Linux Iptables Firewall: Log IP or TCP Packet Header

Posted on in Categories Howto, Iptables, Linux, Networking, Security last updated January 9, 2008

Iptables provides the option to log both IP and TCP headers in a log file. This is useful to:
=> Detect Attacks

=> Analyze IP / TCP Headers

=> Troubleshoot Problems

=> Intrusion Detection

=> Iptables Log Analysis

=> Use 3rd party application such as PSAD (a tool to detect port scans and other suspicious traffic)

=> Use as education tool to understand TCP / IP header formats etc.

How do I turn on Logging IP Packet Header Options?

Add the following command to your iptables script beo:

iptables -A INPUT -j LOG --log-ip-options
iptables -A INPUT -j DROP

How do I turn on Logging TCP Packet Header Options?

Add the following command to your iptables script:

iptables -A INPUT -j LOG --log-tcp-options
iptables -A INPUT -j DROP

You may need to add additional filtering criteria such as source and destination ports/IP-address and other connection tracking features. To see IP / TCP header use tail -f or grep command:
# tail -f /var/log/messages

Recommended readings:

Force iptables to log messages to a different log file

Posted on in Categories Iptables, Linux, Monitoring, Security last updated February 23, 2008

According to man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, Iptables log message to a /var/log/messages file. However you can change this location. I will show you how to create a new logfile called /var/log/iptables.log. Changing or using a new file allows you to create better statistics and/or allows you to analyze the attacks.

Iptables default log file

For example, if you type the following command, it will display current iptables log from /var/log/messages file:
# tail -f /var/log/messages

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC= DST= TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log
Save and close the file.

Restart the syslogd (Debian / Ubuntu Linux):# /etc/init.d/sysklogd restartOn the other hand, use following command to restart syslogd under Red Hat/Cent OS/Fedora Core Linux:# /etc/init.d/syslog restart

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address to your /var/log/iptables.log file:
iptables -A INPUT -s -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **'--log-level 4
iptables -A INPUT -s -j DROP


  • –log-level 4: Level of logging. The level # 4 is for warning.
  • –log-prefix ‘*** TEXT ***’: Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
# tail -f /var/log/iptables.log

Updated for accuracy.

Linux Iptables open Bittorrent tcp ports 6881 to 6889

Posted on in Categories CentOS, Debian Linux, Howto, Iptables, Linux, Linux desktop, Networking, RedHat/Fedora Linux, Security, Shell scripting, Suse Linux, Ubuntu Linux last updated January 8, 2008

I already wrote about Linux command line bittorrent client. However, I received few more queries regarding firewall issues. Basically you need to open ports using iptables.

Bittorrent client by default uses tcp 6881 to 6889 ports only. In order to work with Bittorrent client you need to open these ports on firewall. Remember, if you are behind a firewall (hardware or software) you need to enable port forwarding to internal systems.

Scenario # 1: Windows or Linux desktop behind router firewall

Internet ->     Hardware Router    -> Your Linux Desktop
          with port forwarding          Client

You have router (ADSL/DSL/Cable modem+router) and you have already enabled port forwarding on router (open web browser > Open router web admin interface > Find port forwarding > Enable port forwarding for bittorent protocol). You also need to open port using following iptables rules on Linux desktop (open TCP port 6881 to 6999):

iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT

Here is a complete sample firewall script:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow bittorent incomming client request
iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT

#Uncomment below to allow sshd incoming client request
#iptables -A INPUT -p tcp -dport 22 -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Scenario # 2

Internet -> Linux computer Router  ->  Your Linux Desktop
         with port forwarding      OR Windows XP client
         enabled using IPTABLES       IP:

Here you are using a Linux as software firewall and iptables as your NAT (firewall) for internal network ( You need to enable port forwarding to a internal Linux desktop (may be Windows XP desktop) for BitTorrent client system. Add following two line of code to your existing NAT firewall script.

iptables -t nat -A PREROUTING -p tcp --dport 6881:6889
-j DNAT --to-destination

iptables -A FORWARD -s -p tcp --dport 6881:6889

Related: Linux Command line BitTorrent client