as Andrea described, there is an easy way to make iptables log into its own logfile instead of cluttering syslog. I'd like to sum it up in this post.
you need to change all your log-prefixes to contain a unique keyword, e.g. netfilter as I do in the following example. pick something that does not show up in other kernel messages, because the rsyslog match below is a plain substring match on the whole message. keep in mind that --log-prefix is limited to 29 characters, and that LOG is a non-terminating target: the rule below only sees packets that reach the end of the INPUT chain, so put it before the rules whose hits you want to see (or add a dedicated LOG rule in front of each of them). a rate limit (-m limit) is a good idea on busy hosts so an attacker cannot flood your logfile.
iptables -A INPUT -j LOG --log-prefix "netfilter in: "
afterwards just add some filter conditions for rsyslogd. place a file called 10-iptables.conf into /etc/rsyslog.d/ with the following content. the number matters: rsyslog reads the files in /etc/rsyslog.d/ in lexical order, so the filter has to sort before the distribution default (50-default.conf on Debian/Ubuntu), otherwise the messages are already written to /var/log/syslog and kern.log before the discard rule is reached.
:msg, contains, "netfilter" /var/log/iptables.log
:msg, contains, "netfilter" ~
both lines match on every log message containing netfilter, but the first line writes it to /var/log/iptables.log and the second line drops it to avoid further processing. the second line can also be written as & ~ (the & reuses the previous selector). on newer rsyslog versions the ~ discard action is deprecated in favour of stop, so & stop does the same thing there. restart rsyslog afterwards and check the file gets populated; rsyslogd -N1 verifies the syntax without starting the daemon.
a good idea is to enable log rotation so you don't end up with a full /var filesystem. just copy and paste rsyslog's own logrotate config and adjust the path. place a file called iptables into /etc/logrotate.d/ with the following content. the postrotate command is the Debian one from the time of writing; use whatever your /etc/logrotate.d/rsyslog uses (newer Debian/Ubuntu releases call /usr/lib/rsyslog/rsyslog-rotate there), otherwise rsyslog keeps writing to the rotated file. logrotate -d /etc/logrotate.d/iptables dry-runs the config.
/var/log/iptables.log {
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
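to tie the three steps together, here is a small POSIX shell script. it is an added example and not part of the original post: it renders the rsyslog filter and the logrotate stanza for a chosen keyword and logfile, applies the same substring test rsyslog would apply to a few constructed kernel log lines (so you can see which lines would end up in the new file and which would not), and shows the kind of quick summary that becomes easy once the hits live in their own file. the keyword, the logfile path, the sample lines and the addresses in them are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Keyword and logfile are assumptions; override via the environment.
KEYWORD="${KEYWORD:-netfilter}"
LOGFILE="${LOGFILE:-/var/log/iptables.log}"

# The two-line rsyslog filter from the post: first line writes the
# message to its own file, second line discards it ("~" is the
# legacy discard action; newer rsyslog accepts "stop").
render_rsyslog_conf() {
    printf ':msg, contains, "%s" %s\n' "$KEYWORD" "$LOGFILE"
    printf ':msg, contains, "%s" ~\n' "$KEYWORD"
}

# The logrotate stanza from the post, with the logfile substituted.
render_logrotate_conf() {
    cat <<EOF
$LOGFILE {
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
EOF
}

# Constructed sample of what the kernel hands to syslog: two lines carry
# the keyword in the LOG prefix, the third is an unrelated kernel message
# and must not be caught by the filter.
SAMPLE='Mar  1 10:00:01 host kernel: netfilter in: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Mar  1 10:00:02 host kernel: netfilter in: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Mar  1 10:00:03 host kernel: eth0: link up'

# Same test rsyslog's ":msg, contains" performs: a fixed-string match
# anywhere in the message, reading from stdin.
filter_keyword() {
    grep -F -- "$KEYWORD"
}

# Number of sample lines that would land in $LOGFILE.
count_matches() {
    printf '%s\n' "$SAMPLE" | filter_keyword | grep -c .
}

# Hits per source address, most active first: the kind of one-liner
# a dedicated iptables logfile makes cheap.
top_sources() {
    filter_keyword | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Hits from one source address in the sample (empty if none).
hits_from() {
    printf '%s\n' "$SAMPLE" | top_sources | awk -v ip="$1" '$2 == ip { print $1 }'
}

# Run with "show" to print the generated configs and the summary.
if [ "${1:-}" = "show" ]; then
    render_rsyslog_conf
    render_logrotate_conf
    printf '%s\n' "$SAMPLE" | top_sources
fi
```

against a real installation, run the same top_sources pipeline over /var/log/iptables.log instead of the constructed sample; the render functions can be redirected into /etc/rsyslog.d/10-iptables.conf and /etc/logrotate.d/iptables, after adjusting the postrotate line to what your distribution's rsyslog logrotate config uses.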