Re: logging iptables

To: Lars Roland Kristiansen <m00lrk@math.ku.dk>
Cc: Debian-security@lists.debian.org
Subject: Re: logging iptables
From: Jean-Francois Dive <jef@linuxbe.org>
Date: Mon, 22 Apr 2002 08:14:45 +1000
Message-id: <[🔎] 20020421221445.GA494@gnoll.homeip.net>
In-reply-to: <[🔎] Pine.OSF.4.21.0204212347500.30705-100000@gram.math.ku.dk>
References: <[🔎] Pine.OSF.4.21.0204212347500.30705-100000@gram.math.ku.dk>

Hi,

As from the man:

LOG:
	This is a "non-terminating target",
       i.e. rule traversal continues at the next rule.  So if you
       want to LOG the packets you refuse, use two separate rules
       with  the  same matching criterias, first using target LOG
       then DROP (or REJECT).

So, simply insert a rule which match the traffic you accept, before you accept
it.

An advice: you accpt any packet with destination port matching your services.
You should only accpet the --state NEW packets; -s 0/0 is useless, use -m limit
is quite usefull too, and finally, if you want to have stats on a per protocol
basis, you should use a separate line for each proto and use the counters
associated with each rule. 


iptables -P INPUT DROP
iptables -A INPUT -p tcp -m multiport -m state --state NEW --dport 22,25,110,113 -i eth0 -m limit -j LOG --log-prefix "ACCEPTED:"
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m multiport -m state --state NEW --dport 25 -i eth0 -j ACCEPT
..
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit -j LOG --log-prefix "DROPED"


Hope that help,

JeF

On Sun, Apr 21, 2002 at 11:54:06PM +0200, Lars Roland Kristiansen wrote:
> Hi i have a fairly simple iptables script that blocks all except from port
> 22, 25, 110 and 113. it looks like this
> 
> ---------------------------------------------------------------------------
> iptables -P INPUT DROP
> 
> iptables -A INPUT -p tcp -m multiport -s 0/0 --dport 22,25,110,113 -i eth0
> -j ACCEPT
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ----------------------------------------------------------------------------
> 
> is there an easy way to set up logging so i can see both all that are
> allowd through and all who gets droped. 
> 
> Thanks
> 
> 
> ___
> Mvh./Yours sincerely
> 
> Lars 
> 
> ========================================================================
> Lars Roland Kristiansen             | Email:        m00lrk@math.ku.dk 
> Stu. Sci. Math/Computer science     | TLF(home):    39670663 
> Copenhagen University -             | Home address: Emdrupvej 175 
> Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
> Url: www.math.ku.dk                 |
> ========================================================================
> 
>    "Politics is for the moment, equations are forever"
>                                                     - Albert Einstein
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
-> Jean-Francois Dive
--> jef@linuxbe.org


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: logging iptables
  - From: Lars Roland Kristiansen <m00lrk@math.ku.dk>

References:
- logging iptables
  - From: Lars Roland Kristiansen <m00lrk@math.ku.dk>

Prev by Date: logging iptables
Next by Date: Re: enforcing resource limits
Previous by thread: logging iptables
Next by thread: Re: logging iptables
Index(es):
- Date
- Thread