Accepted Answer (Nick Howitt): All you need to do is add a source subnet to any logging rule you've seen. Something like:

$IPTABLES -I FORWARD -m conntrack --ctstate NEW -s your_lan_subnet -j LOG

I would only log new packets, as logging everything is pretty pointless to me unless you want to try and quantify the amount of traffic. There seems to be little point in logging the return packets as well.
You can optionally add a log message which you can then trap with an rsyslog filter. Check the "man iptables" pages.
If I ever do logging, I split the log messages out from the messages log with an rsyslogd filter, /etc/rsyslog.d/firewall.conf:

# Split out Firewall messages
if $programname == 'kernel' and $msg contains 'IN=' and $msg contains 'OUT=' then -/var/log/firewall

This is a bit of a kludge. If you log with a message you could filter on that instead.
Then I add a logrotate function to make the logs rotate, /etc/logrotate.d/firewall:

# rotate the firewall log
/var/log/firewall {
    create 0664 root root
}
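The answer above logs NEW forwarded packets from the LAN and diverts the kernel lines containing `IN=` and `OUT=` into /var/log/firewall. The following is an added example, not code from the post or from ClearOS, showing what those lines look like and how to read the resulting file to quantify traffic per LAN host, which is the one use of logging the answer says is worthwhile. It reproduces the rsyslog selector in Python (kernel messages containing both `IN=` and `OUT=`), parses the LOG target's `KEY=VALUE` fields, and counts packets per source host, protocol and destination port for sources inside a given LAN subnet. The sample log lines, the `FW-NEW:` prefix (an assumed `--log-prefix`) and the addresses are all constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/firewall plus two unrelated lines. The format is the
# one the kernel LOG target produces once rsyslog has prefixed timestamp, host and
# program name; "FW-NEW: " is an assumed --log-prefix, not part of the original post.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: FW-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: FW-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 PROTO=UDP SPT=40000 DPT=53 LEN=40
Mar  3 10:15:03 gw kernel: FW-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.31 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12347 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 gw kernel: FW-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.31 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12348 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:05 gw kernel: FW-NEW: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=999 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:06 gw kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
Mar  3 10:15:07 gw sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 51300 ssh2
"""

# Traditional syslog layout: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# The LOG target writes space-separated KEY=VALUE pairs plus bare flags (DF, SYN, ...)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def split_syslog(line):
    """Return (programname, message) for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("prog"), m.group("msg")


def passes_firewall_filter(line):
    """Mirror the rsyslog selector from the post: kernel messages with both IN= and OUT=."""
    parsed = split_syslog(line)
    if parsed is None:
        return False
    prog, msg = parsed
    return prog == "kernel" and "IN=" in msg and "OUT=" in msg


def parse_fields(msg):
    """Split a LOG-target message into a dict of KEY=VALUE fields and a set of bare flags."""
    fields = dict(FIELD_RE.findall(msg))  # a repeated key (ID=, LEN=) keeps its last value
    flags = {tok for tok in msg.split() if "=" not in tok and tok.isalpha() and tok.isupper()}
    return fields, flags


def summarize_new_connections(log_text, lan_subnet):
    """Count logged packets per (LAN source, protocol, destination port).

    Only lines that would have reached /var/log/firewall are considered, and only
    those whose SRC lies inside lan_subnet, matching the -s your_lan_subnet rule.
    """
    lan = ip_network(lan_subnet)
    counts = Counter()
    for line in log_text.splitlines():
        if not passes_firewall_filter(line):
            continue
        _, msg = split_syslog(line)
        fields, _flags = parse_fields(msg)
        src = fields.get("SRC")
        if src is None or ip_address(src) not in lan:
            continue  # inbound or malformed line: not LAN-originated traffic
        counts[(src, fields.get("PROTO"), fields.get("DPT"))] += 1
    return counts


def top_talkers(counts):
    """Collapse the per-port counts into packets per LAN host, busiest first."""
    per_host = Counter()
    for (src, _proto, _dpt), n in counts.items():
        per_host[src] += n
    return per_host.most_common()


if __name__ == "__main__":
    summary = summarize_new_connections(SAMPLE_LOG, "192.168.1.0/24")
    for (src, proto, dpt), n in sorted(summary.items()):
        print(f"{src:>15} {proto or '-':>5} dpt={dpt or '-':>5} packets={n}")
    print("per host:", top_talkers(summary))
```

Run against the real file with `summarize_new_connections(open("/var/log/firewall").read(), "192.168.1.0/24")`, substituting the LAN subnet used in the iptables rule. ICMP lines carry no `DPT=`, so they are keyed with `None` rather than being dropped; the inbound line from 198.51.100.7 is excluded by the subnet check, which is the same distinction the `-s your_lan_subnet` match makes on the firewall.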