
Linux: enabling a separate iptables log

How to Log Linux IPTables Firewall Dropped Packets to a Log File

To log both the incoming and outgoing dropped packets, add the following lines at the bottom of your existing iptables firewall rules.

How to read the IPTables Log

The following is a sample of the lines that were logged to /var/log/messages when an incoming packet and an outgoing packet were dropped.

In the above output:

  • IPTables-Dropped: This is the prefix we used in our logging by specifying the --log-prefix option.

  • IN=em1: The interface on which the incoming packet arrived. This is empty for outgoing packets.

  • OUT=em1: The interface through which the outgoing packet was sent. This is empty for incoming packets.

  • SRC=: The source IP address the packet originated from.

  • DST=: The destination IP address the packet was sent to.

  • LEN=: The length of the packet.

  • PROTO=: The protocol (in the sample above, the 1st line is an outgoing ICMP packet and the 2nd line is an incoming TCP packet).

  • SPT=: The source port.

  • DPT=: The destination port. In the 2nd line above, the destination port is 443, which means an incoming HTTPS packet was dropped.
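Reading these fields by hand does not scale past a handful of lines, so here is an added example (not code from the original article) that parses log lines in this format, classifies direction from the IN/OUT fields exactly as described above, and counts drops per direction, protocol and destination port. The log lines, hostname, addresses and the interface name em1 are constructed sample data; the IPTables-Dropped: prefix is the one the text uses.

```python
import re
from collections import Counter

# Constructed sample lines in the /var/log/messages layout the article shows:
# two iptables LOG entries for an outgoing ICMP packet, two for incoming TCP
# SYNs, and one unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Aug  4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2
Aug  4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  4 13:23:01 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9435 DF PROTO=TCP SPT=58429 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  4 13:23:05 centos sshd[1234]: Accepted publickey for admin from 192.168.1.50 port 50000 ssh2
"""

LOG_PREFIX = "IPTables-Dropped:"          # the --log-prefix value from the text
FIELD_RE = re.compile(r"(\w+)=(\S*)")    # key=value tokens; bare flags like DF/SYN are skipped


def parse_dropped(line, prefix=LOG_PREFIX):
    """Return the key=value fields of one iptables LOG line as a dict,
    plus a 'direction' key derived from IN/OUT; None if the prefix is absent."""
    _head, sep, body = line.partition(prefix)
    if not sep:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(body):
        # ICMP lines carry ID= twice (IP header, then ICMP); keep the first.
        fields.setdefault(key, value)
    # Per the field description above: IN is empty for outgoing packets,
    # OUT is empty for incoming ones.
    fields["direction"] = "incoming" if fields.get("IN") else "outgoing"
    return fields


def summarize(log_text):
    """Count dropped packets per (direction, PROTO, DPT) so that the
    services being probed or blocked stand out; '-' marks portless protocols."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_dropped(line)
        if fields is None:
            continue
        counts[(fields["direction"], fields.get("PROTO"), fields.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (direction, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:9s} {proto:5s} dpt={dport:5s} dropped={n}")
```

The parser only looks at the text after the prefix, so it works unchanged on the same kernel messages read from journalctl -k instead of /var/log/messages.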