Redirecting IPtables Firewall Logging Location

Since Syslog and Messages files log random system events, hence, Redirecting IPtables Firewall Logging Location to its own file is better option. IPtables Logging redirection and Persistent rules would be the last thing to finalize IPtables Setup. Log rules will redirect IPtables default logging location from /var/log/syslog (Under Debian Based) and /var/log/messages (Under Red Hat Based) to it’s own logging file located at /var/log/iptables.log.

Objectives:

1. Redirecting IPtables Logging Location

2. Red Hat Based – IPtables Rules Persistent

3. Red Hat Based – IPtables Rules Persistent

4. Disallow Pinging your VPS from Outside

Prerequisites:

A. Basic Debian or Red Hat System Knowledge

B. Login to your DigitalOcean or Vultr Account

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Redirecting IPtables Logging Location

Run the following steps (1 to 6)

IPtables default logging location is either kern.log, syslog, or messages files. I recommend to create its own logging file.

1. Create iptables.conf under /etc/rsyslog.d/

nano /etc/rsyslog.d/iptables.conf

Copy and paste below log settings inside iptables.conf

#!/bin/bash
# IPtables LOGGING RULES #

# The script uses log level 7 across all log events
# Log Specific IPtables Events which contains "IPT " or "IP6 "
 :msg,contains,"IPT " -/var/log/iptables.log
 :msg,contains,"IP6 " -/var/log/iptables.log
 :msg,contains,"IPT " ~
 :msg,contains,"IP6 " ~
#log everything else to /var/log/iptables.log
kern.=debug             /var/log/iptables.log
# "~" or "stop" prevent log lines from application iptables to be processed by any other filters
& stop # prevent log lines from application iptables to be processed by any other filters

Note: Using older versions of rsyslog, you may have to replace the word stop on the last line with the ~ character; on newer version of Debian, Ubuntu, CentOS the ~ character as a stop indicator has been deprecated and will cause warning messages when (re)starting the rsyslog service. For now I am using stop value instead of ~ character.

Save: Ctrl-X, Hit Y Key, and Enter

2. Create a log rotate iptables file under /etc/logrotate.d/

nano /etc/logrotate.d/iptables

Copy and past the following code inside iptables file

#!/bin/bash
/var/log/iptables.log
 {
 rotate 10
 monthly
 missingok
 notifempty
 compress
 delaycompress
 sharedscripts
 postrotate
 invoke-rc.d rsyslog reload >/dev/null 2>&1 || true
 endscript
 }

Save: Ctrl-X, Hit Y Key, and Enter

3. Restart Rsyslog Service

service rsyslog restart

Verify IPtables Log Rotation

Note: If you still don’t see iptables.log file yet, wait few minutes till IPtables generate some logging. To generate some logging, open another SSH session. You should see iptables.log created among the log files under /var/log directory:

4. View logging location

ls -lah /var/log/ | grep iptables

The log shoud be created as shown below.

[...]
-rw-r-----  1 root   adm     0 Mar  9 21:34 iptables.log
[...]

5. Run the Log Rotation Manually

Log rotation will happens automatically, but for testing purpose you can run the command manually, however, wait few more minutes before running the command.

logrotate -vf /etc/logrotate.d/iptables

Optional – To rotate all log files, run the following command.

logrotate -vf /etc/logrotate.conf

6. View IPtables Logs Again

ls -lah /var/log/ | grep iptables

[...]
-rw-r-----  1 root   adm  2.7K Mar 10 09:43 iptables.log
-rw-r-----  1 root   adm  415K Mar 10 09:43 iptables.log.1
[...]

As you probably noticed, *.log.1 indicates that the file has been rotated and new file created. After certain number of weeks, iptables.log file will be rotated few times and later on the old logs will be deleted as stated under /etc/logrotate.d/iptables.

Debian Based – IPtables Rules Persistent

WARNING!!! As of this writing and testing on DigitalOcean, IPtables Rules Persistent at the startup disabled the public interface. A conflict is happening some where. Using only IPtables Script at the startup is just fine and you don’t need IPtables persistent rules as shown below.

Note: Step 3 below to restore the IPtables rules at startup is disabled by default, however, you can set step 1 and 2 to save the rules to a file if the system rebooted.

