Chris Fearnley on Thu, 8 May 2003 16:49:21 -0400



[PLUG] solution: how to keep iptables from spamming the console


Jon and others,

The solution to the iptables question raised at the meeting last night
is in the man page for iptables(8):

LOG
       Turn  on  kernel  logging of matching packets.  When this option is
       set for a rule, the Linux kernel will print some information on all
       matching  packets  (like  most IP header fields) via the kernel log
       (where it can be read with dmesg or syslogd(8)).  This is  a "non-
       terminating  target",  i.e.  rule  traversal  continues at the next
       rule.  So if you want to LOG the packets you refuse, use two
       separate rules with the same matching criterias, first using target LOG
       then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

So on your systems that don't log to the console something like the
following must be set up:

LOG_LEVEL=7

iptables -t filter -A tcprules -i eth0 -s 10.0.0.0/8 \
         -j LOG --log-level ${LOG_LEVEL}

If you search in the script for --log-level, you may discover the name
of the variable that can be configured to turn logging off the console.
7 (debug) should keep messages in the logs, but off the console.

-- 
Christopher J. Fearnley     |   LinuxForce Inc.
cjf@LinuxForce.net          |   Chief Technology Officer
http://www.LinuxForce.net   |   Software Solutions / Systems Management
_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
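The pattern from the iptables(8) excerpt, as an added example that is not part of Chris's post or of the script he refers to: a function that emits the LOG rule followed by the DROP rule with identical match criteria, and a small check of whether a given --log-level would still reach the console, based on the console_loglevel figure in /proc/sys/kernel/printk. The chain name "tcprules", the --log-prefix text and the sample printk values are assumptions; --log-prefix is a real LOG target option not mentioned in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the two-rule LOG-then-DROP
# pattern from iptables(8), plus a check of whether a given --log-level
# would reach the console under the kernel's current printk settings.
# The chain name "tcprules" and the sample printk values are assumptions.

# Thin wrapper: with IPT_DRY_RUN=1 the rule is printed instead of applied,
# so the logic can be exercised without root or a live firewall.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# log_and_drop CHAIN IFACE SRC LEVEL PREFIX
# LOG is a non-terminating target: the packet is logged and rule traversal
# continues, so the DROP rule with the same match criteria must come second.
log_and_drop() {
    chain=$1; iface=$2; src=$3; level=$4; prefix=$5
    ipt -t filter -A "$chain" -i "$iface" -s "$src" \
        -j LOG --log-level "$level" --log-prefix "$prefix"
    ipt -t filter -A "$chain" -i "$iface" -s "$src" -j DROP
}

# reaches_console PRINTK_CONTENTS LEVEL
# /proc/sys/kernel/printk holds four numbers; the first is console_loglevel.
# The kernel prints a message to the console only when its priority is
# numerically lower than console_loglevel, so --log-level 7 (debug) stays
# off the console while console_loglevel is 7 or less, but is shown again
# if an administrator has raised it to 8 (for example with "dmesg -n 8").
reaches_console() {
    console_loglevel=$(printf '%s\n' "$1" | awk '{ print $1 }')
    [ "$2" -lt "$console_loglevel" ]
}

# Demonstration in dry-run mode: prints the two rules, applies nothing.
( IPT_DRY_RUN=1; log_and_drop tcprules eth0 10.0.0.0/8 7 "PRIVATE-SRC: " )

# On a real system, warn if level 7 would still hit the console.
if [ -r /proc/sys/kernel/printk ]; then
    if reaches_console "$(cat /proc/sys/kernel/printk)" 7; then
        echo "console_loglevel is above 7: level 7 LOG messages will reach the console"
    fi
fi
```

Run it as root without IPT_DRY_RUN to append the rules for real; the printk check is the caveat behind "7 (debug) should keep messages in the logs, but off the console": that holds only while console_loglevel is at most 7, and the messages still land in the kernel log for syslogd or dmesg regardless of the console setting.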