* prevent iptables LOG target from flooding dmesg
@ 2010-06-05 20:42 Thanasis
       [not found] ` <AANLkTilXnjHFMQI50wTupvFi2hIgf0tMhlu-lzPekPr7@mail.gmail.com>
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Thanasis @ 2010-06-05 20:42 UTC (permalink / raw)
  To: netfilter

The subject says it all.
I have set up logging like so :
--------------------------------------------------------------------------------------------------------------------
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
iptables -A INPUT -i $INTIF ! -s $LAN -j LOG --log-prefix "SPOOFED PKT "
iptables -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
iptables -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
iptables -A FORWARD -i $INTIF ! -s $LAN -j LOG --log-prefix "SPOOFED PKT "
iptables -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
--------------------------------------------------------------------------------------------------------------------
and dmesg is flooded by DROP log messages etc.
I have NETFILTER_NETLINK_LOG [=m]
in the kernel config, but I don't know how to use it,
(and what the module name is).
Any pointers/help will be much appreciated.




* Re: prevent iptables LOG target from flooding dmesg
       [not found] ` <AANLkTilXnjHFMQI50wTupvFi2hIgf0tMhlu-lzPekPr7@mail.gmail.com>
@ 2010-06-05 22:03   ` Thanasis
  0 siblings, 0 replies; 9+ messages in thread
From: Thanasis @ 2010-06-05 22:03 UTC (permalink / raw)
  To: Curby; +Cc: netfilter

on 06/06/2010 12:43 AM Curby wrote the following:
> The problem may be that you're not sure what you should be logging.
> The rules are probably working as expected, but the rules as written
> are bound to be verbose.
> Why do you have these rules?  In short, why is it important to you to
> log everything that's not going through the loopback interface?
> Depending on where these rules exist in your chains, they may even log
> packets that you will accept, in which case the "DROP" log prefix is
> incorrect.
>
> I think it may be time to go back to the drawing board.  Consider
> carefully what you want to log, and then develop new rules to only log
> those packets.  The full ruleset may help us help you further.
>
> --Mike
Here is the full ruleset:

# Generated by iptables-save v1.4.6 on Sun Jun  6 01:00:20 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -i bond0 -j LOG --log-prefix "SPOOFED PKT "
-A INPUT ! -s 192.168.0.0/24 -i bond0 -j DROP
-A INPUT -i bond0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i bond0 -p tcp -m tcp --dport 8888 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i bond0 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i bond0 -p tcp -m tcp --dport 3551 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 10/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A INPUT -i lo -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -s 192.168.0.0/24 -i bond0 -j LOG --log-prefix "SPOOFED PKT "
-A FORWARD ! -s 192.168.0.0/24 -i bond0 -j DROP
-A FORWARD -s 192.168.0.0/24 -i bond0 -m state --state NEW -j ACCEPT
-A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Jun  6 01:00:20 2010
# Generated by iptables-save v1.4.6 on Sun Jun  6 01:00:20 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Jun  6 01:00:20 2010
# Generated by iptables-save v1.4.6 on Sun Jun  6 01:00:20 2010
*mangle
:PREROUTING ACCEPT [5075158:1310503988]
:INPUT ACCEPT [952099:738925140]
:FORWARD ACCEPT [4112581:569194430]
:OUTPUT ACCEPT [932258:673687313]
:POSTROUTING ACCEPT [5042726:1242782393]
-A PREROUTING -p icmp -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p icmp -j RETURN
COMMIT
# Completed on Sun Jun  6 01:00:20 2010



* Re: prevent iptables LOG target from flooding dmesg
  2010-06-05 20:42 prevent iptables LOG target from flooding dmesg Thanasis
       [not found] ` <AANLkTilXnjHFMQI50wTupvFi2hIgf0tMhlu-lzPekPr7@mail.gmail.com>
@ 2010-06-06  3:03 ` Robby Workman
  2010-06-06  5:26   ` Thanasis
  2010-06-06 16:55   ` Thanasis
  2010-06-06  7:09 ` lists
  2 siblings, 2 replies; 9+ messages in thread
From: Robby Workman @ 2010-06-06  3:03 UTC (permalink / raw)
  To: Thanasis; +Cc: netfilter


On Sat, 05 Jun 2010 23:42:21 +0300
Thanasis <thanasis@asyr.hopto.org> wrote:

> ...
> and dmesg is flooded by DROP log messages etc.
> ...


  1) Do you really *care* about most of what you're logging?
 1a) If so, why?

  2) Install ulogd and use -j ULOG instead of -j LOG.

-RW


* Re: prevent iptables LOG target from flooding dmesg
  2010-06-06  3:03 ` Robby Workman
@ 2010-06-06  5:26   ` Thanasis
  2010-06-06 11:31     ` Jan Engelhardt
  2010-06-06 16:55   ` Thanasis
  1 sibling, 1 reply; 9+ messages in thread
From: Thanasis @ 2010-06-06  5:26 UTC (permalink / raw)
  To: Robby Workman; +Cc: netfilter

on 06/06/2010 06:03 AM Robby Workman wrote the following:
> On Sat, 05 Jun 2010 23:42:21 +0300
> Thanasis <thanasis@asyr.hopto.org> wrote:
>
>> ...
>> and dmesg is flooded by DROP log messages etc.
>> ...
>
>
>   1) Do you really *care* about most of what you're logging?
>  1a) If so, why?
Yes and no, because it's a recent install, and I would like to watch
closer, at least for a while ...
>
>   2) Install ulogd and use -j ULOG instead of -j LOG.
I have read about ulog but the kernel config help says for ULOG that it
is deprecated:

"CONFIG_IP_NF_TARGET_ULOG:
This option enables the old IPv4-only "ipt_ULOG" implementation
which has been obsoleted by the new "nfnetlink_log" code (see
CONFIG_NETFILTER_NETLINK_LOG)."

That is why I was asking about CONFIG_NETFILTER_NETLINK_LOG in the first
place...



* Re: prevent iptables LOG target from flooding dmesg
  2010-06-05 20:42 prevent iptables LOG target from flooding dmesg Thanasis
       [not found] ` <AANLkTilXnjHFMQI50wTupvFi2hIgf0tMhlu-lzPekPr7@mail.gmail.com>
  2010-06-06  3:03 ` Robby Workman
@ 2010-06-06  7:09 ` lists
  2010-06-06 10:52   ` Thanasis
  2 siblings, 1 reply; 9+ messages in thread
From: lists @ 2010-06-06  7:09 UTC (permalink / raw)
  To: netfilter

On Sat, 2010-06-05 at 23:42 +0300, Thanasis wrote:
> The subject says it all.
> I have set up logging like so :
> --------------------------------------------------------------------------------------------------------------------
> iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP
> INVALID " --log-ip-options --log-tcp-options
> iptables -A INPUT -i $INTIF ! -s $LAN -j LOG --log-prefix "SPOOFED PKT "
> iptables -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options
> --log-tcp-options
> iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP
> INVALID " --log-ip-options --log-tcp-options
> iptables -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options
> --log-tcp-options
> iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP
> INVALID " --log-ip-options --log-tcp-options
> iptables -A FORWARD -i $INTIF ! -s $LAN -j LOG --log-prefix "SPOOFED PKT "
> iptables -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options
> --log-tcp-options
> --------------------------------------------------------------------------------------------------------------------
> and dmesg is flooded by DROP log messages etc.
> I have NETFILTER_NETLINK_LOG [=m]
> in the kernel config, but I don't know how to use it,
> (and what the module name is).
> Any pointers/help will be much appreciated.

You can limit how much is logged with the 'limit' match. Doing this you
might lose some information but you might be okay with that. The 'limit'
match can be used like this:

$ipt [...] -m limit --limit 3/second [...]

However, I don't know if that's what you want.


--
Rob




* Re: prevent iptables LOG target from flooding dmesg
  2010-06-06  7:09 ` lists
@ 2010-06-06 10:52   ` Thanasis
  0 siblings, 0 replies; 9+ messages in thread
From: Thanasis @ 2010-06-06 10:52 UTC (permalink / raw)
  To: netfilter; +Cc: lists

on 06/06/2010 10:09 AM lists@sterenborg.info wrote the following:
> On Sat, 2010-06-05 at 23:42 +0300, Thanasis wrote:
>> The subject says it all.
>> I have set up logging like so :
>> --------------------------------------------------------------------------------------------------------------------
>> iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP
>> INVALID " --log-ip-options --log-tcp-options
>> iptables -A INPUT -i $INTIF ! -s $LAN -j LOG --log-prefix "SPOOFED PKT "
>> iptables -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options
>> --log-tcp-options
>> iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP
>> INVALID " --log-ip-options --log-tcp-options
>> iptables -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options
>> --log-tcp-options
>> iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP
>> INVALID " --log-ip-options --log-tcp-options
>> iptables -A FORWARD -i $INTIF ! -s $LAN -j LOG --log-prefix "SPOOFED PKT "
>> iptables -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options
>> --log-tcp-options
>> --------------------------------------------------------------------------------------------------------------------
>> and dmesg is flooded by DROP log messages etc.
>> I have NETFILTER_NETLINK_LOG [=m]
>> in the kernel config, but I don't know how to use it,
>> (and what the module name is).
>> Any pointers/help will be much appreciated.
>
> You can limit how much is logged with the 'limit' match. Doing this you
> might lose some information but you might be okay with that. The 'limit'
> match can be used like this:
>
> $ipt [...] -m limit --limit 3/second [...]
>
> However, I don't know if that's what you want.
>
My problem is _not_the_number_ of messages that I get from iptables, but
the fact that _lots_ of them are logged in the buffer of the kernel, filling
it to the point that I lose all important info/warnings that I should
be able to see with dmesg.

e.g. this is all that I get by dmesg now:
(I have hidden some of the IPs for security reasons)

# dmesg
5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15659 PROTO=UDP
SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15659 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15660 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15660 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128
ID=15663 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128
ID=15663 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15668 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15668 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15669 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15669 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15670 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15670 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15671 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15671 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15672 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15672 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15673 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15673 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15674 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15674 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15675 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15675 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15676 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15676 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15677 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15677 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15678 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15678 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15679 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15679 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15680 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15680 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15681 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15681 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15682 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15682 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128
ID=15685 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128
ID=15685 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=92.249.130.158 DST=YY.YYY.YYY.YYY LEN=64
TOS=0x00 PREC=0x00 TTL=35 ID=36826 DF PROTO=TCP SPT=2867 DPT=135
WINDOW=53760 RES=0x00 SYN URGP=0 OPT
(020405A0010303030101080A000000000000000001010402)
DROP IN=ppp0 OUT= MAC= SRC=92.249.130.158 DST=YY.YYY.YYY.YYY LEN=64
TOS=0x00 PREC=0x00 TTL=35 ID=37606 DF PROTO=TCP SPT=2867 DPT=135
WINDOW=53760 RES=0x00 SYN URGP=0 OPT
(020405A0010303030101080A000000000000000001010402)
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15689 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15689 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15690 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15690 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15691 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15691 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15692 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15692 PROTO=UDP SPT=137 DPT=137 LEN=58
SPOOFED PKT IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=355 TOS=0x00 PREC=0x00 TTL=64
ID=36184 PROTO=UDP SPT=68 DPT=67 LEN=335
SPOOFED PKT IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=355 TOS=0x00 PREC=0x00 TTL=64
ID=36184 PROTO=UDP SPT=68 DPT=67 LEN=335
DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=355 TOS=0x00 PREC=0x00 TTL=64
ID=36184 PROTO=UDP SPT=68 DPT=67 LEN=335
SPOOFED PKT IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=367 TOS=0x00 PREC=0x00 TTL=64
ID=25448 PROTO=UDP SPT=68 DPT=67 LEN=347
SPOOFED PKT IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=367 TOS=0x00 PREC=0x00 TTL=64
ID=25448 PROTO=UDP SPT=68 DPT=67 LEN=347
DROP IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00
SRC=0.0.0.0 DST=255.255.255.255 LEN=367 TOS=0x00 PREC=0x00 TTL=64
ID=25448 PROTO=UDP SPT=68 DPT=67 LEN=347
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15693 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15693 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15694 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15694 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15695 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15695 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15696 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15696 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15697 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128
ID=15697 PROTO=UDP SPT=138 DPT=138 LEN=182
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15698 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15698 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15699 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15699 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15700 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15700 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15701 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15701 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15702 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15702 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15703 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
ID=15703 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=218.25.11.207 DST=YY.YYY.YYY.YYY LEN=40
TOS=0x00 PREC=0x00 TTL=107 ID=61402 PROTO=TCP SPT=6000 DPT=1433
WINDOW=16384 RES=0x00 SYN URGP=0
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128
ID=15707 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00
SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128
ID=15707 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=ppp0 OUT= MAC= SRC=58.247.163.220 DST=YY.YYY.YYY.YYY LEN=30
TOS=0x00 PREC=0x00 TTL=114 ID=3635 PROTO=UDP SPT=9739 DPT=4672 LEN=10
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP INVALID IN=ppp0 OUT= MAC= SRC=209.132.180.67 DST=YY.YYY.YYY.YYY
LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=35728 DPT=25
WINDOW=0 RES=0x00 RST URGP=0
DROP IN=ppp0 OUT= MAC= SRC=XX.XXX.X.XXX DST=224.0.0.1 LEN=32 TOS=0x00
PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
#
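
Added example, not part of the original thread: one way to answer the question raised in the replies (what is actually worth logging) is to tally the LOG lines by prefix, input interface, protocol and destination port before deciding what to keep. The sample lines are constructed in the format of the dmesg output above, with documentation addresses standing in for the hidden ones; `tally_log` and `noisy_flows` are names chosen for this example.

```shell
#!/bin/sh
# Added example: tally iptables LOG lines to see which flows fill the log.

# Constructed sample, one kernel line per packet (not wrapped).
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
sample_log() {
cat <<'EOF'
[   12.345678] example: unrelated kernel message that should be skipped
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15659 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15659 PROTO=UDP SPT=137 DPT=137 LEN=58
[  101.000001] DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15660 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15660 PROTO=UDP SPT=137 DPT=137 LEN=58
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=15663 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0a:48:08:29:8b:08:00 SRC=192.168.0.5 DST=192.168.0.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=15663 PROTO=UDP SPT=138 DPT=138 LEN=209
DROP IN=ppp0 OUT= MAC= SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
DROP IN=ppp0 OUT= MAC= SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 OPT (94040000) PROTO=2
SPOOFED PKT IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=355 TOS=0x00 PREC=0x00 TTL=64 ID=36184 PROTO=UDP SPT=68 DPT=67 LEN=335
SPOOFED PKT IN=bond0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:25:43:7f:93:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=355 TOS=0x00 PREC=0x00 TTL=64 ID=36184 PROTO=UDP SPT=68 DPT=67 LEN=335
DROP IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=61402 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
DROP INVALID IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=35728 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
EOF
}

# Read kernel log lines on stdin and print "count|prefix|in|proto|dport",
# busiest flow first. Lines that are not LOG-target output are ignored.
tally_log() {
    awk '
    {
        line = $0
        sub(/^\[[ 0-9.]+\] /, "", line)          # drop a dmesg timestamp if present
        pos = index(line, "IN=")
        if (pos == 0 || index(line, " OUT=") == 0) next
        prefix = substr(line, 1, pos - 1)         # text set with --log-prefix
        sub(/ +$/, "", prefix)
        if (prefix == "") prefix = "(no prefix)"
        in_if = "-"; proto = "-"; dpt = "-"       # "-" when a field is absent (IGMP, ICMP)
        n = split(substr(line, pos), f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^IN=/) { if (length(f[i]) > 3) in_if = substr(f[i], 4) }
            else if (f[i] ~ /^PROTO=/) proto = substr(f[i], 7)
            else if (f[i] ~ /^DPT=/)   dpt = substr(f[i], 5)
        }
        count[prefix "|" in_if "|" proto "|" dpt]++
    }
    END { for (k in count) printf "%d|%s\n", count[k], k }
    ' | LC_ALL=C sort -t'|' -k1,1nr -k2
}

# Same tally, restricted to flows seen at least MIN times (default 2).
noisy_flows() {
    tally_log | awk -F'|' -v min="${1:-2}" '$1 >= min'
}

sample_log | tally_log
```

On a live system the input would be `dmesg | tally_log`; the flows at the top are the candidates for a silent DROP ahead of the LOG rule, or for a narrower LOG match.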




* Re: prevent iptables LOG target from flooding dmesg
  2010-06-06  5:26   ` Thanasis
@ 2010-06-06 11:31     ` Jan Engelhardt
  2010-06-06 13:42       ` Thanasis
  0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-06-06 11:31 UTC (permalink / raw)
  To: Thanasis; +Cc: Robby Workman, netfilter


On Sunday 2010-06-06 07:26, Thanasis wrote:
>>
>>   2) Install ulogd and use -j ULOG instead of -j LOG.
>I have read about ulog but the kernel config help says for ULOG that it
>is deprecated:

Try -j NFLOG.


* Re: prevent iptables LOG target from flooding dmesg
  2010-06-06 11:31     ` Jan Engelhardt
@ 2010-06-06 13:42       ` Thanasis
  0 siblings, 0 replies; 9+ messages in thread
From: Thanasis @ 2010-06-06 13:42 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Robby Workman, netfilter

on 06/06/2010 02:31 PM Jan Engelhardt wrote the following:
>
> On Sunday 2010-06-06 07:26, Thanasis wrote:
>>>
>>>   2) Install ulogd and use -j ULOG instead of -j LOG.
>> I have read about ulog but the kernel config help says for ULOG that it
>> is deprecated:
>
> Try -j NFLOG.
>
>
I installed ulogd2, as suggested in
http://www.netfilter.org/projects/libnetfilter_log/
... but I cannot start it.

(# ulogd -V
ulogd Version 2.0.0beta
Copyright (C) 2000-2005 Harald Welte <laforge@netfilter.org>)

Here is what /var/log/ulogd.log says:

Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `NFLOG'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `ULOG'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `NFCT'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `IFINDEX'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `IP2STR'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `IP2BIN'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `PRINTPKT'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `HWHDR'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `PRINTFLOW'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `MARK'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `LOGEMU'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `SYSLOG'
Sun Jun  6 16:36:02 2010 <5> ulogd.c:372 registering plugin `BASE'
Sun Jun  6 16:36:02 2010 <8> ulogd.c:1173 not even a single working
plugin stack



* Re: prevent iptables LOG target from flooding dmesg
  2010-06-06  3:03 ` Robby Workman
  2010-06-06  5:26   ` Thanasis
@ 2010-06-06 16:55   ` Thanasis
  1 sibling, 0 replies; 9+ messages in thread
From: Thanasis @ 2010-06-06 16:55 UTC (permalink / raw)
  To: Robby Workman; +Cc: netfilter

on 06/06/2010 06:03 AM Robby Workman wrote the following:
> On Sat, 05 Jun 2010 23:42:21 +0300
> Thanasis <thanasis@asyr.hopto.org> wrote:
>
>> ...
>> and dmesg is flooded by DROP log messages etc.
>> ...
>
>
>   1) Do you really *care* about most of what you're logging?
>  1a) If so, why?
>
>   2) Install ulogd and use -j ULOG instead of -j LOG.
>
> -RW
I tried ULOG with ulogd and it worked!
I just had to remove options like:
... --log-ip-options --log-tcp-options
which are not valid for ULOG, but even without them that data is there
anyway.
Thanks ;-)
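
Added example, not part of the original thread: the `-j NFLOG` target suggested by Jan Engelhardt has the same property reported above for ULOG, in that the `--log-*` options belong to the LOG target only. The filter below rewrites LOG rules in iptables-save format as NFLOG rules; the function name `log_to_nflog` and the group number 1 are assumptions of this example, and the sample rules are copied from the ruleset posted earlier in the thread.

```shell
#!/bin/sh
# Added example: rewrite "-j LOG" rules in iptables-save format as "-j NFLOG".

# Usage: log_to_nflog [GROUP] < rules-in > rules-out
# GROUP is the netlink group packets are sent to (default 1); it must match
# the group the userspace logger (such as ulogd 2.x) is configured to receive.
log_to_nflog() {
    group=${1:-1}
    case $group in
        ''|*[!0-9]*)
            echo "log_to_nflog: group must be a number" >&2
            return 1 ;;
    esac
    # 1. leave every rule that does not jump to LOG untouched
    # 2. drop the LOG-only flags, which NFLOG rejects
    # 3. drop --log-level and its argument
    # 4. carry the prefix over under the NFLOG option name
    # 5. switch the target and add the group
    # A prefix string that itself contains these option names is not handled.
    sed -E \
        -e '/ -j LOG( |$)/!b' \
        -e 's/ --log-(tcp-options|ip-options|tcp-sequence|uid)//g' \
        -e 's/ --log-level [^ ]+//' \
        -e 's/ --log-prefix / --nflog-prefix /' \
        -e "s/ -j LOG( |\$)/ -j NFLOG --nflog-group ${group}\\1/"
}

# Rules copied from the ruleset posted earlier in the thread.
sample_rules() {
cat <<'EOF'
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -s 192.168.0.0/24 -i bond0 -j LOG --log-prefix "SPOOFED PKT "
-A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
EOF
}

# On a live system the filter can sit between iptables-save and
# "iptables-restore --test", which parses the result without committing it.
sample_rules | log_to_nflog 1
```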
