log traffic with iptables
06 Aug, 2015
Recently I had to log NATed traffic in the PREROUTING chain on CentOS 7, which is still impossible in firewalld!!!! :-(
So I switched back to the iptables firewall, which is still possible on CentOS 7. I hope RHEL 8 will have a better firewalling solution.
The idea of firewalld is OK, but firewalld brings more limitations than features.
How to switch back to iptables:
yum remove firewalld
yum install iptables-services iptables
systemctl enable iptables
systemctl restart iptables
And finally, here is the way to log the chains you need. Edit the ruleset, reload it with systemctl restart iptables, and the kernel then writes lines carrying the chosen prefix to /var/log/messages (or journalctl -k):
vi /etc/sysconfig/iptables
*nat
# the nat table is consulted only for the first packet of a connection, so this
# logs new connections with their pre-DNAT addresses, at most 1/s (burst 7)
-A PREROUTING -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES PREROUTING "
# do not nat apache traffic: the first DNAT match ends nat processing, so mapping
# 10.0.40.10:80 onto itself here exempts it from the port-80 redirect below
-A PREROUTING -s 10.8.0.0/16 -d 10.0.40.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.40.10:80
# send VPN clients' (10.8.0.0/16) FTP and HTTP to the transparent HTTP proxy, HTTPS to the transparent HTTPS proxy
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.40.10:3128
-A PREROUTING -s 10.8.0.0/16 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.40.10:3129
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# as the first INPUT rule this logs every incoming packet (up to the rate limit),
# accepted or not; place it just before the final REJECT to log only refused packets
-A INPUT -m limit --limit 1/s --limit-burst 7 -j LOG --log-prefix "[IPTABLES INPUT "
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#http transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
#https transparent
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3129 -j ACCEPT
#classic proxy
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m limit --limit 1/sec --limit-burst 7 -j LOG --log-prefix "[IPTABLES FORWARD "
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# every table in this file must end with COMMIT, otherwise iptables-restore rejects the whole file
COMMIT
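As an added example, not code from the original post: a small Python parser for the kernel log lines these LOG rules produce, which also replays the nat PREROUTING and filter INPUT rules above to show what the firewall did with each logged packet (the INPUT log alone cannot tell you, because the LOG rule sits before the accept rules). The sample log lines are constructed for the example; the hostname gw, the interface names, and the addresses 203.0.113.5 and 198.51.100.7 are assumptions.

```python
"""Parse iptables LOG output and replay the PREROUTING/INPUT decisions of the ruleset above."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format the LOG target writes to the kernel log
# (as rsyslog stores them in /var/log/messages). Made up for this example, not
# captured from the author's host.
SAMPLE_LOG = """\
Aug  6 10:15:01 gw kernel: [IPTABLES PREROUTING IN=tun0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.0.6 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  6 10:15:01 gw kernel: [IPTABLES INPUT IN=tun0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.0.6 DST=10.0.40.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  6 10:15:02 gw kernel: [IPTABLES PREROUTING IN=tun0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.0.6 DST=10.0.40.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  6 10:15:03 gw kernel: [IPTABLES INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.40.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=23 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  6 10:15:04 gw kernel: [IPTABLES INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.40.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=24 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug  6 10:15:05 gw kernel: [IPTABLES FORWARD IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=203.0.113.5 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=99 DF PROTO=UDP SPT=5353 DPT=53 LEN=53
"""

# The prefix from the ruleset ends in a space, so the chain name is followed by the fields.
LOG_RE = re.compile(r"\[IPTABLES (?P<chain>[A-Z]+) (?P<fields>.*)$")

# Values from the ruleset above.
VPN_CLIENTS = ipaddress.ip_network("10.8.0.0/16")
PROXY_HOST = "10.0.40.10"
ALLOWED_TCP_PORTS = {22, 80, 443, 3128, 3129, 8080}


def parse_log_line(line):
    """Return a dict of KEY=value fields plus a 'flags' set (DF, SYN, ACK, ...)
    for a line carrying one of the prefixes above, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "flags": set()}
    for tok in m.group("fields").split():
        key, eq, val = tok.partition("=")
        if eq:
            rec.setdefault(key, val)  # ID= and LEN= can repeat; keep the IP-header one
        else:
            rec["flags"].add(tok)  # bare tokens are TCP/IP flags
    return rec


def dnat_target(rec):
    """Replay the nat PREROUTING rules in order; the first DNAT match wins, which is
    why the 'do not nat apache traffic' rule has to precede the port-80 redirect."""
    if rec["chain"] != "PREROUTING" or rec.get("PROTO") != "TCP":
        return None
    if ipaddress.ip_address(rec["SRC"]) not in VPN_CLIENTS:
        return None
    dpt = int(rec["DPT"])
    if rec["DST"] == PROXY_HOST and dpt == 80:
        return (PROXY_HOST, 80)  # DNAT onto itself: left untouched
    if dpt in (21, 80):
        return (PROXY_HOST, 3128)  # transparent HTTP proxy
    if dpt == 443:
        return (PROXY_HOST, 3129)  # transparent HTTPS proxy
    return None


def input_verdict(rec):
    """Replay the filter INPUT chain for a logged packet."""
    if rec["chain"] != "INPUT":
        return None
    proto = rec.get("PROTO")
    if rec.get("IN") == "lo" or proto == "ICMP":
        return "ACCEPT"
    if proto != "TCP":
        return "UNKNOWN"  # UDP: conntrack state is not visible in the log line
    if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:  # a NEW connection
        return "ACCEPT" if int(rec["DPT"]) in ALLOWED_TCP_PORTS else "REJECT"
    return "ACCEPT"  # mid-connection packet, taken by the RELATED,ESTABLISHED rule


def summarize(text):
    """Count logged packets per (chain, outcome) for a quick triage view."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["chain"] == "PREROUTING":
            counts[("PREROUTING", dnat_target(rec))] += 1
        elif rec["chain"] == "INPUT":
            counts[("INPUT", input_verdict(rec))] += 1
        else:
            counts[(rec["chain"], None)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(n, key)
```

Run it against a real file with summarize(open("/var/log/messages").read()); lines without one of the prefixes are skipped, so the parser can be pointed at the whole syslog.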