I tried to add the LOG option but I don't think it is working. Where would it write the log to?

I added the following to the end of the INPUT chain & OUTPUT chain:

    iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
    iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

Do I need to make a custom log in sysconfig.conf for the iptables log? And if so, what should the line read (i.e. mail.* /var/log/maillog)?

Thanks!
SW

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Wilkes
Sent: Wednesday, February 20, 2002 12:36 AM
To: [EMAIL PROTECTED]
Subject: Re: DNS Problem w/ iptables?

On Tue, Feb 19, 2002 at 10:42:00PM -0500, Steve West wrote:
>
> I'm having some problems w/ my iptables rules and I have tried almost 20 or
> so different attempts and I hope someone here can help. Our network consists
> of one network (eth0) connected to the Internet. The iptables are set up on
> RedHat 7.1 (running Kernel 2.4.9-21smp). This server needs to have ssh, dns,
> smtp, & http running.
>
> iptables -A OUTPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
>
> Is there a security risk to allow ports 1024:65535 out? And if so, how can I
> correct this and still allow ssh, dns, smtp, http, https to work fine?
>
> Also, the way the rules are currently set up does not allow for DNS queries or
> updates between this server, which is a secondary name server, and the primary
> name server. What am I doing wrong? I added for both INPUT & OUTPUT tcp and
> udp rules for port 53 and it still doesn't work. (I don't even know if I
> need to have such rules.)

You shouldn't have to put that rule in there; have you tried using your system w/o it? I've never had to do it, maybe because I said that I would allow "ESTABLISHED,RELATED" packets to an incoming port 22 request.

To debug your problem I would add a marker before you DROP any packet, and as the last rule before it goes to the default, which should be a drop. To do so use this notation:

    -j LOG --log-prefix "DROP "

If you purposely drop something like incoming web, make it look like this:

    --dport 80 -j LOG --log-prefix "INWEB "
    --dport 80 -j DROP

So you can see and count the number dropped. Doing this will greatly help you in debugging, as you'll see a line in syslog that says that it is dropping packets outbound on eth0 with a source port of 53 and that you should open it up, for example.

Is this a part of the FAQ, to LOG all drops to help out in debugging? More than half the posts on this list could be solved if people did that.

Chris
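The LOG target writes through the kernel log, so the prefixed lines land wherever syslogd files the kern facility (on Red Hat of that era, /var/log/messages by default). As an added example, not from either poster: a small Python parser that does the "see and count the number dropped" step over constructed syslog lines, grouping LOG hits by prefix, protocol and destination port so the rule that dropped each flow is obvious. The host name ns2, the addresses and the timestamps are constructed sample data.

```python
"""Count iptables LOG hits in syslog output by prefix, protocol and port."""
import re
from collections import Counter

# Netfilter LOG lines look like:
#   <date> <host> kernel: <prefix>IN=eth0 OUT= SRC=a DST=b ... PROTO=TCP SPT=x DPT=y ...
# MAC= may sit between OUT= and SRC=; ICMP lines carry TYPE=/CODE= instead of SPT=/DPT=.
LOG_RE = re.compile(
    r"kernel: (?:\[[\d. ]+\] )?(?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: two OUTPUT drops of DNS to the primary, two INPUT drops, one non-netfilter line.
SAMPLE_SYSLOG = """\
Feb 20 00:36:12 ns2 kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=53 DPT=53 LEN=48
Feb 20 00:36:13 ns2 kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=1025 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 00:36:20 ns2 kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 00:36:21 ns2 kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 20 00:36:22 ns2 sshd[1234]: Accepted publickey for steve from 203.0.113.4 port 50000 ssh2
"""

def parse_log_line(line):
    """Return the fields of one netfilter LOG line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    return rec

def summarise(lines):
    """Count hits per (prefix, proto, dport); the prefix names the rule that matched."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            counts[(rec["prefix"], rec["proto"], rec["dpt"] or "-")] += 1
    return counts

def report(counts):
    """One line per distinct drop, most frequent first, for a quick read of what to open up."""
    return [f"{n:5d}  {prefix:<14} {proto:<5} dport {dpt}"
            for (prefix, proto, dpt), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE_SYSLOG.splitlines()))))
```

Pointed at a real /var/log/messages, the two "OUTPUT DROP:" rows with dport 53 are exactly the "open up port 53 outbound" signal Chris describes.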