Firewall Log Format

This log stores information about packets dropped by the iptables firewall. For various reasons, intentional (an explicit deny rule matched) or unintentional (no rule permitted the traffic, or a rule is misconfigured), iptables might drop a particular packet. When this happens, the event is logged to firewall.log. From each log entry you can read the incoming interface, the outgoing interface (empty when the packet was addressed to the host itself), the source address, and other details of the packet that was dropped. The timestamp has no year and is in UTC. The format of firewall log entries is as follows:

<date_utc> <hostname> kernel: IPTABLES <event>: <message>

Field definitions:

Example:

Mar 19 18:49:32 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.117 DST=10.20.0.53 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51749 DF PROTO=TCP SPT=51093 DPT=5000 WINDOW=0 RES=0x00 RST URGP=0
Mar 19 20:56:59 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:0f:48:ec:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=337 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=317
Mar 20 11:03:24 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.17 DST=10.20.0.53 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=18544 DF PROTO=TCP SPT=53543 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 20 11:03:25 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.17 DST=10.20.0.53 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=18545 DF PROTO=TCP SPT=53544 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 20 11:03:27 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.17 DST=10.20.0.53 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=18561 DF PROTO=TCP SPT=53543 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
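The following parser is an added example, not part of the original documentation or the product's own tooling. It reads entries in the format described above, splits the kernel-supplied message into KEY=VALUE fields and bare flags (DF, SYN, RST), decodes the 14-byte MAC field into destination MAC, source MAC and EtherType (the standard iptables LOG layout), and then counts repeated dropped SYNs per source/destination/port, which is the check an analyst typically runs first against this log. The sample entries are constructed for the example and mirror the ones shown above; the threshold of 3 and the function names are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample entries in the documented format (not captured traffic).
SAMPLE_LOG = """\
Mar 19 18:49:32 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.117 DST=10.20.0.53 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51749 DF PROTO=TCP SPT=51093 DPT=5000 WINDOW=0 RES=0x00 RST URGP=0
Mar 19 20:56:59 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:0f:48:ec:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=337 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=317
Mar 20 11:03:24 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.17 DST=10.20.0.53 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=18544 DF PROTO=TCP SPT=53543 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 20 11:03:25 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.17 DST=10.20.0.53 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=18545 DF PROTO=TCP SPT=53544 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 20 11:03:27 myjwas kernel: IPTABLES Dropped: IN=eth0 OUT= MAC=00:0c:29:cf:4d:c8:2c:21:72:c6:99:08:08:00 SRC=10.10.0.17 DST=10.20.0.53 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=18561 DF PROTO=TCP SPT=53543 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# <date_utc> <hostname> kernel: IPTABLES <event>: <message>
# The day may be space-padded ("Mar  9"), hence " {1,2}".
HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) kernel: IPTABLES (?P<event>[^:]+): (?P<message>.*)$"
)


def parse_entry(line: str) -> Dict[str, object]:
    """Parse one firewall.log line into header fields, KEY=VALUE fields and flags."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IPTABLES log line: {line!r}")
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in m["message"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            # A key can repeat (IP LEN followed by UDP LEN); keep both with a suffix.
            if key in fields:
                n = 2
                while f"{key}_{n}" in fields:
                    n += 1
                key = f"{key}_{n}"
            fields[key] = value  # OUT= yields an empty string, which is meaningful
        else:
            flags.append(token)  # DF, SYN, RST, ACK, ...
    # MAC= is 14 bytes: destination MAC, source MAC, EtherType (0x0800 = IPv4).
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:])
    return {
        "date_utc": m["date"],
        "hostname": m["hostname"],
        "event": m["event"],
        "fields": fields,
        "flags": flags,
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every non-blank line of a firewall.log file."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def repeated_syn_drops(entries: List[Dict[str, object]], threshold: int = 3):
    """Return (SRC, DST, DPT) tuples whose dropped bare-SYN count reaches the threshold.

    Repeated SYNs from one source to one port are retries against a blocked
    service; many ports from one source would indicate a scan instead.
    """
    counts: Counter = Counter()
    for e in entries:
        f = e["fields"]
        if f.get("PROTO") == "TCP" and "SYN" in e["flags"] and "ACK" not in e["flags"]:
            counts[(f["SRC"], f["DST"], f["DPT"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        f = e["fields"]
        print(e["date_utc"], e["event"], f["SRC"], "->", f["DST"], f.get("PROTO"), f.get("DPT"), e["flags"])
    print("repeated SYN drops:", repeated_syn_drops(parsed))
```

The second sample entry is a DHCP discover (UDP 68 to 67, broadcast source 0.0.0.0), which the parser keeps intact with both LEN values; treating it separately from the TCP retries is the reason the detection keys on PROTO and the SYN flag rather than on packet count alone.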
