching module. Using this you can limit the logging with the --limit option.
--limit 2/min: This indicates the maximum average matching rate for logging. In this example, for similar packets it will limit logging to 2 per minute. You can also specify 2/second, 2/minute, 2/hour, 2/day. This is helpful when you don't want to clutter your log messages with repeated messages for the same dropped packets.
-j LOG: This indicates that the target for this packet is LOG, i.e. write to the log file.
--log-prefix "IPTables-Dropped: ": You can specify any log prefix, which will be appended to the log messages that will be written to the /var/log/messages file.
--log-level 4: This is the standard syslog level. 4 is warning. You can use a number from the range 0 through 7; 0 is emergency and 7 is debug.
iptables -A LOGGING -j DROP: Finally, drop all the packets that came to the LOGGING chain, i.e. now it really drops the incoming packets.
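An added example (not part of the answer above) for the userspace side of the question: a packet the NFQUEUE callback drops with NF_DROP is freed in the kernel and never traverses a later LOG rule, so this Python renders the same IN=/OUT=/SRC=/DST=... layout the LOG target writes and sends it to syslog at warning level, which matches --log-level 4. It assumes the raw payload as returned by nfq_get_payload() and interface names resolved by the caller; the MAC= and IP-option fields are omitted.

```python
import struct
import syslog
from ipaddress import IPv4Address

# Added example (not from the original post): render a raw IPv4 packet, as
# nfq_get_payload() hands it to the callback, in the field layout the kernel's
# iptables LOG target uses.  in_if/out_if are assumed to be interface names
# resolved from nfq_get_indev()/nfq_get_outdev(); MAC= and OPT fields omitted.

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = (("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))

def format_iptables_log(prefix: str, in_if: str, out_if: str, pkt: bytes) -> str:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    tos, total_len, ident, frag, ttl, proto = struct.unpack("!xBHHHBB", pkt[:10])
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    f = [f"{prefix}IN={in_if} OUT={out_if} SRC={src} DST={dst} LEN={total_len}",
         f"TOS=0x{tos & 0x1E:02X} PREC=0x{tos & 0xE0:02X} TTL={ttl} ID={ident}"]
    if frag & 0x4000: f.append("DF")
    if frag & 0x2000: f.append("MF")
    if frag & 0x1FFF: f.append(f"FRAG:{frag & 0x1FFF}")
    l4 = pkt[ihl:] if not frag & 0x1FFF else b""  # later fragments carry no L4 header
    if proto == 6 and len(l4) >= 20:
        spt, dpt = struct.unpack("!HH", l4[:4])
        window, urgp = struct.unpack("!H2xH", l4[14:20])
        f.append(f"PROTO=TCP SPT={spt} DPT={dpt} WINDOW={window} RES=0x{(l4[12] & 0x0F) << 2:02x}")
        f += [name for name, bit in TCP_FLAGS if l4[13] & bit]  # same order as the kernel
        f.append(f"URGP={urgp}")
    elif proto == 17 and len(l4) >= 8:
        spt, dpt, ulen = struct.unpack("!HHH", l4[:6])
        f.append(f"PROTO=UDP SPT={spt} DPT={dpt} LEN={ulen}")
    else:  # other protocols, truncated or fragmented headers: protocol only
        f.append(f"PROTO={PROTO_NAMES.get(proto, proto)}")
    return " ".join(f)

def log_dropped(prefix: str, in_if: str, out_if: str, pkt: bytes) -> str:
    """Call right before nfq_set_verdict2(..., NF_DROP, ...); LOG_WARNING = --log-level 4."""
    line = format_iptables_log(prefix, in_if, out_if, pkt)
    syslog.syslog(syslog.LOG_WARNING, line)
    return line

# Constructed sample: IPv4/TCP SYN 10.0.0.5:51234 -> 10.0.0.1:22, DF set, checksums zeroed.
SAMPLE_SYN = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                          IPv4Address("10.0.0.5").packed, IPv4Address("10.0.0.1").packed)
              + struct.pack("!HHIIBBHHH", 51234, 22, 0, 0, 0x50, 0x02, 29200, 0, 0))
```

Running format_iptables_log("IPTables-Dropped: ", "eth0", "", SAMPLE_SYN) yields a line that grep or fail2ban-style rules written for the kernel LOG output will also match.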