Hi,

As from the man:

LOG:
       This is a "non-terminating target",
       i.e. rule traversal continues at the next rule.  So if you
       want to LOG the packets you refuse, use two separate rules
       with the same matching criteria, first using target LOG
       then DROP (or REJECT).

So, simply insert a rule which matches the traffic you accept, before you accept
it.

Some advice: you accept any packet with a destination port matching your services.
You should only accept the --state NEW packets; -s 0/0 is useless; -m limit
is quite useful too; and finally, if you want to have stats on a per-protocol
basis, you should use a separate line for each proto and use the counters
associated with each rule.


iptables -P INPUT DROP
# LOG is non-terminating: NEW packets to your services are logged here and
# then continue to the ACCEPT rules below.  -m multiport takes --dports
# (plural); a bare --dport is claimed by the tcp match and rejects a port list.
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,110,113 -i eth0 -m limit -j LOG --log-prefix "ACCEPTED: "
# One ACCEPT per port, so "iptables -L INPUT -v -n" shows a counter per service.
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 25 -i eth0 -j ACCEPT
..
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything reaching here falls through to the DROP policy; log it first, rate-limited.
iptables -A INPUT -m limit -j LOG --log-prefix "DROPPED: "


Hope that helps,

JeF

On Sun, Apr 21, 2002 at 11:54:06PM +0200, Lars Roland Kristiansen wrote:
> Hi, I have a fairly simple iptables script that blocks all except port
> 22, 25, 110 and 113. It looks like this
> 
> ---------------------------------------------------------------------------
> iptables -P INPUT DROP
> 
> iptables -A INPUT -p tcp -m multiport -s 0/0 --dports 22,25,110,113 -i eth0 -j ACCEPT
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ----------------------------------------------------------------------------
> 
> Is there an easy way to set up logging so I can see both all that are
> allowed through and all who get dropped?
> 
> Thanks
> 
> 
> ___
> Mvh./Yours sincerely
> 
> Lars 
> 
> ========================================================================
> Lars Roland Kristiansen             | Email:        [EMAIL PROTECTED] 
> Stu. Sci. Math/Computer science     | TLF(home):    39670663 
> Copenhagen University -             | Home address: Emdrupvej 175 
> Institute for Mathematical Sciences | C/O Rune Bruhn 2400 Copenhagen NV 
> Url: www.math.ku.dk                 |
> ========================================================================
> 
>    "Politics is for the moment, equations are forever"
>                                                     - Albert Einstein
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 
-> Jean-Francois Dive
--> [EMAIL PROTECTED]
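An added example, not part of JeF's or Lars's messages: a script that generates the "log what you accept, log what you drop" INPUT chain described above (emitted as commands for review, to be applied with "gen_rules | sh" as root), plus an awk summary of the kernel LOG lines it produces, counted per prefix, protocol and destination port, which gives the per-service stats JeF mentions. The interface name eth0, the four TCP ports, the limit rates, the loopback ACCEPT rule and the sample log lines are all assumptions of this example and are not from the thread.

```sh
#!/bin/sh
# Added example (not from the original thread).  Assumptions: services on
# eth0, the four TCP ports below, syslog writing kernel LOG lines to a file.

IFACE=eth0
PORTS="22 25 110 113"

# Emit the ruleset instead of running it, so it can be reviewed (or diffed
# against the running chain) before "gen_rules | sh" applies it.
gen_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    # Loopback is not in the original thread, but a DROP policy without it
    # breaks local services; listed here as an addition.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to our own connections and related traffic (e.g. ICMP errors)
    # come first, so they never reach the logging rules below.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Log NEW connections to our services, rate-limited so a scan cannot fill
    # the disk.  LOG is non-terminating, so the ACCEPT rules still see them.
    ports_csv=$(echo $PORTS | tr ' ' ',')
    echo "iptables -A INPUT -i $IFACE -p tcp -m state --state NEW -m multiport --dports $ports_csv -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix \"ACCEPTED: \""
    # One ACCEPT per port: each rule keeps its own packet/byte counter,
    # visible with "iptables -L INPUT -v -n".
    for p in $PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    # Everything else: log (rate-limited), then fall through to the DROP policy.
    echo "iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix \"DROPPED: \""
}

# Read kernel LOG lines on stdin; print "<PREFIX> <PROTO> <DPT> <count>"
# per prefix/protocol/destination port, sorted.
summarize_log() {
    awk '
    /kernel:/ && /(ACCEPTED|DROPPED):/ {
        prefix = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "ACCEPTED:" || $i == "DROPPED:") prefix = substr($i, 1, length($i) - 1)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (prefix != "") count[prefix " " proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample lines in the format the LOG target writes via syslog
# (not captured from a real host).
SAMPLE_LOG='Apr 22 00:01:02 gw kernel: ACCEPTED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 00:01:05 gw kernel: ACCEPTED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 00:01:09 gw kernel: ACCEPTED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.12 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 22 00:02:00 gw kernel: DROPPED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2001 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 22 00:02:01 gw kernel: DROPPED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=32 TOS=0x00 PREC=0x00 TTL=48 ID=2002 PROTO=UDP SPT=51001 DPT=161 LEN=12'

# Stand-alone run: print the ruleset for review, then the log summary.
# On a real host, replace the sample with e.g. "grep kernel: /var/log/messages".
gen_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

Note that the ESTABLISHED,RELATED rule is placed before the LOG rules here, which keeps the accepted-connection log to one line per connection instead of one per packet; the thread's ruleset puts it after the per-port ACCEPTs, which also works but only because the LOG rule is restricted to --state NEW.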

