Logging with iptables requires an extra iptables extension called NFLOG (https://manpages.debian.org/experimental/iptables/iptables-extensions.8.en.html#NFLOG) and a separate daemon process called ulogd2 (https://www.netfilter.org/projects/ulogd/index.html). ulogd2 reads the packets that the NFLOG target hands over and stores them in local files or databases.
First, install the ulogd2 package (the example is based on Debian/Ubuntu):

```sh
apt install ulogd2
```
Example: log and drop packets which have an invalid state

```sh
# Log and drop all invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j NFLOG --nflog-group 123 --nflog-prefix "packet with invalid state"
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```
To log all those packets to a file in JSON format, ulogd2 requires the following configuration in /etc/ulogd.conf:

```ini
[global]
logfile="syslog"
loglevel=3
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON

[log1]
group=123

[json1]
sync=1
file="/var/log/ulog/netfilter_log.json"
```
After creating the configuration file, ensure that the directory /var/log/ulog exists (owned by the ulog user) and then restart ulogd2:

```sh
mkdir /var/log/ulog
chown ulog /var/log/ulog
systemctl restart ulogd2.service
```
Once the rule created above matches, a JSON log line is written to disk:

```sh
tail -1 /var/log/ulog/netfilter_log.json | jq
```

```json
{
  "timestamp": "2022-03-30T14:46:20.527282+0200",
  "dvc": "Netfilter",
  "raw.pktlen": 52,
  "raw.pktcount": 1,
  "oob.prefix": "packet with invalid state",
  "oob.time.sec": 1648644380,
  "oob.time.usec": 527282,
  "oob.mark": 0,
  "oob.ifindex_in": 2,
  "oob.hook": 1,
  "raw.mac_len": 14,
  "oob.family": 2,
  "oob.protocol": 2048,
  "raw.label": 0,
  "raw.type": 1,
  "raw.mac.addrlen": 6,
  "ip.protocol": 6,
  "ip.tos": 0,
  "ip.ttl": 116,
  "ip.totlen": 52,
  "ip.ihl": 5,
  "ip.csum": 41779,
  "ip.id": 16049,
  "ip.fragoff": 16384,
  "src_port": 58662,
  "dest_port": 445,
  "tcp.seq": 3872158206,
  "tcp.ackseq": 0,
  "tcp.window": 8192,
  "tcp.offset": 0,
  "tcp.reserved": 0,
  "tcp.urg": 0,
  "tcp.ack": 0,
  "tcp.psh": 0,
  "tcp.rst": 0,
  "tcp.syn": 1,
  "tcp.fin": 0,
  "tcp.res1": 0,
  "tcp.res2": 0,
  "tcp.csum": 60039,
  "oob.in": "eth0",
  "oob.out": "",
  "src_ip": "181.122.165.177",
  "dest_ip": "1.1.1.1",
  "mac.saddr.str": "94:f7:ad:4f:81:fc",
  "mac.daddr.str": "aa:aa:aa:aa:aa:aa",
  "mac.str": "aa:aa:aa:aa:aa:aa:94:f7:ad:4f:81:fc:08:00"
}
```
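The JSON file above is newline-delimited, one object per packet, so it is easy to post-process. The following is an added example (not part of the original post or of ulogd2) that parses such a file, decodes the `tcp.*` flag fields into flag names, and counts packets per source and destination port for a given `--nflog-prefix`. The log lines are constructed for the example and use documentation address ranges; the `sync=1` setting above means a reader can still race with ulogd2 mid-write, so partial lines are skipped rather than crashing the parser.

```python
import json
from collections import Counter

# Constructed sample of ulogd2 JSON output (one object per line, as the
# ulogd_output_JSON plugin writes it). Keys match the fields shown above;
# addresses are from documentation ranges, and the last line is deliberately
# truncated to mimic a read that raced with ulogd2 appending to the file.
SAMPLE_LOG = """\
{"timestamp": "2022-03-30T14:46:20.527282+0200", "oob.prefix": "packet with invalid state", "oob.in": "eth0", "ip.protocol": 6, "src_ip": "198.51.100.7", "dest_ip": "203.0.113.10", "src_port": 58662, "dest_port": 445, "tcp.syn": 1, "tcp.ack": 0, "tcp.psh": 0, "tcp.rst": 0, "tcp.fin": 0, "tcp.urg": 0}
{"timestamp": "2022-03-30T14:46:20.812001+0200", "oob.prefix": "packet with invalid state", "oob.in": "eth0", "ip.protocol": 6, "src_ip": "198.51.100.7", "dest_ip": "203.0.113.10", "src_port": 58663, "dest_port": 445, "tcp.syn": 0, "tcp.ack": 1, "tcp.psh": 0, "tcp.rst": 1, "tcp.fin": 0, "tcp.urg": 0}
{"timestamp": "2022-03-30T14:46:21.104455+0200", "oob.prefix": "packet with invalid state", "oob.in": "eth0", "ip.protocol": 6, "src_ip": "198.51.100.9", "dest_ip": "203.0.113.10", "src_port": 40021, "dest_port": 22, "tcp.syn": 1, "tcp.ack": 0, "tcp.psh": 0, "tcp.rst": 0, "tcp.fin": 0, "tcp.urg": 0}
{"timestamp": "2022-03-30T14:46:21.300000+0200", "oob.prefix": "other rule", "oob.in": "eth0", "ip.protocol": 17, "src_ip": "198.51.100.9", "dest_ip": "203.0.113.10", "src_port": 5353, "dest_port": 53}
{"timestamp": "2022-03-30T14:46:21.900000+0200", "oob.prefix": "packet with inv
"""

# tcp.* flag fields as ulogd2 emits them (each 0 or 1)
TCP_FLAG_KEYS = ("tcp.syn", "tcp.ack", "tcp.psh", "tcp.rst", "tcp.fin", "tcp.urg")


def parse_ulogd_json(text):
    """Parse newline-delimited ulogd2 JSON; skip blank or partial lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # half-written line: ulogd2 has not finished it yet
    return events


def tcp_flags(event):
    """Names of the TCP flags set in the event, e.g. ['SYN']; [] for non-TCP."""
    if event.get("ip.protocol") != 6:
        return []
    return [k.split(".")[1].upper() for k in TCP_FLAG_KEYS if event.get(k) == 1]


def summarize(events, prefix="packet with invalid state"):
    """Count packets per (src_ip, dest_port) that carry the given NFLOG prefix."""
    counts = Counter()
    for ev in events:
        if ev.get("oob.prefix") == prefix:
            counts[(ev.get("src_ip"), ev.get("dest_port"))] += 1
    return counts


if __name__ == "__main__":
    evs = parse_ulogd_json(SAMPLE_LOG)
    for (src, port), n in summarize(evs).most_common():
        print(f"{src:<16} dport={port:<5} packets={n}")
```

To run it against the real file, replace `SAMPLE_LOG` with the contents of /var/log/ulog/netfilter_log.json; the prefix argument of `summarize` selects which `--nflog-prefix` rule to report on.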
You need to install the JSON plugin:
`sudo apt install ulogd2-json`