On 28 April 2011 06:31, Harry Putnam <reader@×××××××.com> wrote:
> Mick <michaelkintzios@×××××.com> writes:

>> Once you access it via telnet, have a look for any log rules in IP Tables
>> (/sbin/iptables -L -v -n) and perhaps all we need to do is modify those.
>
> Yeah, I had a look at the lines containing LOG and of course had no
> idea of what they meant or how to alter them.

OK, let's see what you've got here. The first logging rule is this:

> Chain BLOCK (0 references)
> target prot opt source destination
> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
> DROP all -- 0.0.0.0/0 0.0.0.0/0

In the chain called BLOCK you have rule No.1 with target LOG, which is
used to ... log:

all protocols
no options
any source
any destination
all(?) flags
level 4 of verbosity

I assume that setting this to level 6 would show ports too.


> The entire iptables is inlined below... maybe you will know how to alter
> them so that ports show up in logs. That is, only if you are still
> patient enough to continue.... so far, no one has complained about the
> OT thread... but I fear I must be nearing the end of your patient
> willingness to continue, if not the list's willingness to allow my OT
> thread.

No worries! I'm no iptables guru, but I'm still here! ;-)


> There are only 4 instances of LOG in the tables. But I wonder if it might
> just be an increase in log level that is required.

Yes, level 6, or level 7 (debug), should give you more than the
verbosity required. Careful, though, that you don't overdo it and flood
your logs. To guard against this, options like --limit-burst or
--limit-rate will only capture some of the initial similar packets and
quietly drop the rest.


> I wanted to try that out, but was a bit chicken, thinking I'd destroy
> whatever setup there is that invokes the iptable rules.

Yes, that's wise. You don't want to be inadvertently opening holes in
your firewall ...

This is why you can back up the existing set of rules and then
reinstate it when you need to. In Gentoo we can see in our
/etc/conf.d/iptables:
==========================================
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"
==========================================

Unless you are running some special script at boot up, that's where
all your running rules will be saved:

# /etc/init.d/iptables --verbose save
 * Saving iptables state ... [ ok ]

Then run any commands you want to alter your rule set and, if you don't
like it, restart/reload your iptables (without saving first) to restore
your previous configuration.

I would therefore recommend that you experiment on your desktop to
achieve the logging level you want and then run the same commands on
the router. I guess on the router you'll have to reboot it to reset
the rules, or you will need to find the Linksys equivalent command
that will save the running rule set (it may be different to
/etc/init.d/iptables save - most probably something like
/sbin/iptables-save with redirection to a file).

The command you want to run is /sbin/iptables --replace:

-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or
destination names resolve to multiple addresses, the command will
fail. Rules are numbered starting at 1.

So, to modify the above rule you would run something like:

/sbin/iptables --replace BLOCK 1 -m limit --limit 15/minute -j LOG
--log-level 6 --log-prefix "Blocked packets"

This will only replace the above number 1 rule in the BLOCK chain.


> Chain DOS (6 references)
> target prot opt source destination
> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 200/sec b
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABL
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 200/sec b
> RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: a
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec bu
> DROP all -- 0.0.0.0/0 0.0.0.0/0

To replace the above number 5 rule in the DOS chain you need to follow
my example, but first you have to see more than the options shown
above - I think that your terminal only showed up to a "burst" option
and chopped the rest off?


> Chain SCAN (2 references)
> target prot opt source destination
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec bu
> DROP all -- 0.0.0.0/0 0.0.0.0/0

Ditto here: you want to replace rule number 1 of the SCAN chain, but
you need to see the complete rule options in the original so that you
can also add them in your command, increasing the level to 6 of
course. Have a look in man iptables for details of the different
options.

As I said, try it all out on your desktop, see that you are happy with
the result and then run the 3 commands on your router. If it gives
you the results you want, then save them in the configuration - once
you find where these rules are saved, of course. Perhaps clicking on
the save button of the GUI will achieve the same result after you have
made all these changes - give it a try and see if it works.

HTH.
--
Regards,
Mick
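The save / replace / roll-back workflow described in the message above, written up as a small POSIX shell script. This is an added example, not code from the thread or from Gentoo's iptables init script; it assumes the standard /sbin/iptables, iptables-save and iptables-restore binaries, and the script name tune_log_rule.sh, the IPT and BACKUP variables and the helper function names are mine. It reads the current rule with "iptables -S", which prints the full rule specification (so nothing is cut off like the -L output quoted above), refuses to replace a rule that is not already a LOG rule, and rate-limits the new LOG rule with the limit match (--limit, with --limit-burst available for the burst size).

```shell
#!/bin/sh
# Added example (not from the thread): back up the running rule set, replace one
# existing LOG rule with a rate-limited LOG rule at a higher log level, and roll
# back if the replacement fails.  IPT can point at a wrapper for a dry run.
IPT="${IPT:-/sbin/iptables}"
BACKUP="${BACKUP:-/root/iptables-before-logging.rules}"   # assumed path

# Print the rule specification for review before it is applied.
# $1 chain  $2 rule number  $3 log level (0-7)  $4 log prefix  $5 limit (e.g. 15/minute)
log_rule_spec() {
    printf '%s\n' "-R $1 $2 -m limit --limit $5 -j LOG --log-level $3 --log-prefix '$4'"
}

# True if rule $2 of chain $1 currently jumps to LOG.  "iptables -S" prints the
# complete rule spec (nothing cut off); its line 1 is the chain policy/name, so
# rule N is on line N+1.
rule_is_log() {
    "$IPT" -S "$1" | sed -n "$(($2 + 1))p" | grep -q -e '-j LOG'
}

# Replace rule $2 in chain $1, but only if it is a LOG rule: never turn a DROP
# into a LOG by typing the wrong rule number.
apply_log_rule() {
    chain=$1; num=$2; level=$3; prefix=$4; limit=$5
    if ! rule_is_log "$chain" "$num"; then
        echo "rule $num in chain $chain is not a LOG rule, refusing" >&2
        return 1
    fi
    "$IPT" -R "$chain" "$num" -m limit --limit "$limit" \
        -j LOG --log-level "$level" --log-prefix "$prefix"
}

# -c keeps packet/byte counters, matching SAVE_RESTORE_OPTIONS="-c" above.
backup_rules()  { iptables-save -c > "$BACKUP"; }
restore_rules() { iptables-restore -c < "$BACKUP"; }

main() {
    backup_rules
    log_rule_spec BLOCK 1 6 "Blocked packets: " 15/minute
    apply_log_rule BLOCK 1 6 "Blocked packets: " 15/minute || restore_rules
    "$IPT" -L BLOCK -v -n --line-numbers      # confirm what is now in place
}

# Run only when executed as tune_log_rule.sh, not when sourced for testing.
if [ "${0##*/}" = "tune_log_rule.sh" ]; then main; fi
```

Run it as root on the desktop first; if the new rule is not what you wanted, restore_rules (or a plain /etc/init.d/iptables restart without saving) puts the old set back.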