Home | Stats | Downloads | Scripts | Wiki

Prevent iptables from spamming your console

2015-08-14 13:41:00 by Michael 2 Comments
Tags: linux kernel iptables sysadmin netfilter

How to disable firewall "spam" on your console.

I worked on a ticket recently for a customer concerned about firewall messages being sent to every user's console by the kernel. After doing a bit of research I discovered that the nf_ct_ftp module logs messages to syslog as *emergency* level by default which results in every console being spammed by firewall messages. To prevent this you can make a few simple changes as follows.

First, set up a custom rsyslog conf file to send iptables messages to a different file.

cat << EOF > /etc/rsyslog.d/iptables.conf 
:msg, contains, "nf_ct_ftp:" -/var/log/iptables.log
& ~

The first line means send all messages that contain the “nf_ct_ftp:” string to /var/log/iptables.log. The second line causes rsyslog to discard messages that were matched on the previous line. Adjust this rule according to your needs.

Second, update sysctl.conf with the following lines and then run "sysctl -p".

kernel.printk = 4 4 1 7

sysctl -p

See https://www.kernel.org/doc/Documentation/sysctl/kernel.txt for a description of these values.

Now restart rsyslog and test your changes using the "logger" command.

service rsyslog restart
logger -p kern.emerg -t kernel "nf_ct_ftp: dropping packet test"

You should not see anything on the console. cat /var/log/iptables.log to confirm that the entry was logged properly. After you have confirmed that the messages are being logged properly you can set up logrotate to manage the logs. Create a config file to do this similar to below.

cat << EOF > /etc/logrotate.d/iptables 
	rotate 7
		invoke-rc.d rsyslog rotate > /dev/null

There is nothing else to do at this point.

Return to main page.