For a better overview, I want the firewall logging in a separate file. Here is a first try with rsyslog.
Modify the logging options in fwbuilder
In fwbuilder, a log prefix can be set in the rule options, for example "NETFILTER ".
Yes, there is a blank at the end. 🙂
In the compiled file the log entry looks like this:
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "NETFILTER "
The global configuration file /etc/rsyslog.conf includes all config files in the directory /etc/rsyslog.d/.
Create a file "10_iptables.conf" with the following content (the first line writes every message whose text matches "NETFILTER" to the separate file; the second line, `& ~`, applies the discard action to the same selector so the message is not processed by the rules that follow):
:msg,regex,"NETFILTER" -/var/log/netfilter.log
& ~
root@debian-iptables1 /etc/rsyslog.d # service rsyslog restart
root@debian-iptables1 /etc/rsyslog.d # tail -f /var/log/messages
Mar 25 22:48:18 debian-iptables1 kernel: [14298.362960] NETFILTER IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:e8:94:f6:af:67:96:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=44531 DPT=7437 LEN=181
Mar 25 22:48:21 debian-iptables1 kernel: [14301.308150] NETFILTER IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:54:88:0e:08:32:08:08:00 SRC=192.168.1.101 DST=192.168.1.255 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50271 DPT=15600 LEN=47
Tip from practice
As with the management through fwbuilder, I want to centralize the logging. It is important that I can later easily tell which firewall an entry belongs to.
This approach led me to the following prefix syntax:
Here xy is the consecutive number of the firewall and <description> a meaningful description of the rule, for example
So I can always use the same file on any firewall for rsyslog:
:msg,regex,"IPTABLES-" -/var/log/netfilter.log
& ~
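Once the entries from all firewalls land in one file, the prefix is what lets you attribute them. The following parser is an added example and not part of the original post; it assumes the prefix is laid out as IPTABLES-xy-<description> (the post does not reproduce its exact syntax, so that layout is an assumption) and works on constructed sample lines in the kernel log format shown above.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel/netfilter format shown above (not real
# captures); the "IPTABLES-xy-<description>" prefix layout is an assumption.
SAMPLE_LOG = """\
Mar 25 22:48:18 fw-gw kernel: [14298.362960] IPTABLES-01-deny_broadcast IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:e8:94:f6:af:67:96:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=44531 DPT=7437 LEN=181
Mar 25 22:48:21 fw-gw kernel: [14301.308150] IPTABLES-01-deny_broadcast IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:54:88:0e:08:32:08:08:00 SRC=192.168.1.101 DST=192.168.1.255 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50271 DPT=15600 LEN=47
Mar 25 22:49:02 fw-dmz kernel: [ 1201.000100] IPTABLES-02-ssh_in IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 25 22:49:03 fw-dmz kernel: [ 1201.500000] unrelated kernel message
"""

# Firewall number and rule description come from the log prefix; everything
# after it is the netfilter KEY=VALUE field list.
PREFIX_RE = re.compile(
    r"kernel: \[\s*[\d.]+\] IPTABLES-(?P<fw>\d+)-(?P<rule>\S+) (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for one prefixed log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"fw": m.group("fw"), "rule": m.group("rule")}
    for key, val in KV_RE.findall(m.group("fields")):
        # LEN appears twice (IP total length, then transport payload length);
        # keep the first. Bare flags such as DF or SYN carry no "=" and are
        # skipped, which is fine for attribution purposes.
        rec.setdefault(key, val)
    return rec


def summarize(text):
    """Count hits per firewall and per (firewall, rule, PROTO, DPT) tuple."""
    per_fw, per_rule = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_fw[rec["fw"]] += 1
        per_rule[(rec["fw"], rec["rule"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return per_fw, per_rule

if __name__ == "__main__":
    fw_counts, rule_counts = summarize(SAMPLE_LOG)
    for key, n in sorted(rule_counts.items()):
        print(n, *key)
```

Keep in mind that the LOG target's --log-prefix is limited to 29 characters, so the description part of the prefix has to stay short.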