| 1 |
* Harry Putnam <reader@×××××××.com> [110428 01:06]: |
| 2 |
> Yeah I had a look at the lines containing LOG and of course had no |
| 3 |
> idea of what they meant or how to alter them. |
| 4 |
> |
| 5 |
> The entire iptables is inlined below... maybe you will know how to alter |
| 6 |
> them so that ports show up in logs. That is, only if you are still |
| 7 |
> patient enough to continue.... so far, no one has complained about the |
| 8 |
> OT thread... but I fear I must be nearing the end of your patient |
| 9 |
> willingness to continue, if not the lists willingness to allow my OT |
| 10 |
> thread. |
| 11 |
> |
| 12 |
> ------- --------- ---=--- --------- -------- |
| 13 |
> There only 4 instances of LOG in the tables. But I wonder if it might |
| 14 |
> just be an increase in log level that is required. |
| 15 |
|
| 16 |
I don't think so. That's the syslog level and changing it might change |
| 17 |
if you see the logged entries at all (depending on your syslog config.) |
| 18 |
|
| 19 |
> |
| 20 |
> I wanted to try that out, but was a bit chicken, thinking I'd destroy |
| 21 |
> whatever setup there is that invokes the iptable rules. |
| 22 |
|
| 23 |
You won't really break anything by changing the log levels. |
| 24 |
|
| 25 |
If you're changing things using iptables commands from the shell then |
| 26 |
it's unlikely any changes are permanent anyway (everything will go back |
| 27 |
to how it was.) To make a permanent change you'll need to figure how |
| 28 |
and where the iptables rules are being loaded from when the system comes |
| 29 |
up (it might be using iptable-save and iptables-restore or a firewall |
| 30 |
script or similar.) |
| 31 |
|
| 32 |
Now I'm not an expert on iptables logging and I'm sure Mick and/or |
| 33 |
someone else will respond too. |
| 34 |
|
| 35 |
I think your iptables output is truncated at 80 columns too so some of |
| 36 |
the info is missing at the ends of some of the lines. |
| 37 |
|
| 38 |
Also, I apologize but I forget exactly the traffic for which you're |
| 39 |
trying to get the port #'s logged? |
| 40 |
|
| 41 |
But let's go through what's there (apologies if you already know what |
| 42 |
I mention:) |
| 43 |
|
| 44 |
First, iptables has different tables that it (netfilter in the kernel) |
| 45 |
uses for different purposes. The one you're interested in (and which |
| 46 |
you dumped and is the default for the iptables command if you don't |
| 47 |
specify one) is the filter table. |
| 48 |
|
| 49 |
Other tables that are of interest for other things are the nat table |
| 50 |
and, for most people, to a lessor degree the mangle table. |
| 51 |
|
| 52 |
Inside tables there are standard chains of rules and there are |
| 53 |
(potentially) user-defined chains. |
| 54 |
|
| 55 |
The path a packet takes in the system determines which tables and chains |
| 56 |
are processed. |
| 57 |
|
| 58 |
> |
| 59 |
> Chain INPUT (policy DROP) |
| 60 |
|
| 61 |
The filter table INPUT chain is used when a packet is destined for the |
| 62 |
box itself (i.e., not sourced on the box and not being forwarded through |
| 63 |
the box.) |
| 64 |
|
| 65 |
The policy is to DROP any packets that aren't matched by terminating |
| 66 |
rules (e.g., ACCEPT) in the chain. |
| 67 |
|
| 68 |
> target prot opt source destination |
| 69 |
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 |
| 70 |
> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 |
| 71 |
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 |
| 72 |
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 |
| 73 |
|
| 74 |
