Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
Date: Thu, 28 Apr 2011 16:09:07
Message-Id: BANLkTimjFSuH55BjvZ0kx0Q4thr_3zrGnQ@mail.gmail.com
In Reply to: [gentoo-user] Re: [OT router advice] a router capable of detailed logs by Harry Putnam
On 28 April 2011 06:31, Harry Putnam <reader@×××××××.com> wrote:
> Mick <michaelkintzios@×××××.com> writes:

>> Once you access it via telnet, have a look for any log rules in IP Tables
>> (/sbin/iptables -L -v -n) and perhaps all we need to do is modify those.
>
> Yeah I had a look at the lines containing LOG and of course had no
> idea of what they meant or how to alter them.

OK, let's see what you've got here. The first logging rule is this:

> Chain BLOCK (0 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

In the chain called BLOCK you have rule No.1 with target LOG which is
used to ... log:

all protocols
no options
any source
any destination
all(?) flags
level 4 of verbosity

I assume that setting this to level 6 would show ports too.


> The entire iptables is inlined below... maybe you will know how to alter
> them so that ports show up in logs.  That is, only if you are still
> patient enough to continue.... so far, no one has complained about the
> OT thread... but I fear I must be nearing the end of your patient
> willingness to continue, if not the list's willingness to allow my OT
> thread.

No worries! I'm no iptables guru, but I'm still here! ;-)


> There are only 4 instances of LOG in the tables.  But I wonder if it might
> just be an increase in log level that is required.

Yes, level 6, or level 7 (debug) should give you more than the
verbosity required. Careful though you don't overdo it and flood your
logs. To guard against this, options like --limit-burst or
--limit-rate will only capture some of the initial similar packets and
quietly drop the rest.


> I wanted to try that out, but was a bit chicken, thinking I'd destroy
> whatever setup there is that invokes the iptable rules.

Yes, that's wise. You don't want to be inadvertently opening holes in
your firewall ...

This is why you can back up the existing set of rules and then
reinstate it when you need to. In Gentoo we can see in our
/etc/conf.d/iptables:
==========================================
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"
==========================================

Unless you are running some special script at boot up, that's where
all your running rules will be saved:

# /etc/init.d/iptables --verbose save
* Saving iptables state ... [ ok ]

Then run any commands you want to alter your rule set and, if you don't
like it, restart/reload your iptables (without saving first) to restore
your previous configuration.

I would therefore recommend that you experiment on your desktop to
achieve the logging level you want and then run the same commands on
the router. I guess on the router you'll have to reboot it to reset
the rules, or you will need to find the Linksys equivalent command
that will save the running rule set (it may be different to
/etc/init.d/iptables save - most probably something like
/sbin/iptables-save with redirection to a file).

The command you want to run is /sbin/iptables --replace:

-R, --replace chain rulenum rule-specification
    Replace a rule in the selected chain. If the source and/or
    destination names resolve to multiple addresses, the command will
    fail. Rules are numbered starting at 1.

So, to modify the above rule you would run something like:

/sbin/iptables --replace BLOCK 1 -m limit --limit 15/minute -j LOG \
    --log-level 6 --log-prefix "Blocked packets"

This will only replace the above number 1 rule in the BLOCK chain.


> Chain DOS (6 references)
> target     prot opt source               destination
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0          limit: avg 200/sec b
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABL
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0          limit: avg 200/sec b
> RETURN     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 limit: a
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

To replace the above number 5 rule in the DOS chain you need to follow
my example, but first you have to see more than the options shown
above - I think that your terminal only showed up to a "burst" option
and chopped the rest off?


> Chain SCAN (2 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

Ditto here, you want to replace rule number 1 of the SCAN chain, but
you need to see the complete rule options in the original so that you
can also add them in your command, increasing the level to 6 of
course. Have a look in man iptables for details of the different
options.

As I said, try it all out on your desktop, see that you are happy with
the result and then run the 3 commands on your router. If it gives
you the results you want, then save them in the configuration - once
you find where these rules are saved of course. Perhaps clicking on
the save button of the GUI will achieve the same result after you have
made all these changes - give it a try and see if it works.

HTH.
--
Regards,
Mick
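The save / edit / restore loop described in the message above, and the question of whether ports show up in the log, as an added example that is not part of Mick's or Harry's messages. It is a POSIX sh script with two functions of its own naming: add_log_prefix rewrites rules in iptables-save format offline so that every LOG rule carries a prefix made from its chain name, and summarize_log reduces the resulting kernel log lines to "prefix proto src:spt -> dst:dpt". The rule text, the log lines and the /tmp paths are constructed for the example; only the chain names BLOCK and SCAN follow the router dump quoted in the thread. Two details a practitioner will want that the thread does not spell out: the LOG target records SPT= and DPT= for TCP and UDP at every --log-level, because the level is the syslog priority rather than a verbosity knob, so the ports are already in the log and a prefix plus the -m limit match are what make the lines findable and keep them from flooding; and the kernel prints the prefix glued straight onto "IN=", which is why the prefixes below end in a space.

```shell
#!/bin/sh
# Added example, not code from the thread: edit the LOG rules of a saved
# iptables rule set offline, then summarise the kernel log lines they
# produce. All rule text and log lines below are constructed for the
# example; only the chain names (BLOCK, SCAN) come from the router dump.

# Rewrite iptables-save text from stdin: every "-A <chain> ... -j LOG" rule
# without a --log-prefix gets one made from its chain name. The trailing
# space matters because the kernel prints the prefix glued to "IN=".
# The kernel accepts at most 29 characters of prefix, so long chain names
# are cut here rather than rejected at restore time.
add_log_prefix() {
    awk '
    /^-A / && (/ -j LOG / || / -j LOG$/) && !/--log-prefix/ {
        prefix = substr($2 ": ", 1, 29)
        printf "%s --log-prefix \"%s\"\n", $0, prefix
        next
    }
    { print }
    '
}

# Summarise kernel LOG lines from stdin as "prefix proto src:spt -> dst:dpt".
# SPT=/DPT= are present for TCP and UDP whatever --log-level is set to; the
# level only picks the syslog priority. Lines that are not LOG output
# (no "kernel: " or no "IN=" field) are skipped.
summarize_log() {
    awk '
    {
        k = index($0, "kernel: "); q = index($0, "IN=")
        if (k == 0 || q == 0) next
        prefix = substr($0, k + 8, q - (k + 8))
        sub(/ +$/, "", prefix)
        proto = "?"; src = ""; dst = ""; spt = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            e = index($i, "=")
            if (e == 0) continue
            key = substr($i, 1, e - 1); val = substr($i, e + 1)
            if (key == "PROTO") proto = val
            else if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "SPT") spt = val
            else if (key == "DPT") dpt = val
        }
        if (src == "") next
        printf "%s %s %s:%s -> %s:%s\n", prefix, proto, src, spt, dst, dpt
    }
    '
}

# Constructed iptables-save output, loosely modelled on the router's chains.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:BLOCK - [0:0]
:SCAN - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j LOG --log-prefix "ssh: "
-A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j SCAN
-A BLOCK -j LOG
-A BLOCK -j DROP
-A SCAN -m limit --limit 10/sec -j LOG
-A SCAN -j DROP
COMMIT'

# Constructed kernel log lines as the rewritten rules would produce them
# (the MAC= field is left out to keep the lines short). The last line is
# ordinary syslog noise and must be ignored.
SAMPLE_LOG='Apr 28 16:09:07 router kernel: BLOCK: IN=eth1 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 28 16:09:08 router kernel: SCAN: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=UDP SPT=53 DPT=33434 LEN=8
Apr 28 16:09:09 router kernel: BLOCK: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Apr 28 16:09:10 router dropbear[123]: Child connection from 192.0.2.20:41000'

# On the router itself (as root) the same functions slot into the
# save / edit / restore loop from the thread; the backup is the undo:
#   iptables-save > /tmp/rules.bak
#   add_log_prefix < /tmp/rules.bak > /tmp/rules.new
#   iptables-restore < /tmp/rules.new    # revert: iptables-restore < /tmp/rules.bak
# Here the constructed samples are used instead, so nothing needs root:
printf '%s\n' "$SAMPLE_RULES" | add_log_prefix
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

Because add_log_prefix only touches LOG rules that have no prefix yet, it is safe to run on a rule set more than once, and rules that already carry a prefix (the constructed "ssh: " rule) come out unchanged. The limit match in the SCAN rule is kept as it was, so the flood protection the thread warns about is preserved.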