#116 Linux  03.04.2007

Configure syslog-ng to store firewall logs in a separate log file


This takes only a few additions to /etc/syslog-ng/syslog-ng.conf. To direct iptables logs into a separate log file we define a new destination, a filter and a log statement:

# direct iptables logs into /var/log/firewall.log
destination iptables { file("/var/log/firewall.log"); };
filter iptables { match("^IPTABLES-"); };
log { source(src); filter(iptables); destination(iptables); };

What happens now is that every log record whose message text begins with "IPTABLES-" is written into /var/log/firewall.log. The "^" anchors the pattern at the start of the message text (for kernel messages, the part after "kernel: "). If the kernel is booted with printk timestamps (printk.time=1), that text starts with "[ seconds]" and the anchored pattern no longer matches; use match("IPTABLES-") without the anchor in that case.

All other records should still go to /var/log/messages:

filter noiptables { not match("^IPTABLES-"); };
log { source(src); filter(noiptables); destination(messages); };


A simple syslog-ng.conf may look like this:

options { 
	chain_hostnames(off); 
	sync(0); 
	stats(43200); 
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

# direct iptables logs into /var/log/firewall.log
destination iptables { file("/var/log/firewall.log"); };
filter iptables { match("^IPTABLES-"); };
log { source(src); filter(iptables); destination(iptables); };

destination messages { file("/var/log/messages"); };
filter noiptables { not match("^IPTABLES-"); };

# additionally mirror every record (iptables logs included) to tty12
destination console_all { file("/dev/tty12"); };

# write log records which are not iptables logs into messages
log { source(src); filter(noiptables); destination(messages); };
# and every record, unfiltered, to the console
log { source(src); destination(console_all); };


Check the syntax of the new configuration and restart syslog-ng to activate it:
syslog-ng -s
/etc/init.d/syslog-ng restart

At this point syslog-ng does not yet receive any log records from iptables that start with "IPTABLES-". We must add firewall rules that generate them. The LOG target does not terminate rule processing, so these rules belong at the end of each chain, after all ACCEPT and DROP rules: a packet that reaches them has matched nothing else, is logged, and is then handled by the chain's default policy (DROP in the rule set below). To keep a port scan or a flood from filling the disk, a rate limit such as "-m limit --limit 5/min" can be placed in front of "-j LOG".
iptables -A INPUT -j LOG --log-prefix="IPTABLES-INPUT: "
iptables -A OUTPUT -j LOG --log-prefix="IPTABLES-OUTPUT: "
iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "
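Once the LOG rules are in place, /var/log/firewall.log fills with kernel records of the form "IPTABLES-INPUT: IN=eth0 OUT= SRC=... DST=... PROTO=TCP SPT=... DPT=...". The following script is an added example, not code from this page or from syslog-ng: it parses such records (tolerating the optional kernel "[ seconds]" timestamp prefix discussed above) and summarises what the firewall is logging per chain, per destination port and per source address. The log lines embedded in it are constructed samples; the host name "gw" and all addresses are invented for illustration.

```python
#!/usr/bin/env python3
"""Summarise iptables LOG records from /var/log/firewall.log.

Added example, not part of the original page. SAMPLE_LOG is constructed:
host "gw" and every address in it are invented for illustration.
"""
import re
from collections import Counter

# One syslog line as syslog-ng writes it: "<timestamp> <host> kernel: <msg>".
# The kernel prepends "[ seconds] " to <msg> when printk timestamps are on,
# so the IPTABLES- prefix is matched after an optional timestamp rather
# than only at the very start of the message.
_LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'(?:\[\s*\d+\.\d+\] )?IPTABLES-(?P<chain>[A-Z]+): (?P<fields>.*)$'
)
# Netfilter emits KEY=VALUE pairs; bare flags such as DF or SYN carry no '='
# and are skipped by this pattern. An empty value (OUT=) is allowed.
_KV_RE = re.compile(r'([A-Z]+)=(\S*)')

# Constructed sample of a firewall.log: two telnet probes from one source
# (the second with a kernel timestamp), an ICMP timestamp request, one
# blocked outbound DNS query, and an unrelated sshd line that must be skipped.
SAMPLE_LOG = """\
Apr  3 10:15:01 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:50:56:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5823 DF PROTO=TCP SPT=40111 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  3 10:15:02 gw kernel: [ 8123.441] IPTABLES-INPUT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5824 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  3 10:15:03 gw kernel: IPTABLES-INPUT: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=13 CODE=0 ID=4711 SEQ=1
Apr  3 10:15:04 gw kernel: IPTABLES-OUTPUT: IN= OUT=xenbr0 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=48000 DPT=53 LEN=40
Apr  3 10:15:05 gw sshd[1234]: Accepted publickey for admin from 198.51.100.5 port 51000 ssh2
"""


def parse_line(line):
    """Parse one firewall.log line into a dict, or return None when the
    line is not an IPTABLES-<chain> record (other kernel or daemon noise)."""
    m = _LINE_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    rec = {'ts': m.group('ts'), 'host': m.group('host'),
           'chain': m.group('chain')}
    for key, val in _KV_RE.findall(m.group('fields')):
        rec[key] = val  # a repeated key (ICMP ID, UDP LEN) keeps the last value
    return rec


def summarize(lines):
    """Return (per_chain, per_target, per_src) Counters: hits per chain,
    per (chain, PROTO, DPT), and for the INPUT chain per source address."""
    per_chain, per_target, per_src = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_chain[rec['chain']] += 1
        per_target[(rec['chain'], rec.get('PROTO'), rec.get('DPT'))] += 1
        if rec['chain'] == 'INPUT' and 'SRC' in rec:
            per_src[rec['SRC']] += 1
    return per_chain, per_target, per_src


def report(lines, top=5):
    """Build a short human-readable summary and return it as text."""
    per_chain, per_target, per_src = summarize(lines)
    out = ['hits per chain: ' + ', '.join(
        f'{c}={n}' for c, n in per_chain.most_common())]
    out.append('top targets (chain proto dport):')
    for (chain, proto, dpt), n in per_target.most_common(top):
        out.append(f'  {n:5d}  {chain} {proto} {dpt or "-"}')
    out.append('top INPUT sources:')
    for src, n in per_src.most_common(top):
        out.append(f'  {n:5d}  {src}')
    return '\n'.join(out)


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:  # e.g. /var/log/firewall.log
            print(report(fh))
    else:
        print(report(SAMPLE_LOG.splitlines()))
```

Run it as "python3 fwlog.py /var/log/firewall.log" to see which ports and sources dominate the drops; the per-source counter is the quickest way to spot a scanner, and the per-target counter shows which additional silent DROP rules (like the Samba and HTTP ones in the rule set below) would most reduce log noise.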



Here is a complete rule set for a simple iptables firewall. Many thanks to Ben.

#!/bin/sh

# interfaces
LOCALHOST='lo'
NET='eth0'
# bridge (on xen host)
BRIDGE='xenbr0'

# default policy
DEFAULTPOLICY='DROP'

IPTABLES=/sbin/iptables

# activate IP forwarding in the kernel (only needed if this host routes or
# bridges for others; what may actually be forwarded is still decided by the
# FORWARD chain below)
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush all chains in the filter table (deleting rules) 
# flush all chains in the nat table (deleting rules) 
# delete every non-builtin chain (must be empty of rules) in the filter table 
# delete every non-builtin chain (must be empty of rules) in the nat table 
$IPTABLES -F -t filter 
$IPTABLES -F -t nat 
$IPTABLES -X -t filter 
$IPTABLES -X -t nat

# set the policies for the built-in chains 
$IPTABLES -P INPUT $DEFAULTPOLICY 
$IPTABLES -P FORWARD $DEFAULTPOLICY 
$IPTABLES -P OUTPUT $DEFAULTPOLICY 

# allow all for localhost
$IPTABLES -A INPUT -i $LOCALHOST -j ACCEPT 
$IPTABLES -A OUTPUT -o $LOCALHOST -j ACCEPT

# allow outgoing traffic
$IPTABLES -A OUTPUT -o $NET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# allow responses
$IPTABLES -A INPUT -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT

# OPEN PORTS
# ICMP (ping)
$IPTABLES -A INPUT -i $NET -p icmp --icmp-type destination-unreachable -j ACCEPT 
$IPTABLES -A INPUT -i $NET -p icmp --icmp-type time-exceeded -j ACCEPT 
$IPTABLES -A INPUT -i $NET -p icmp --icmp-type echo-reply -j ACCEPT 
$IPTABLES -A INPUT -i $NET -p icmp --icmp-type echo-request -j ACCEPT 
# SSH 
$IPTABLES -A INPUT -i $NET -m state --state NEW --protocol tcp --dport 22 -j ACCEPT 
# FTP 
$IPTABLES -A INPUT -i $NET -m state --state NEW --protocol tcp --dport 21 -j ACCEPT

# allow bridging (e.g. for xen hosts)
#$IPTABLES -A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT

# keep log clean: drop noisy broadcast and scan traffic silently instead of
# logging it. These rules only have to come before the LOG rules at the end
# of the chain, so they are appended (-A) like all the others.
# drop samba requests (137-139)
$IPTABLES -A INPUT -i $NET -p tcp --dport 137:139 -j DROP 
$IPTABLES -A INPUT -i $NET -p udp --dport 137:139 -j DROP 
# drop bootp/dhcp requests (67-68)
$IPTABLES -A INPUT -i $NET -p tcp --dport 67:68 -j DROP 
$IPTABLES -A INPUT -i $NET -p udp --dport 67:68 -j DROP 
# drop http/https requests 
$IPTABLES -A INPUT -i $NET -p tcp --dport 80 -j DROP 
$IPTABLES -A INPUT -i $NET -p tcp --dport 443 -j DROP

# log the rest: LOG does not terminate rule processing, so every packet
# logged here falls through to the default policy (DROP) afterwards
$IPTABLES -A INPUT -j LOG --log-prefix="IPTABLES-INPUT: " 
$IPTABLES -A OUTPUT -j LOG --log-prefix="IPTABLES-OUTPUT: " 
$IPTABLES -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: " 


