On Thu, 08.07.04, Gavin Hamill <gdh@xxxxxxxxxxxxxx> wrote:

> > And I had the following rule:
> >
> > iptables -A FORWARD -j LOG
> >
> > It seems that all connections are logged so it is very difficult to read the
> > log.
>
> Firstly, do you actually have DROP statements in your ruleset? If so, the LOG
> statement should appear JUST BEFORE the block of DROP statements. Since
> ACCEPT or DROP are one-way-streets for packets, you want to LOG just before
> they get DROPped, but not log any of the ACCEPTed packets.

A very good way to do this is via a special chain "logdrop":

iptables -N logdrop
iptables -A logdrop -j LOG --log-prefix ' log drop '
iptables -A logdrop -j DROP

And then you replace every -j DROP (that you want logged) with -j logdrop.

I think this is mentioned in a part of the netfilter docs.

hth,
Nils
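The logdrop chain described above, as an added worked example that is not part of Nils's mail: a script that emits a complete iptables-restore ruleset in which the FORWARD chain accepts wanted traffic first and sends everything else through logdrop, and a check that the LOG rule sits before the DROP. The interface names and subnet are assumptions, and the -m limit on the LOG rule is an extra safeguard against a flood filling the log.

```shell
#!/bin/sh
# Added example (not from the original thread): build an iptables-restore
# ruleset where only packets that are about to be DROPped get logged.
LAN_IF="${LAN_IF:-eth1}"                # assumption: internal interface
WAN_IF="${WAN_IF:-eth0}"                # assumption: external interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumption: internal subnet

# Print the ruleset on stdout; on a real router: logdrop_ruleset | iptables-restore
logdrop_ruleset() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:logdrop - [0:0]
# logdrop: LOG first (DROP terminates, so a LOG placed after it never fires),
# rate-limited so a packet flood cannot fill the log, then DROP.
-A logdrop -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " log drop "
-A logdrop -j DROP
# ACCEPT rules come first; accepted packets never reach the LOG rule.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# Everything else in FORWARD is logged and dropped via the chain.
-A FORWARD -j logdrop
COMMIT
EOF
}

# Sanity check on the generated text: LOG must precede DROP inside logdrop,
# and the jump to logdrop must be the last FORWARD rule. Returns 0 on success.
check_order() {
    rules=$(logdrop_ruleset)
    log_line=$(printf '%s\n' "$rules" | grep -n -- '^-A logdrop .*-j LOG' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '^-A logdrop -j DROP' | cut -d: -f1)
    last_fwd=$(printf '%s\n' "$rules" | grep -- '^-A FORWARD' | tail -n 1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ] \
        && [ "$last_fwd" = "-A FORWARD -j logdrop" ]
}
```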