iptables LOG target options

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Explanation: This option tells iptables and syslog which log level to use. For a complete list of log levels read the syslog.conf manual. Normally there are the following log levels, or priorities as they are usually called: debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. The keyword error is the same as err, warn is the same as warning and panic is the same as emerg. Note that all three of these are deprecated; in other words, do not use error, warn or panic. The priority defines the severity of the message being logged. All messages are logged through the kernel facility. In other words, setting kern.=info /var/log/iptables in your syslog.conf file and then letting all your LOG rules in iptables use log level info would make all of their messages appear in the /var/log/iptables file. Note that there may be other messages there as well, from other parts of the kernel that use the info priority. For more information on logging I recommend reading the syslog and syslog.conf man-pages as well as other HOWTOs.

Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Explanation: This option tells iptables to prefix all log messages with a specific string, which can then easily be combined with grep or other tools to track specific problems and output from different rules. The prefix may be up to 29 characters long, including whitespace and other special symbols.

Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Explanation: This option logs the TCP sequence numbers together with the log message. The TCP sequence numbers identify each packet and where it fits into a TCP stream, as well as how the stream should be reassembled. Note that this option constitutes a security risk if the logs are readable by unauthorized users, or by the world for that matter, as does any log that contains output from iptables.

Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Explanation: The --log-tcp-options option logs the options from the TCP packet header and can be valuable when trying to debug what could go wrong, or what has actually gone wrong. This option takes no arguments, like most of the LOG options.

Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Explanation: The --log-ip-options option logs most of the IP packet header options. It works exactly the same as the --log-tcp-options option, but on the IP options instead. These log messages may be valuable when trying to debug or track specific culprits, in just the same way as the previous option.
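The following script is an added example, not code from the tutorial above or from the iptables project. It shows the two sides of the --log-prefix option: a check that a prefix stays within the 29-character limit before a rule is built, and a small parser that pulls fields (SRC, DPT, and SEQ when --log-tcp-sequence is set) out of the kernel log lines such a rule produces and counts them per source address. The helper names are my own, the log lines in SAMPLE_LOG are constructed rather than captured, and the prefix is given a trailing space because the kernel writes the prefix immediately before "IN=".

```shell
#!/bin/sh
# Added example (not part of the tutorial). Helpers for the iptables LOG
# target: check_log_prefix enforces the 29-character prefix limit,
# build_log_rule prints the rule without applying it, and log_field /
# count_by_src read the kernel log lines such a rule writes.

# Returns 0 when the prefix fits the 29-character limit, 1 otherwise.
check_log_prefix() {
    [ "${#1}" -le 29 ]
}

# Print the LOG rule that would be added (nothing is applied; no root needed).
# The kernel writes the prefix directly before "IN=", so end it with a space.
build_log_rule() {   # $1 chain, $2 prefix, $3 syslog level
    check_log_prefix "$2" || return 1
    printf 'iptables -A %s -p tcp -j LOG --log-level %s --log-prefix "%s"\n' \
        "$1" "$3" "$2"
}

# Extract the value of KEY= from one log line: log_field "$line" SRC
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Count lines carrying a given prefix per source address (stdin -> stdout),
# most frequent first, as "count address".
count_by_src() {
    grep -F "kernel: " | grep -F "$1" |
        sed -n 's/.*[[:space:]]SRC=\([^[:space:]]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed lines in the form syslog writes for a rule using
# --log-prefix "INPUT packets " (the third line also has --log-tcp-sequence).
SAMPLE_LOG='Mar  3 10:00:01 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 SEQ=3034489301 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:04 fw kernel: FORWARD drop IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=77 DF PROTO=TCP SPT=3333 DPT=80 WINDOW=1024 RES=0x00 RST URGP=0'

# Usage: print the rule, then summarise the sample log for that prefix.
build_log_rule INPUT 'INPUT packets ' info
printf '%s\n' "$SAMPLE_LOG" | count_by_src 'INPUT packets '
```

The FORWARD line in the sample is deliberately excluded by the prefix filter, which is exactly what the prefix is for when several LOG rules share one log file.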


Reference: http://www.linuxtopia.org/Linux_Firewall_iptables/x4238.html