Chris Fearnley on Thu, 8 May 2003 16:49:21 -0400
Jon and others,

The solution to the iptables question raised at the meeting last night is in
the man page for iptables(8):

   LOG
       Turn on kernel logging of matching packets. When this option is set
       for a rule, the Linux kernel will print some information on all
       matching packets (like most IP header fields) via the kernel log
       (where it can be read with dmesg or syslogd(8)). This is a
       "non-terminating target", i.e. rule traversal continues at the next
       rule. So if you want to LOG the packets you refuse, use two separate
       rules with the same matching criterias, first using target LOG then
       DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

So on your systems that don't log to the console something like the following
must be set up:

   LOG_LEVEL=7
   iptables -t filter -A tcprules -i eth0 -s 10.0.0.0/8 \
       -j LOG --log-level ${LOG_LEVEL}

If you search in the script for --log-level, you may discover the name of the
variable that can be configured to turn logging off the console. 7 (debug)
should keep messages in the logs, but off the console.

-- 
Christopher J. Fearnley          | LinuxForce Inc.
cjf@LinuxForce.net               | Chief Technology Officer
http://www.LinuxForce.net        | Software Solutions / Systems Management
_________________________________________________________________________
Philadelphia Linux Users Group  -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
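The LOG-then-DROP pairing the post quotes from the man page, written out as a small POSIX shell helper. This is an added example, not code from the original message or from LinuxForce's scripts; the chain name "tcprules", the interface and the 10.0.0.0/8 source are taken from the post, while the function names, the --log-prefix value and the IPTABLES variable are assumptions of this example. IPTABLES defaults to "echo" so the script previews the commands; set IPTABLES=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example: append a LOG rule and a DROP rule with identical match
# criteria, so refused packets are recorded in the kernel log (dmesg/syslog)
# but, at level 7 (debug), stay off the console.
# IPTABLES defaults to "echo" for a dry run; export IPTABLES=iptables to apply.

IPTABLES="${IPTABLES:-echo}"

# Map a syslog level name (as in syslog.conf(5)) or a digit 0-7 to the
# numeric value that iptables' --log-level option expects.
syslog_level() {
    case "$1" in
        emerg|0)        echo 0 ;;
        alert|1)        echo 1 ;;
        crit|2)         echo 2 ;;
        err|3)          echo 3 ;;
        warning|warn|4) echo 4 ;;
        notice|5)       echo 5 ;;
        info|6)         echo 6 ;;
        debug|7)        echo 7 ;;
        *) echo "unknown syslog level: $1" >&2; return 1 ;;
    esac
}

# log_then_drop CHAIN IFACE SOURCE LEVEL PREFIX
# LOG is a non-terminating target, so a second rule with the same match is
# needed to actually refuse the packet. The prefix (max 29 chars in iptables)
# makes the kernel log lines easy to grep for later.
log_then_drop() {
    chain=$1; iface=$2; src=$3; level=$4; prefix=$5
    num=$(syslog_level "$level") || return 1
    "$IPTABLES" -t filter -A "$chain" -i "$iface" -s "$src" \
        -j LOG --log-level "$num" --log-prefix "$prefix" &&
    "$IPTABLES" -t filter -A "$chain" -i "$iface" -s "$src" -j DROP
}

# Same rule as in the post, plus the matching DROP (prefix is assumed):
log_then_drop tcprules eth0 10.0.0.0/8 debug "refused-10net: "
```

Whether a level-7 message still reaches the console depends on the kernel's console log level (the first value of kernel.printk, or klogd's -c option) and on any kern.* console selector in syslog.conf; the iptables rule only sets the priority each matching packet is logged with.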