Run the following steps (1 to 8)

1. Create IPtables Save File

nano /etc/network/if-post-down.d/iptables

Paste the following:

#!/bin/bash
# IPtables Save Rules
iptables-save > /etc/network/iptables.rules
ip6tables-save > /etc/network/ip6tables.rules

Save: Ctrl-X, Hit Y Key, and Enter

2. Apply Execution Permission

chmod +x /etc/network/if-down.d/iptables

3. Create IPtables Restore File

nano /etc/network/if-up.d/iptables

Paste the following:

#!/bin/bash
# IPtables Restore Rules
#iptables-restore < /etc/network/iptables.rules
#ip6tables-restore < /etc/network/ip6tables.rules

Save: Ctrl-X, Hit Y Key, and Enter

As you can see, when you restart the VPS, persistence will save iptables rules under /etc/network for IPv4 and IPv6 respectively, and restore them at the startup.

4. Apply Execution Permission

chmod +x /etc/network/if-up.d/iptables

Red Hat Based – IPtables Rules Persistent

These are optional steps since IPtables Script will run at the startup, but if you still like to set IPtables Rules Persistent, here are the steps for you.

Run the following steps (1 to 5)

1. Save IPtables Firewall Rules

/sbin/service iptables save

You should see the following output:

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

2. Save IP6tables Firewall Rules

/sbin/service ip6tables save

You should see the following output:

ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[  OK  ]

3. Verify IPtables Saving

IPtables should be saved under /etc/sysconfig/ folder

cat  /etc/sysconfig/iptables

And

cat /etc/sysconfig/ip6tables

4. Edit IPtables Script

nano /etc/network/iptables/iptfw4and6-single-node.sh

Add the following IPtables saving commands at the end of the IPtables Script right before “exit 0”.

# IPtables Saving Commands
/sbin/service iptables save

# IP6tables Saving Commands
/sbin/service ip6tables save

exit 0

5. Reapply IPtables Script

/etc/network/iptables/iptfw4and6-single-node.sh

You will notice the saving output at the end.

[...]
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[  OK  ]

Disallow Pinging your VPS from Outside

There are 2 methods to disallow pinging your VPS:

• IPtables Rules
• Kernel Rules

A. Disallow Pinging using IPtables Rules

Run the following steps (1 to 2)

1. Edit IPtables Firewall Script

nano /etc/network/iptables/iptfw4and6-single-node.sh

Ctrl-w and search for “Authorize Pinging“, don’t copy the quotes.

To disallow pinging at the public interface, comment the following lines as shown below:

# Authorize Pinging with Limit Protection

# Allow Incoming pinging through Public Interface
#$IPT -A INPUT -i $PUB_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo." -j ACCEPT
#$IP6 -A INPUT -i $PUB_IF -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 1/s -m comment --comment "Accept ICMP echo." -j ACCEPT

Save: Ctrl-X, Hit Y Key, and Enter

2. Reapply IPtables Firewall Script

/etc/network/iptables/iptfw4and6-single-node.sh

B. Disallow Pining using Kernel Rules

Note: Using IPtables, will disallow pining from specific interface such Public Interface, but using Kernel Rules, will disable incoming pinging into all interface cards. As single VPS, it should be fine if you like to disable pinging into all interface cards. However, if I have Multiple VPS instances and I am using Private Network, I would use IPtables instead to disable pinging only into Public Interface.

Run the following steps (1 to 2)

1. Edit Kernel Rules Script

nano /etc/network/iptables/kernel-hardening-rules.sh

Press Ctrl-w and Search for Ping. Flip 1 to 0 as shown below:

# Disable Globally Ping Response from Public or Private Networks.
$SYSCTL net.ipv4.icmp_echo_ignore_all=1

Save: Ctrl-X, Hit Y Key, and Enter

2. Re-apply Kernel Rules

/etc/network/iptables/kernel-hardening-rules.sh

Allow Pinging Again

Note: Remember the following when dealing with kernel rules:

0 (zero)  -> Rule Disabled / OFF
1 (one)   -> Rule Enabled / ON

Edit kernel-hardening-rules.sh again and flip 1 to 0:

# Disable Globally Ping Response from Public or Private Networks.
$SYSCTL net.ipv4.icmp_echo_ignore_all=0

Then, run Only this specific Kernel Rule

sysctl net.ipv4.icmp_echo_ignore_all=0

By Linux IPtables Firewall by Arch | Debian IPtables Firewall | CentOS IPtables Firewall

Subject Related