Dashboard
Level 1
0 / 100 XP

Analyzing Dropped Traffic Logs in Linux

In this lesson, you will learn how to configure logging for dropped traffic with iptables. We'll start by installing the nginx package, which is an easy web server which only requires one command to start, then you'll configure your logging rules, next you'll generate traffic that will get blocked be iptables, then we'll allow the traffic in iptables so you can access the nginx web server from your host computer.

Step 1: Configure logging (if you haven't already)

In the best practices lesson, we briefly mentioned that you should be logging all dropped traffic. You can quickly tell if iptables is configured to log by running the iptables -L command and looking for an entry like so on bot INPUT AND OUTPUT chains:

Text
target prot opt source destination LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "iptables INPUT dropped: "

If you don't see output like that, you can add those rules here:

Bash
sudo iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables INPUT dropped: " sudo iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables FORWARD dropped: " sudo iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables OUTPUT: "

Step 2: Installing Nginx on Ubuntu Server

First, install Nginx on your Ubuntu Server VM. Nginx is a popular web server that can serve web pages to clients.

Bash
# Install NGINX sudo apt install nginx # Configure to start automatically on boot sudo systemctl enable nginx sudo systemctl start nginx

After the installation, ensure that Nginx is running:

systemctl status nginx

Before we move on to the next steps which will be completed on our host computer, let's start tailing our iptables logs which (on Ubuntu), will be located in /var/log/syslog:

sudo tail -f /var/log/syslog |…