Everyone knows iptables as the classic software firewall, but you have probably not used its LOG target to record and keep a log very often. This time, because the cost of rebuilding Nginx with the stream module and getting the real client IP (ngx_http_realip_module / ngx_stream_realip_module) was too high, the fallback was to forward with iptables instead, which leaves two problems to solve: how to save the log, and how to rotate it by time. The original plan was to ship the log straight into EFK with Filebeat, but for various reasons that was shelved for now, so in the end I chose the simpler route of handling it with rsyslog on the local server.
Saving iptables logs to their own file with rsyslog: a practical note

2019-05-09 - first draft

Read the original - https://wsgzao.github.io/post...

Further reading
rsyslog - https://www.rsyslog.com/guides/
How to Enable Logging in Iptables on Linux - https://tecadmin.net/enable-l...
How to configure syslog to log the iptables messages to a different log file in Red Hat Enterprise Linux 5/6/7 (Red Hat knowledge base article; it has one tab each for RHEL 5, 6 and 7. The RHEL 5 variant below targets sysklogd's /etc/syslog.conf; on RHEL 6/7 the same selector line goes into /etc/rsyslog.conf, as shown further down.)

syslog

```bash
# Make a backup of /etc/syslog.conf before making any changes to it.
cp /etc/syslog.conf /etc/syslog.conf.bak

# Edit /etc/syslog.conf with an editor such as vi and add the lines:
# iptables log
kern.warning    /var/log/iptables

# Make sure the iptables rule is logging at the appropriate level. This can be
# done with the --log-level switch. The default log level is warning (4).
# The example below logs ssh attempts:
iptables -I INPUT -p tcp --dport 22 -j LOG --log-level 4

# Note: the log levels are listed in: man syslog
# Note: consider adding a prefix to your iptables rule. This makes it easier to
# separate the firewall messages from the few random messages the kernel puts out.
# The example below logs ping and adds the prefix "#### Firewall ####"
# (the trailing space inside the quotes keeps the prefix separate from the IN= field).
iptables -I INPUT -p icmp --icmp-type ping -j LOG --log-prefix "#### Firewall #### "

# Note: follow the steps below if iptables prints all the logs on the console.
# Step 1: add this entry to /etc/sysctl.conf. The first number is the console
# log level: only messages more urgent than 4 (warning) still reach the console.
kernel.printk = 4 1 1 7
# Step 2: apply the change at runtime.
/sbin/sysctl -p /etc/sysctl.conf
# Step 3: verify the running value.
cat /proc/sys/kernel/printk
```
Add a LOG rule with a custom --log-prefix to the nat table's PREROUTING chain, in front of the DNAT rule. Two things to keep in mind: the nat table is only consulted for the first packet of a connection, so this records one line per new connection rather than one per packet, and the LOG rule has to come before DNAT because DNAT ends rule traversal for that packet.

```bash
vim /etc/sysconfig/iptables
```

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# log each new connection to <IP>:443 before it is rewritten; the trailing space
# in the prefix keeps it separate from the IN= field of the log line
-A PREROUTING -p tcp -d <IP> --dport 443 -j LOG --log-prefix "seatalk: "
-A PREROUTING -p tcp -d <IP> --dport 443 -j DNAT --to-destination 10.71.19.142:443
-A POSTROUTING -j MASQUERADE
COMMIT
```

```bash
# reload the rule set from /etc/sysconfig/iptables
service iptables reload
```
rsyslog is a multi-threaded, enhanced version of syslogd. Fedora, Ubuntu and RHEL 6 all ship rsyslog as the default logging system now.

rsyslog writes the log; logrotate backs up and deletes old logs and creates the fresh log file.
```bash
# create the iptables log directory
mkdir -p /var/log/iptables/

# edit rsyslog.conf and add the selector line
vim /etc/rsyslog.conf
# Save iptables log
kern.warning    /var/log/iptables/iptables.log

# restart rsyslog
service rsyslog restart
```

Note what this selector matches: kern.warning is every kernel message of priority warning or higher, not only the LOG lines, and the stock `*.info;mail.none;authpriv.none;cron.none /var/log/messages` rule still writes the same messages to /var/log/messages a second time, because a message keeps flowing through later rules unless it is discarded.
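As an added example, not taken from the original post, here is a drop-in rsyslog rule that selects the firewall lines by their --log-prefix instead of by kern.warning and keeps them out of /var/log/messages. The file name is an assumption, the "seatalk:" prefix is the one used in the NAT rule above, and it assumes the stock RHEL rsyslog.conf, which pulls in /etc/rsyslog.d/*.conf before its own rules (check the position of `$IncludeConfig` if your rsyslog.conf differs, since the discard only protects rules that come after it).

```conf
# /etc/rsyslog.d/10-iptables.conf  (assumed file name)
# Legacy selector syntax: works on rsyslog 5 (RHEL 6) as well as 7/8 (RHEL 7).

# Keep only messages that carry the prefix set with --log-prefix, so unrelated
# kernel warnings do not land in the firewall log.
:msg, contains, "seatalk:"    /var/log/iptables/iptables.log

# "&" reuses the selector above; "~" discards the message so the later
# *.info ... /var/log/messages rule does not write it again.
# On rsyslog 7+ write "& stop" instead ("~" is deprecated there).
& ~

# Equivalent RainerScript form for rsyslog 7+, which also pins the match to the
# kernel facility so a user process logging the same prefix cannot inject lines:
# if $syslogfacility-text == 'kern' and $msg contains 'seatalk:' then {
#     action(type="omfile" file="/var/log/iptables/iptables.log")
#     stop
# }
```

After dropping the file in, `service rsyslog restart` (or a HUP) is still needed, and checking that a new connection shows up in iptables.log but not in /var/log/messages confirms the rule order is right.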
rotate: log rotation

logrotate is a log management program that deletes (or backs up) old log files and creates new ones; the process is called rotation. Rotation can be triggered by the size of the log or by its age in days.
```bash
# add an iptables log rotate policy
vim /etc/logrotate.d/iptables
```

```
/var/log/iptables/iptables.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    # 0640 rather than 0664: the file records client addresses and nothing
    # but root needs to read it
    create 0640 root root
    sharedscripts
    # rsyslog keeps the renamed file open after rotation; the HUP makes it
    # reopen iptables.log (the same script the stock /etc/logrotate.d/syslog uses)
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
```

```bash
# logrotate runs from /etc/cron.daily, so no rsyslog restart is needed here;
# a dry run confirms the policy parses and shows what it would do
logrotate -d /etc/logrotate.d/iptables
```

Without the postrotate block, rsyslog keeps writing to the renamed iptables.log-YYYYMMDD file and the freshly created iptables.log stays empty until rsyslog is restarted.

This article has more examples of rsyslog and logrotate - http://xstarcd.github.io/wiki/Linux/rsyslog_logrotate.html
If circumstances allow, going straight to EFK is the better end state.
```
$ cd /var/log/iptables
$ ls
iptables.log  iptables.log-20190512.gz  iptables.log-20190513
$ cat iptables.log
May 14 15:08:35 <localhost> kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=<IP> DST=<IP> LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43701 DF PROTO=TCP SPT=4150 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:00 <localhost> kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:00:f8:2c:91:79:43:08:00 SRC=<IP> DST=<IP> LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=31497 DF PROTO=TCP SPT=43586 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
```
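As an added example that is not part of the original post, the following Python script parses lines in exactly this format, separates an optional --log-prefix from the key=value fields, and counts new connections per client. Because the LOG rule sits in the nat PREROUTING chain, every line is one new connection, so a per-source count is a count of connection attempts. The sample lines are constructed (RFC 5737 documentation addresses, hostname gw1), and the SYN burst threshold is an assumed tuning knob, not something the page prescribes.

```python
import re
from collections import Counter

# Constructed sample input in the format the kernel LOG target emits (addresses are
# RFC 5737 documentation ranges, hostname gw1 is made up). Lines 3-4 carry the
# "seatalk: " prefix from --log-prefix; line 5 shows the same prefix written without
# a trailing space; line 6 is an unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
May 14 15:08:35 gw1 kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43701 DF PROTO=TCP SPT=4150 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:00 gw1 kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:00:f8:2c:91:79:43:08:00 SRC=203.0.113.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=31497 DF PROTO=TCP SPT=43586 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:02 gw1 kernel: seatalk: IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43702 DF PROTO=TCP SPT=4151 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:03 gw1 kernel: seatalk: IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43703 DF PROTO=TCP SPT=4152 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:04 gw1 kernel: seatalk:IN=em1 OUT= MAC=14:18:77:28:56:59:00:f8:2c:91:79:43:08:00 SRC=203.0.113.11 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=31498 DF PROTO=TCP SPT=43586 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
May 14 15:09:10 gw1 kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$')
# The LOG target always starts its own text with "IN="; whatever precedes it is the
# --log-prefix (with or without a trailing space). \b stops "LOGIN=" from matching.
BODY_RE = re.compile(r'^(?P<prefix>.*?)\bIN=(?P<rest>.*)$')
FLAG_WORDS = {'DF', 'MF', 'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG'}


def parse_line(line):
    """Parse one syslog line written by the LOG target into a dict.
    Returns None for anything else (other kernel messages, truncated lines)."""
    m = SYSLOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    b = BODY_RE.match(m.group('body'))
    if not b:
        return None
    rec = {'ts': m.group('ts'), 'host': m.group('host'),
           'prefix': b.group('prefix').strip(), 'flags': set()}
    for tok in ('IN=' + b.group('rest')).split():
        key, sep, val = tok.partition('=')
        if sep:
            rec[key] = val              # IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...
        elif tok in FLAG_WORDS:
            rec['flags'].add(tok)       # bare words: IP flags (DF, MF) and TCP flags
    if 'SRC' not in rec or 'DST' not in rec:
        return None                     # had "IN=" but is not a LOG record
    return rec


def load_records(text, prefix=None):
    """Parse every line; with prefix given, keep only records logged under that --log-prefix."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]
    if prefix is not None:
        recs = [r for r in recs if r['prefix'] == prefix]
    return recs


def connections_per_source(records):
    """One LOG line per new connection (nat PREROUTING), so this is attempts per client."""
    return Counter(r['SRC'] for r in records)


def syn_burst_sources(records, threshold):
    """Sources that opened at least `threshold` SYNs to the same DST:DPT.
    `threshold` is an assumed knob; tune it against your own traffic."""
    c = Counter((r['SRC'], r['DST'], r.get('DPT')) for r in records if 'SYN' in r['flags'])
    return sorted({src for (src, _dst, _dpt), n in c.items() if n >= threshold})


if __name__ == '__main__':
    recs = load_records(SAMPLE_LOG, prefix='seatalk:')
    for src, n in connections_per_source(recs).most_common():
        print(src, n)
    print('bursty:', syn_burst_sources(load_records(SAMPLE_LOG), 3))
```

Pointing `load_records` at the contents of /var/log/iptables/iptables.log with the prefix you configured gives the per-client view; leaving the prefix out is the right call when the file was produced by the kern.warning selector, which mixes unprefixed rules in.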