Audit is another way of logging, using audit records sent to the auditd service.
Action
accept [limit value="rate/duration"] | reject [type="reject type"] [limit value="rate/duration"] | drop [limit value="rate/duration"] | mark set="mark[/mask]" [limit value="rate/duration"]
With mark, all packets will be marked in the PREROUTING chain of the mangle table with the given mark and mask combination. For valid reject types see --reject-with type in the iptables-extensions(8) man page.
Examples
These are examples of how to specify rich language rules. This format (i.e. one string that specifies the whole rule) is used for example by firewall-cmd --add-rich-rule (see firewall-cmd(1)) as well as by the D-Bus interface.
Example 1 Enable new IPv4 and IPv6 connections for protocol 'ah'
rule protocol value="ah" accept
Example 2 Allow new IPv4 and IPv6 connections for service ftp and log 1 per minute using audit
rule service name="ftp" log limit value="1/m" audit accept
Example 3 Allow new IPv4 connections from address 192.168.0.0/24 for service tftp and log 1 per minute using syslog
Example 4 New IPv6 connections from 1:2:3:4:6:: to service radius are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted.
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
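As an added example (not from the firewalld man page or the project's code), the following Python composes rich rules in the one-string form that Examples 1, 2 and 4 above use, validates the Action and limit grammar before the rule reaches firewall-cmd, and passes the result to firewall-cmd --add-rich-rule as argv. The s/m/h/d limit units, the source/family consistency check and the subprocess wrapper are assumptions, not something this page states.

```python
import ipaddress
import re
import subprocess

# Added example, not firewalld's own code; the s/m/h/d limit units are assumed from firewalld.
_LIMIT_RE = re.compile(r"[1-9][0-9]*/[smhd]")  # the page's rate/duration form
_MARK_RE = re.compile(r"(0x[0-9a-f]+|[0-9]+)(/(0x[0-9a-f]+|[0-9]+))?")  # mark[/mask]

def _limit(limit):
    """Render an optional limit clause, refusing malformed rate/duration values."""
    if limit is None:
        return ""
    if not _LIMIT_RE.fullmatch(limit):
        raise ValueError(f"bad limit {limit!r}: expected rate/duration such as 3/m")
    return f' limit value="{limit}"'

def action(kind, limit=None, reject_type=None, mark=None):
    """Render the Action element: accept | reject [type] | drop | mark set."""
    if kind in ("accept", "drop"):
        return kind + _limit(limit)
    if kind == "reject":  # type names are those of iptables --reject-with; shape-checked only
        if reject_type and not re.fullmatch(r"[a-z0-9-]+", reject_type):
            raise ValueError(f"bad reject type {reject_type!r}")
        return "reject" + (f' type="{reject_type}"' if reject_type else "") + _limit(limit)
    if kind == "mark" and mark and _MARK_RE.fullmatch(mark):
        return f'mark set="{mark}"' + _limit(limit)
    raise ValueError(f"bad action {kind!r} (mark={mark!r})")

def rich_rule(act, family=None, source=None, service=None, protocol=None, log=None, audit=None):
    """Compose one rich rule; log is a dict of prefix/level/limit, audit a dict of limit."""
    if family not in (None, "ipv4", "ipv6"):
        raise ValueError(f"bad family {family!r}")
    if source:
        net = ipaddress.ip_network(source, strict=False)  # raises on a malformed address
        if family and net.version != int(family[-1]):
            raise ValueError(f"source {source} is not an {family} address")
    parts = ["rule"] + [f'{k}="{v}"' for k, v in (("family", family), ("source address", source),
                        ("service name", service), ("protocol value", protocol)) if v]
    if log is not None:
        opts = "".join(f' {k}="{log[k]}"' for k in ("prefix", "level") if log.get(k))
        parts.append("log" + opts + _limit(log.get("limit")))
    if audit is not None:
        parts.append("audit" + _limit(audit.get("limit")))
    return " ".join(parts + [act])

def apply_rich_rule(rule, zone=None, permanent=True):
    """Hand a validated rule to firewall-cmd as argv (no shell, so no quoting surprises)."""
    cmd = ["firewall-cmd"] + (["--permanent"] if permanent else []) + ([f"--zone={zone}"] if zone else [])
    return subprocess.run(cmd + [f"--add-rich-rule={rule}"], check=True,
                          capture_output=True, text=True).stdout.strip()
```

Calling apply_rich_rule requires firewall-cmd on the host and, with permanent=True, a following firewall-cmd --reload before the rule takes effect.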
Example 5 Forward IPv6 port/packets received from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012