Iptables log forward

Question

Hi i'm testing logging iptables, so for practice i start adding some rules. My problem is with this simple rule iptables -A FORWARD -p ICMP -j LOG With this rule i was trying to log every ping inside my network, but it's only logging when the host is unreachable. When the ping is successful, doesn't log anything. The ping is always from the same host with the same set of ip rules.

I have a lan at my home with a router i made with a linux server, and a switch. What i'm trying to do is to understand iptables better. So i start making test to see what happend. The one i comment here is a ping from my pc to another pc both connect to the switch and this one to the router (linux). I use ping because it easyer to see in the logs, but i undestarnd, belive, that the same is apply for the rest of the protocols. So i ping from host A to host B, and no logs appeard in iptables that it's in the router.

Answer 1

Unless the packets are going through the device you're discussing, they won't hit the FORWARD rule.

Furthermore, in a typical switched network you won't see most packets anyway unless they are either directed at your host or are broadcast packets.

If you want to log every ping sent to or from your host, you need to use this pair of rules:

iptables -I INPUT --protocol icmp --icmp-type 8 -j LOG
iptables -I OUTPUT --protocol icmp --icmp-type 8 -j LOG

If you want the replies too, you'll need a second pair of rules for ICMP type 0. As before, I've provided two rules: one for replies returning to this host and one for replies from this host elsewhere:

iptables -I INPUT --protocol icmp --icmp-type 0 -j LOG
iptables -I OUTPUT --protocol icmp --icmp-type 0 -j LOG