Something That Wants to Be an Engineer

Memo-ish notes from something that wants to be an engineer.

Splitting iptables logs out of syslog into their own file

Another update after a really, really long gap...

The iptables logs get mixed into syslog and make it hard to read, so I'm separating them out.

The environment is Debian.

$ cat /etc/debian_version
12.10
$ uname -a
Linux tminserver 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 GNU/Linux
$ sudo iptables --version
iptables v1.8.9 (nf_tables)

 

■ Current situation

Since the current Debian version (bookworm)?

The file is now syslog instead of messages, but iptables logs pour into it non-stop, and roughly 95% of syslog is iptables output. So whenever there is a system error I end up checking syslog with something like grep -v enp. Not great.

The iptables rules themselves are the ones I wrote ages ago in the post below, used as-is.

Whether they are actually written correctly is another matter...

t-min.hatenablog.com

 

Configuring log output in iptables

The default log-level is apparently warning, but it can also be set explicitly.

www.asahi-net.or.jp

However, iptables -nL showed no prefix being recognised, so I checked the configuration.

Most of what happens in INPUT is DROP, and that is exactly what I want to look at, but there was no prefix on it, so the last two lines are what I added:

iptables -A INPUT -j LOG --log-level warning --log-prefix "DROP:" ★ log INPUT drops with the DROP: prefix

iptables -A FORWARD -j LOG --log-level warning --log-prefix "DROP:" ★ same for FORWARD

 

Check syslog, and if the entries now carry the DROP: prefix, good.

$ sudo iptables-save

Save the rules with that.

$ sudo iptables -nL

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  192.168.0.0/16       0.0.0.0/0
DROP       0    --  172.16.0.0/12        0.0.0.0/0
DROP       0    --  10.0.0.0/8           0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 0
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20022
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
ACCEPT     17   --  210.158.149.0/24     0.0.0.0/0            udp spt:53
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP:"

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  192.168.0.0/16       0.0.0.0/0
DROP       0    --  172.16.0.0/12        0.0.0.0/0
DROP       0    --  10.0.0.0/8           0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP:"

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 0
ACCEPT     1    --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68

Chain LOGGING (0 references)
target     prot opt source               destination
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP:"
DROP       0    --  0.0.0.0/0            0.0.0.0/0

 

 

That completes the preparation for separating the logs.

■ Configuring the output destination in rsyslog

In terms of config files, the relevant part is here:

/etc/rsyslog.conf

*.*;auth,authpriv.none     -/var/log/syslog ← the iptables logs, which are kern.warning, end up here

kern.*            -/var/log/kern.log  ← and here too

So right now they are being dumped into both syslog and kern.log.

 

First, set up output to iptables.log.

$ sudo vi /etc/rsyslog.d/iptables.conf

:msg, contains, "DROP:"  /var/log/iptables.log

Messages containing DROP: go to iptables.log.

$ sudo systemctl restart rsyslog

After that /var/log/iptables.log gets created, so take a quick look at it.

$ sudo tail -f /var/log/iptables.log
2025-03-30T23:09:43.301815+09:00 tminserver kernel: [917184.079277] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=78.128.114.2 DST=221.118.56.200 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=9404 PROTO=TCP SPT=51720 DPT=6176 WINDOW=1025 RES=0x00 SYN URGP=0
2025-03-30T23:09:46.824978+09:00 tminserver kernel: [917187.601438] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=216.239.38.223 DST=221.118.56.200 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=0 DF PROTO=TCP SPT=443 DPT=54072 WINDOW=0 RES=0x00 RST URGP=0
2025-03-30T23:09:46.825028+09:00 tminserver kernel: [917187.601522] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=142.250.196.106 DST=221.118.56.200 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=0 DF PROTO=TCP SPT=443 DPT=54191 WINDOW=0 RES=0x00 RST URGP=0
2025-03-30T23:09:48.346636+09:00 tminserver kernel: [917189.124045] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=15.235.224.239 DST=221.118.56.200 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=17294 PROTO=TCP SPT=44319 DPT=3169 WINDOW=65535 RES=0x00 SYN URGP=0
2025-03-30T23:09:58.869294+09:00 tminserver kernel: [917199.646620] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=67.205.169.88 DST=221.118.56.200 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=52853 PROTO=TCP SPT=45991 DPT=88 WINDOW=65535 RES=0x00 SYN URGP=0
2025-03-30T23:09:59.680726+09:00 tminserver kernel: [917200.458046] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=134.209.13.16 DST=221.118.56.200 LEN=44 TOS=0x00 PREC=0x00 TTL=236 ID=54321 PROTO=TCP SPT=45677 DPT=100 WINDOW=65535 RES=0x00 SYN URGP=0
2025-03-30T23:10:21.329802+09:00 tminserver kernel: [917222.106926] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=206.189.95.94 DST=221.118.56.200 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=11374 PROTO=TCP SPT=62383 DPT=23 WINDOW=59575 RES=0x00 SYN URGP=0
2025-03-30T23:10:35.912868+09:00 tminserver kernel: [917236.689867] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=20.65.194.142 DST=221.118.56.200 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=54321 PROTO=TCP SPT=48456 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
2025-03-30T23:11:03.968122+09:00 tminserver kernel: [917264.744881] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=162.216.150.14 DST=221.118.56.200 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=49522 DPT=25000 WINDOW=65535 RES=0x00 SYN URGP=0
2025-03-30T23:11:26.224167+09:00 tminserver kernel: [917287.000730] DROP:IN=enp2s0 OUT= MAC=84:47:09:2f:a4:40:54:51:de:6a:48:2c:08:00 SRC=156.229.232.48 DST=221.118.56.200 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=54686 PROTO=TCP SPT=45628 DPT=8888 WINDOW=1025 RES=0x00 SYN URGP=0

There are always suspicious connection attempts coming in, so this could be confirmed right away.
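Once the DROP: lines are in their own file they are easy to process. The following is an added example, not code from the original post: it parses lines of exactly the shape shown above (rsyslog timestamp, host, "kernel:", uptime stamp, then the --log-prefix immediately followed by the kernel's key=value fields) and counts dropped connection attempts by source and by port. The sample lines are constructed with documentation-range addresses.

```python
"""Added example, not from the original post: parse the netfilter LOG lines rsyslog writes to
/var/log/iptables.log and summarise what the DROP: rules are dropping."""
import re
from collections import Counter

# The prefix is captured lazily up to the first "IN=" field, so any --log-prefix value works.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: \[\s*\d+\.\d+\] (?P<prefix>.*?)(?P<body>IN=.*)$")

def parse_line(line):
    """Return {'ts', 'host', 'prefix', 'fields', 'flags'} for a LOG line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("body").split():
        if "=" in tok:                 # key=value; the value may be empty (OUT= on inbound packets)
            k, _, v = tok.partition("=")
            fields[k] = v
        else:                          # bare tokens are IP/TCP flags: DF, SYN, ACK, RST, ...
            flags.append(tok)
    return {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"], "fields": fields, "flags": flags}

def summarize(lines, prefix="DROP:"):
    """Count connection attempts (TCP SYN without ACK, or UDP) by source and by proto/port;
    anything else, e.g. a late RST to an already closed connection, is counted as 'other'."""
    by_src, by_port = Counter(), Counter()
    attempts = other = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:   # skip non-kernel lines and other prefixes
            continue
        f, flags = rec["fields"], rec["flags"]
        proto = f.get("PROTO", "?")
        if (proto == "TCP" and "SYN" in flags and "ACK" not in flags) or proto == "UDP":
            attempts += 1
            by_src[f.get("SRC", "?")] += 1
            by_port[(proto, f.get("DPT", "?"))] += 1
        else:
            other += 1
    return {"attempts": attempts, "other": other, "by_src": by_src, "by_port": by_port}

# Constructed sample (documentation-range addresses), shaped like the page's log output.
SAMPLE_LOG = """\
2025-03-30T23:09:43.301815+09:00 host kernel: [917184.079277] DROP:IN=enp2s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=9404 PROTO=TCP SPT=51720 DPT=23 WINDOW=1025 RES=0x00 SYN URGP=0
2025-03-30T23:09:46.824978+09:00 host kernel: [917187.601438] DROP:IN=enp2s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.50 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=0 DF PROTO=TCP SPT=443 DPT=54072 WINDOW=0 RES=0x00 RST URGP=0
2025-03-30T23:10:21.329802+09:00 host kernel: [917222.106926] DROP:IN=enp2s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=11374 PROTO=UDP SPT=5060 DPT=5060 LEN=40
2025-03-30T23:10:35.912868+09:00 host kernel: [917236.689867] DROP:IN=enp2s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=54321 PROTO=TCP SPT=48456 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
"""
```

On the real file, `summarize(open("/var/log/iptables.log").read().splitlines())` gives the same counters; `by_port.most_common()` shows which ports are being probed and `other` separates harmless stragglers such as the RSTs from port 443 visible in the page's output.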

 

Next, configure things so they no longer go to syslog and kern.log.

#
# Log anything besides private authentication messages to a single log file
#
*.*;auth,authpriv.none,kern.!=warning           -/var/log/syslog

#
# Log commonly used facilities to their own log file
#
auth,authpriv.*                 /var/log/auth.log
cron.*                          -/var/log/cron.log
kern.!=warning                  -/var/log/kern.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

The iptables logs come out as kern.warning, so negate that with !.

But this drops all warnings, so is this really OK...?

※ If there are other warning-level messages I would want to see in syslog, they would get lost too...
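One way to keep the iptables lines out of syslog and kern.log without losing every other kern.warning message, added here as an example and not part of the original post: end the dedicated filter in /etc/rsyslog.d/iptables.conf with `stop`, so a matched message is discarded before the `*.*` and `kern.*` rules in /etc/rsyslog.conf are evaluated. This assumes Debian's stock rsyslog.conf, which includes /etc/rsyslog.d/*.conf ahead of its RULES section, and it restricts the match to the kern facility so an application message that happens to contain "DROP:" is not captured.

```conf
# /etc/rsyslog.d/iptables.conf (added example; RainerScript form of the page's legacy filter)
# Only kernel-facility messages carrying the netfilter prefix go to the dedicated file ...
if $syslogfacility-text == 'kern' and $msg contains 'DROP:IN=' then {
    action(type="omfile" file="/var/log/iptables.log")
    # ... and processing ends here, so the *.* and kern.* lines in rsyslog.conf never see
    # them. Other kern.warning messages are unaffected and still reach syslog and kern.log.
    stop
}
```

With this in place the `kern.!=warning` edits to /etc/rsyslog.conf are not needed; `rsyslogd -N1` checks the syntax before the restart.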

 

Once configured, restart rsyslog to apply the change.

$ sudo systemctl restart rsyslog

After that, run tail -f /var/log/syslog and tail -f /var/log/kern.log; if the output has stopped, all good.

 

Log rotation for iptables.log

Rotation is handled by logrotate.

$ sudo vi /etc/logrotate.d/rsyslog

$ cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
/var/log/iptables.log ★ added this line
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

A quick functional test.

$ sudo logrotate -dv /etc/logrotate.d/rsyslog
warning: logrotate in debug mode does nothing except printing debug messages!  Consider using verbose mode (-v) instead if this is not what you want.

reading config file /etc/logrotate.d/rsyslog
Reading state from file: /var/lib/logrotate/status
Allocating hash table for state file, size 64 entries
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state
Creating new state

Handling 1 log

rotating pattern: /var/log/syslog

/var/log/mail.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
/var/log/iptables.log
 weekly (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/syslog
  Now: 2025-03-30 23:20
  Last rotated at 2025-03-30 00:00
  log does not need rotating (log has been rotated at 2025-03-30 00:00, which is less than a week ago)
considering log /var/log/mail.log
  Now: 2025-03-30 23:20
  Last rotated at 2025-03-30 00:00
  log does not need rotating (log has been rotated at 2025-03-30 00:00, which is less than a week ago)
considering log /var/log/kern.log
  Now: 2025-03-30 23:20
  Last rotated at 2025-03-30 00:00
  log does not need rotating (log has been rotated at 2025-03-30 00:00, which is less than a week ago)
considering log /var/log/auth.log
  Now: 2025-03-30 23:20
  Last rotated at 2025-03-30 00:00
  log does not need rotating (log has been rotated at 2025-03-30 00:00, which is less than a week ago)
considering log /var/log/user.log
  Now: 2025-03-30 23:20
  Last rotated at 2024-12-01 00:00
  log does not need rotating (log is empty)
considering log /var/log/cron.log
  Now: 2025-03-30 23:20
  Last rotated at 2025-03-30 00:00
  log does not need rotating (log has been rotated at 2025-03-30 00:00, which is less than a week ago)
considering log /var/log/iptables.log
Creating new state
  Now: 2025-03-30 23:20
  Last rotated at 2025-03-30 23:00
  log does not need rotating (log has already been rotated)
not running postrotate script, since no logs were rotated

It says it is not time to rotate yet, but the file is being recognised, so it is probably fine.

I'll check again in a week...

 

And with that, syslog is readable again!!
