iptables logging

hemi_426 · 05-01-2008, 03:45 AM

i dont have a DROP rule
i have a DROP policy
so everything in my /var/log/iptables is DROPED packets ?

hemi_426 · 05-01-2008, 03:48 AM

my log rule is the first rule in my table so it should log everything right ?

blacky_5251 · 05-01-2008, 03:48 AM

Isn't this a DROP rule at the end?

Code:

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j LOG --log-prefix "DROP UNTRUSTED NETWORKS "
iptables -A block -j DROP

hemi_426 · 05-01-2008, 03:52 AM

im not using that chain im using the following lines

$IPTABLES -A INPUT -p tcp -j LOG --log-level debug
$IPTABLES -A FORWARD -p tcp -j LOG --log-level debug

cause that chain didnt have any traffic and didnt log anything

hemi_426 · 05-01-2008, 03:55 AM

i see its logging allowed traffic cause its logging packets going to squid through port 3128

blacky_5251 · 05-01-2008, 03:57 AM

What does your full iptable look like? Run "iptables -nvL" and post the full output.

If you have a default policy to drop packets, then my understanding is that anything that doesn't match any of your non-logging rules will be dropped. So having LOG at the beginning isn't what you want, you want it at the end. Then, everything that has matched an earlier rule - i.e. legit traffic - will be accepted without logging. Then all the bad stuff will fail all your accept rules, hit the log rule, and then get dropped.

hemi_426 · 05-01-2008, 03:59 AM

now i got it

anyway im posting my firewall

####### Pre Configure Iptables #########
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

###### Blocked logging chain
#$IPTABLES -N block
#$IPTABLES -F block
#$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A block -m state --state NEW -i ! eth0 -j ACCEPT
#$IPTABLES -A block -j LOG --log-level 6 --log-prefix "DROP UNTRUSTED NETWORKS "
#$IPTABLES -A block -j DROP

####### Configure IPROUTE2 Rules #######

####### IPTABLES Rules #################

############ INPUT
$IPTABLES -A INPUT -p tcp -j LOG --log-level debug
$IPTABLES -A INPUT -i $EXTIF -p icmp -m icmp --icmp-type redirect -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 22,21,20,587,110,6666,6667,6668,6669 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

############ FORWARD
# Syn-flood
$IPTABLES -A FORWARD -p tcp -j LOG --log-level debug
$IPTABLES -A FORWARD -p tcp -i $INTIF -o $EXTIF -m multiport --destination-port 22,21,20,25,53,443,587,110,5190,1863,5000,5050,80,3128 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -o $EXTIF -m multiport --destination-port 6666,6667,6668,6669 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Ports Scans
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Ping Death
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $INTIF -o $EXTIF -j ACCEPT

# NetBs Drop
$IPTABLES -A FORWARD -p tcp --dport 135:139 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 445 -j DROP

############ OUTPUT

############ PREROUTING ## -j DNAT --to-destination 192.168.0.1:8080
#$IPTABLES -t nat -A PREROUTING -p tcp -s 10.0.0.0/24 --dport 110 -j DNAT --to-destination 192.168.0.1:4128
$IPTABLES -t nat -A PREROUTING -p tcp -d ! 10.0.0.0/24 -m multiport --dports 80,81,82,83,kerberos,8000,8001,8002 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -p tcp -d ! 172.17.60.0/24 -m multiport --dports 8083,8091,8100,8101,8102,8103,8888,777 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -p tcp -d ! 192.168.0.0/16 -m multiport --dports 443,1863,5190,5050,5100,5000,5001 -j REDIRECT --to-ports 4128
#$IPTABLES -t nat -A PREROUTING -p tcp -d ! 192.168.0.0/16 -m multiport --dports 443,1863,5190 -j REDIRECT --to-ports 4128
#$IPTABLES -t nat -A PREROUTING -p tcp -d ! 192.168.0.0/16 -m multiport --dports 443,1863,5190,5050,5100,5000,5001 -j DNAT --to-destination 127.0.0.1:4128

# POSTROUTING
#$IPTABLES -t nat -A POSTROUTING -j MASQUERADE -s 192.168.0.0/16 -d ! 192.168.0.0/16
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 10.0.0.10/24 -j SNAT --to-source `get_addr $EXTIF`

echo " firewall started "

blacky_5251 · 05-01-2008, 04:05 AM

Glad to hear it. Out of interest, what distro are you using? I haven't seen a dynamically defined iptable like this - generally I see firewalls defined in /etc/sysconfig/iptables, not in an initialization script. Nothing wrong with it, just not something I've come across before.

hemi_426 · 05-01-2008, 04:13 AM

im using slackware12

and here is the beginning of it:

#!/bin/sh

echo " starting firewall.."

/sbin/sysctl -w net.ipv4.ip_forward=1
####### Functions ######################
## Get IP ##
function get_addr()
{
IFCONFIG='/sbin/ifconfig';
HEAD='head -2';
TAIL='tail -1';
CUT='cut -d: -f2';
IP=`$IFCONFIG $1 | $HEAD | $TAIL | awk '{print $2}' | $CUT`;
echo $IP;
}

function get_pppn()
{
IFCONFIG='/sbin/ifconfig';
PPP=`$IFCONFIG | grep ppp | awk '{print $1}'`;
echo $PPP;
}
############

####### Variables ######################
IPTABLES="/usr/sbin/iptables"
IFCFG="/sbin/ifconfig"
TC="/sbin/tc"
IP="/sbin/ip"

EXTIF="eth0"
INTIF="eth1"

about the script i got it from a specialized firewalls friend of mine

blacky_5251 · 05-01-2008, 05:11 AM

I've never used slackware, but I've heard good reports. I use IPCop for my primary firewall, but also run SELinux and iptables on my CentOS machine in my publicly accessible DMZ behind the IPCop box - to be doubly safe.

There is certainly plenty of stuff you can configure with iptables - a very powerful, confusing, and way cool tool.