1. First,add a new chain with a reasonable name:
iptables -N LOGGING
2. Next,insert a rule at the appropriate point (hence me using --line-numbers
above). You could replace the existing REJECT
at line 5 in its entirety as its functionality will be moved into the LOGGING
chain (where I change it to a DROP
anyway):
iptables -I INPUT 5 -j LOGGING
3. Add the actual logging rule next
iptables -A LOGGING -j LOG --log-prefix "DROP: " --log-level 7
iptables -A LOGGING -j DROP
service iptables save
service iptables restart
4. vi /etc/rsyslog.conf
kern.debug/var/log/iptables.log
service rsyslog restart
5. vi /etc/logrotate.d/syslog
add /var/log/iptables.log to list of filenames