
How to Log Dropped iptables Packets for Input and Output Traffic

Learn step‑by‑step how to configure iptables to log all dropped inbound and outbound packets to syslog, including creating a LOGGING chain, setting rate limits, customizing log prefixes, directing logs to a specific file, and interpreting the resulting log entries.

Raymond Ops

Abstract: This article explains how to log dropped firewall packets in iptables for both inbound and outbound traffic.

Record all dropped input packets

First, create a LOGGING chain and direct all remaining INPUT packets to it, then log and drop them.

<code>iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP</code>

The commands perform the following actions:

Create a new chain named LOGGING.

Append a rule to INPUT that jumps to LOGGING.

Log the packet to syslog (/var/log/messages), rate-limited to 2 entries per minute by the --limit 2/min match so a flood of drops cannot fill the log.

Drop the packet after logging.

Record all dropped output packets

Similar to the input case, but use the OUTPUT chain. If the LOGGING chain already exists from the previous step, skip the iptables -N line; creating a chain twice fails.

<code>iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP</code>

Record all dropped packets (both input and output)

Add rules for both INPUT and OUTPUT to jump to the LOGGING chain.

<code>iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP</code>

By default, iptables logs to /var/log/messages. To change the log file, add a line to /etc/syslog.conf. The --log-level 4 used above is the syslog "warning" priority, so the kern.warning selector below matches these entries:

<code>kern.warning /var/log/custom.log</code>

How to read iptables logs

Example log entries for dropped inbound and outbound packets:

<code>Aug 4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0</code>

The log fields mean:

IPTables-Dropped: Prefix defined by --log-prefix.

IN and OUT: Network interfaces for inbound and outbound packets. An inbound drop has IN set and OUT empty; an outbound drop has IN empty and OUT set.

SRC and DST: Source and destination IP addresses.

LEN: Packet length.

PROTO: Protocol (e.g., ICMP, TCP).

SPT and DPT: Source and destination ports.
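Reading these entries by hand does not scale once the firewall has been running for a day, so here is a small parser that turns the field list above into a summary of what was dropped, grouped by direction, addresses, protocol and destination port. This is an added example and not part of the original article; the sample lines are constructed in the article's format, and the prefix string assumes the --log-prefix "IPTables-Dropped: " used in the rules above.

```python
from collections import Counter

PREFIX = "IPTables-Dropped: "   # must match the --log-prefix given to the LOG target

# Constructed sample entries in the format the article shows (not captured from a real host).
SAMPLE_LOG = """\
Aug 4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 4 13:23:05 centos kernel: IPTables-Dropped: IN=em1 OUT= SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9435 DF PROTO=TCP SPT=58429 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 4 13:23:09 centos kernel: usb 1-1: new device found
"""


def parse_entry(line):
    """Parse one syslog line; return a dict of LOG fields, or None if it is not a LOG entry."""
    pos = line.find(PREFIX)
    if pos < 0:
        return None
    entry = {"FLAGS": []}
    for token in line[pos + len(PREFIX):].split():
        key, sep, value = token.partition("=")
        if not sep:
            entry["FLAGS"].append(token)   # bare flags such as DF, SYN, ACK
        else:
            entry.setdefault(key, value)   # ICMP lines carry ID twice; keep the IP header ID
    # IN set and OUT empty means the packet was dropped in INPUT; the reverse means OUTPUT
    entry["DIRECTION"] = "inbound" if entry.get("IN") else "outbound"
    return entry


def summarize(log_text):
    """Count logged drops by direction, source, destination, protocol and destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        counts[(e["DIRECTION"], e["SRC"], e["DST"], e["PROTO"], e.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {key[0]:8s} {key[1]} -> {key[2]} {key[3]} dport={key[4]}")
```

Because the LOG rule is rate-limited to 2/min, these counts are the drops that were logged, not every packet the firewall dropped; run it against /var/log/messages (or the custom file) to spot which hosts and ports keep hitting the drop rule.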

Written by

Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
