iptables logging

hemi_426 · 04-29-2008, 07:08 AM

it didnt do it

if u want access to my box i will give u ,
i really want to know its not working

GhostCow · 04-29-2008, 03:06 PM

ok i'll see what i can do, check your mail

eliufoo · 04-30-2008, 12:30 AM

Try this..

Quote:

kern.warning /var/log/iptables

It worked for me. Also, don't forget to restart the syslog file. Also, for testing, use the following log parameter.

iptables -I INPUT -j LOG --log-level debug

This will set the rule ontop of the chain and capture everything coming IN.

Elly

hemi_426 · 04-30-2008, 03:14 AM

im trying now

hemi_426 · 04-30-2008, 03:32 AM

sorry to say it ,but still nothing

tajamari · 04-30-2008, 05:25 AM

Quote:

Originally Posted by GhostCow

restart syslog and check again
don't forget, syslog MUST BE RESTARTED AFTER INITIALIZING LOG RULE

Insert this chain:

# Create chain which blocks new connections, except if coming from inside.
# ----------------------------------------------------------
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A block -j LOG --log-prefix "DROP UNTRUSTED NETWORKS "
iptables -A block -j DROP

Then I edited /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /var/log/firewall.log

You can also add the log file on logrotate.d so it will not accumulate. Dont forget to restart syslog

hemi_426 · 04-30-2008, 04:55 PM

i will test it tomorrow
thanks a lot for ur reply

hemi_426 · 05-01-2008, 02:28 AM

this is the only line i got the whole night
May 1 00:53:58 office kernel: klogd 1.4.1, log source = /proc/kmsg started.

hemi_426 · 05-01-2008, 02:32 AM

#watch -d iptables -nvL
Chain block (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- !eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP UNTRUSTED NETWORKS '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

hemi_426 · 05-01-2008, 02:51 AM

FINALLY I DID IT
i used this line in my syslog.conf
kern.* /var/log/iptables

and these in my iptables
$IPTABLES -A INPUT -p tcp -j LOG --log-level debug
$IPTABLES -A FORWORD -p tcp -j LOG --log-level debug

but is this level of logging give me all kind of traffic passing and blocked packets ?

blacky_5251 · 05-01-2008, 02:56 AM

Give me an IP address and a port number and I'll try to access your server (using ssh). You should be able to watch the attempts come in and being blocked. Pick a weird port number - perhaps 7890.

Happy to try if you want me to. Email me if you don't want to post an IP address.

hemi_426 · 05-01-2008, 03:25 AM

the e-mail is there
but witch code of this line would say that its blocked
example:
May 1 11:22:55 office kernel: IN=eth1 OUT=eth0 SRC=10.0.0.200 DST=77.30.124.216 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=13237 DF PROTO=TCP SPT=1416 DPT=222 WINDOW=16384 RES=0x00 SYN URGP=0

blacky_5251 · 05-01-2008, 03:33 AM

The fact that it gets to your log target means it will hit the DROP target next. So anything in the log should be dropped.

Trying now....

Are you getting anything?

hemi_426 · 05-01-2008, 03:42 AM

yes those lines came in

May 1 11:42:04 office kernel: IN=eth0 OUT= MAC=00:19:e0:0e:b5:f9:00:18:d1:58:a7:4b:08:00 SRC=121.45.139.202 DST=192.168.254.10 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=22596 DF PROTO=TCP SPT=80 DPT=51516 WINDOW=25307 RES=0x00 ACK URGP=0

witch part says "blocked" ?

blacky_5251 · 05-01-2008, 03:45 AM

The log doesn't and won't tell you that it has been blocked. You have to assume that from the fact that the next target/rule after your log target is your DROP rule.

All you can assume from the message in your log file is that this packet has reached your LOG rule in the IP table.