record contents of packets dropped in iptables

The NFLOG target can be used for this purpose. Here is a very basic example:

# Drop traffic by default
iptables -P INPUT DROP

# add your whitelists here
# iptables -A INPUT ...

# Pass the packets to NFLOG (just like LOG, but instead of syslog,
# it uses netlink). You can add extra filters such as '-p tcp' as usual
iptables -A INPUT -j NFLOG
# packets that get here will now be dropped per INPUT policy

# Finally you can use tcpdump to capture from this interface (there
# can only be one active user of nflog AFAIK)
tcpdump -i nflog ...

Refer to the iptables-extensions manual page for a description of the NFLOG target.
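As an added example (not part of the original answer), the script below wraps the same idea in a reusable form: dropped INPUT traffic is sent to a dedicated chain that first copies the packet to a specific NFLOG group and then drops it, and tcpdump attaches to that group with `-i nflog:GROUP` so the capture contains only the dropped packets. The group number, the chain name DROPLOG, the prefix text, the pcap path and the whitelist rules are all assumptions chosen for the example; `--nflog-group`, `--nflog-prefix` and `--nflog-threshold` are the NFLOG options documented in iptables-extensions(8). Setting IPT=echo prints the rules instead of applying them, which is a convenient way to review them before running as root.

```shell
#!/bin/sh
# Added example: capture the full contents of packets dropped by iptables by
# routing them through an NFLOG group and reading that group with tcpdump.
# Assumes the NFLOG target (xt_NFLOG) is available, tcpdump was built with
# libpcap nflog support, and the script runs as root to apply rules.

IPT="${IPT:-iptables}"           # set IPT=echo to preview commands without applying them
NFLOG_GROUP="${NFLOG_GROUP:-5}"  # assumed group number; any value 0-65535 works
# strftime pattern so tcpdump -G can rotate the file hourly
PCAP="${PCAP:-/var/log/dropped-%Y%m%d-%H%M%S.pcap}"

# Build the audit chain: NFLOG copies the packet to userspace, DROP follows.
# Keeping the NFLOG and DROP rules adjacent in one chain means nothing can be
# appended between "record it" and "drop it" by accident.
install_rules() {
    "$IPT" -N DROPLOG 2>/dev/null || true
    "$IPT" -F DROPLOG
    # --nflog-group:     netlink group tcpdump binds to ("-i nflog:5")
    # --nflog-prefix:    text attached to every record (visible with tcpdump -v or ulogd)
    # --nflog-threshold: packets queued before delivery; 1 = deliver immediately
    "$IPT" -A DROPLOG -j NFLOG --nflog-group "$NFLOG_GROUP" \
        --nflog-prefix "dropped:" --nflog-threshold 1
    "$IPT" -A DROPLOG -j DROP

    # Assumed whitelist; real deployments insert their ACCEPT rules here.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything not accepted above is recorded and dropped; keep this rule last.
    "$IPT" -A INPUT -j DROPLOG
}

# Read the NFLOG group. -s 0 keeps whole packets; -G rotates the output file
# every 3600 seconds so a long-running capture stays reviewable in chunks.
# Extra tcpdump arguments (e.g. a BPF filter) can be passed through.
capture_dropped() {
    tcpdump -i "nflog:$NFLOG_GROUP" -s 0 -w "$PCAP" -G 3600 "$@"
}

# Sanity check: packet/byte counters on the DROPLOG chain should advance
# whenever the capture file grows; if they do not, the chain is not reached.
show_counters() {
    "$IPT" -L DROPLOG -v -n -x
}
```

Typical use is `install_rules` once, then `capture_dropped` in a terminal (or under a service manager), and `show_counters` to confirm the chain is actually being hit while the pcap is written.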

Author: OneCheapDrunk

Updated on September 18, 2022

Comments

  • OneCheapDrunk (almost 2 years ago)

    I'm trying to find a way to record the entire contents of packets (possibly with tcpdump) that have been dropped according to rules in iptables.

    At present, I have a rule to log these packets (with a log prefix), then follow this with a rule to drop them.

    Is there a way to record the contents of those packets for review afterwards?

    So, I'm looking for this:

    1. A rule that logs the matching packet
    2. A rule that passes the packet to a new target that records its contents (maybe QUEUE target?)
    3. A rule that drops the packet

    2 & 3 may even be combined.

    My understanding is that tcpdump may not be able to do this as it examines packets before iptables and therefore will not record just the dropped packets.

    Thanks.