
I have set up my RPi following the post Sharing the Pi's WiFi connection through the Ethernet port.

I want to have the source IP, source port, source MAC, dest IP and dest port logged by iptables.

I already added the command:

iptables -A FORWARD -p tcp --syn -j LOG --log-prefix "iptables: "

and created a rule for syslog (`touch /etc/rsyslog.d/10-iptables.conf`, `nano /etc/rsyslog.d/10-iptables.conf`):

:msg, contains, "iptables: " -/var/log/iptables.log
& ~

but my /var/log/iptables.log is still empty. Thanks in advance.

  • I don't think rsyslog is running by default on Raspbian. If you are sure it is, edit in `/etc/rsyslog.conf` (it sounds like you are just using the stock version), and `/etc/systemd/journald.conf` (there is a relationship between them as the log stream is provided by journald). – goldilocks Dec 17 '19 at 14:37
  • rsyslog is enabled by default on Raspbian Buster, which I assume @nicolas is running. I'd suggest taking a simpler approach and first getting the iptables logging working into /var/log/messages. OP didn't indicate that the iptables logging is actually working, so focus on that first, then you can work on getting it into a separate log file, if desired. Personally, I like everything in the single system logfile, and use grep or another mechanism to find what I'm looking for. – bls Dec 17 '19 at 16:06

1 Answer

create a rule for syslog (`touch /etc/rsyslog.d/10-iptables.conf`, `nano /etc/rsyslog.d/10-iptables.conf`):

:msg, contains, "iptables: " -/var/log/iptables.log
& ~

Instead try:

# omfile writes to plain files; use the traditional syslog line format
module(
    load="builtin:omfile"
    template="RSYSLOG_TraditionalFileFormat"
)

# LOG target messages arrive from the kernel; match the --log-prefix set on the rule
if $programname == 'kernel' then {
    if $msg contains 'iptables:' then {
        action(type="omfile" file="/var/log/iptables.log" sync="off")
        # stop processing so the line is not also written to the default logs
        stop
    }
}
goldilocks
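The five fields the question asks for (source IP, source port, source MAC, destination IP, destination port) are all carried in each kernel LOG line once the rule fires, but the MAC= field needs unpacking: it is the raw 14-byte Ethernet header printed as colon-separated octets, i.e. destination MAC (the Pi's own interface), then source MAC, then the ethertype. The script below is an added example and not part of the question or the answer; it extracts those fields from log lines of the kind rsyslog would write to /var/log/iptables.log. The sample lines are constructed, and the hostname, interface names, addresses and MAC values in them are made up.

```shell
#!/bin/sh
# Added example: pull source IP/port, source MAC and destination IP/port out of
# iptables LOG lines. SAMPLE_LOG is constructed; nothing in it is real.

SAMPLE_LOG='Dec 17 14:37:01 raspberrypi kernel: [  512.123456] iptables: IN=eth0 OUT=wlan0 MAC=b8:27:eb:12:34:56:dc:a6:32:ab:cd:ef:08:00 SRC=192.168.2.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 17 14:37:02 raspberrypi kernel: [  513.000001] iptables: IN=eth0 OUT=wlan0 MAC=b8:27:eb:12:34:56:00:1a:2b:3c:4d:5e:08:00 SRC=192.168.2.11 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=51000 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 17 14:37:03 raspberrypi CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)'

# Read log lines on stdin and print one record per LOG line:
#   SRC_IP SRC_PORT SRC_MAC DST_IP DST_PORT
# Lines without the "iptables: " prefix (other kernel or daemon messages) are skipped.
parse_iptables_log() {
  awk '
    /iptables: / {
      src = ""; dst = ""; spt = ""; dpt = ""; smac = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC")      src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "SPT") spt = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "MAC") {
          # MAC= is the 14-byte Ethernet header: octets 1-6 destination MAC
          # (the Pi), 7-12 source MAC, 13-14 ethertype (08:00 = IPv4).
          n = split(kv[2], o, ":")
          if (n == 14) {
            smac = o[7]
            for (j = 8; j <= 12; j++) smac = smac ":" o[j]
          }
        }
      }
      print src, spt, smac, dst, dpt
    }'
}

# Nth parsed record from the constructed sample (used by the checks below).
sample_record() {
  printf '%s\n' "$SAMPLE_LOG" | parse_iptables_log | sed -n "${1}p"
}

# Number of LOG records in the sample; the CRON line must not be counted.
sample_count() {
  printf '%s\n' "$SAMPLE_LOG" | parse_iptables_log | awk 'END { print NR }'
}

# Example run over the sample.
printf '%s\n' "$SAMPLE_LOG" | parse_iptables_log
```

On a live system the same function can be fed with `tail -f /var/log/iptables.log | parse_iptables_log`, or with `/var/log/messages` if the separate file is not set up yet. Before blaming rsyslog for an empty file, confirm the rule is firing at all: the LOG target writes to the kernel ring buffer, so `sudo dmesg | grep 'iptables: '` (or `journalctl -k | grep 'iptables: '`) shows the lines independently of any rsyslog configuration, and `sudo iptables -L FORWARD -v -n` shows whether the rule's packet counter is increasing.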