These ACCEPT rules allow certain traffic destined for the router itself. |
| 75 |
|
| 76 |
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags: |
| 77 |
|
| 78 |
Other TCP traffic that's not allowed above is dropped if it's a NEW TCP |
| 79 |
connection to the router itself (i.e., not a response to TCP traffic |
| 80 |
initiated by the router.) |
| 81 |
|
| 82 |
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABL |
| 83 |
|
| 84 |
This accepts any traffic that's part of a flow initiated from the |
| 85 |
router. |
| 86 |
|
| 87 |
> INPUT_UDP udp -- 0.0.0.0/0 0.0.0.0/0 |
| 88 |
|
| 89 |
Go process the the user defined INPUT_UDP chain if the packet is a UDP |
| 90 |
packet. If that chain reaches the end of its rule list without matching |
| 91 |
a terminating rule it will return back here (as with all jumps to other |
| 92 |
chains.) |
| 93 |
|
| 94 |
> INPUT_TCP tcp -- 0.0.0.0/0 0.0.0.0/0 |
| 95 |
|
| 96 |
Go process the the user defined INPUT_TCP chain if the packet is a TCP |
| 97 |
packet |
| 98 |
|
| 99 |
> DOS icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 |
| 100 |
|
| 101 |
Go process the the user defined DOS chain if the packet is a ICMP |
| 102 |
packet with icmp type 8 |
| 103 |
|
| 104 |
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW |
| 105 |
|
| 106 |
ACCEPT all traffic that's in state NEW to the router. Presumably if a |
| 107 |
packet hasn't been dropped above or in the user defined chains then the |
| 108 |
router wants to see that traffic. |
| 109 |
|
| 110 |
> |
| 111 |
> Chain FORWARD (policy DROP) |
| 112 |
|
| 113 |
The filter table FORWARD chain is used when a packet is being forwarded |
| 114 |
by the system. The default policy is to DROP packets not matched by any |
| 115 |
terminating rules in the chain. |
| 116 |
|
| 117 |
> target prot opt source destination |
| 118 |
> ip_filter all -- 0.0.0.0/0 0.0.0.0/0 |
| 119 |
|
| 120 |
Go process the user defined ip_filter chain for all packets |
| 121 |
|
| 122 |
> POLICY icmp -- 0.0.0.0/0 0.0.0.0/0 |
| 123 |
|
| 124 |
Go process the user defined POLICY chain for ICMP packets |
| 125 |
|
| 126 |
> POLICY udp -- 0.0.0.0/0 0.0.0.0/0 |
| 127 |
|
| 128 |
Go process the user defined POLICY chain for UDP packets |
| 129 |
|
| 130 |
> TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 |
| 131 |
|
| 132 |
Go process the user defined TCPMSS chain for TCP packets with certain |
| 133 |
flags set in the packet |
| 134 |
|
| 135 |
> POLICY tcp -- 0.0.0.0/0 0.0.0.0/0 |
| 136 |
|
| 137 |
Go process the user defined POLICY chain for all TCP packets |
| 138 |
|
| 139 |
> TREND_MICRO tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 http me |
| 140 |
|
| 141 |
Go process the user defined TREND_MICRO chain for tcp traffic destined |
| 142 |
for TCP port 80 (HTTP) |
| 143 |
|
| 144 |
> DMZ_PASS all -- 0.0.0.0/0 0.0.0.0/0 |
| 145 |
|
| 146 |
Go process the user defined DMZ_PASS chain for all traffic |
| 147 |
|
| 148 |
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABL |
| 149 |
|
| 150 |
ACCEPT any traffic that's already been set up (state RELATED or |
| 151 |
ESTABLISHED.) |
| 152 |
|
| 153 |
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW |
| 154 |
|
| 155 |
ACCEPT any traffic that's being initiated |
| 156 |
|
| 157 |
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 |
| 158 |
|
| 159 |
ACCEPT any traffic |
| 160 |
|
| 161 |
> |
| 162 |
> Chain OUTPUT (policy ACCEPT) |
| 163 |
|
| 164 |
The filter table OUTPUT chain is for traffic sourced by the router |
| 165 |
itself. The default policy is to ACCEPT any traffic initiated by the |
| 166 |
router. |
| 167 |
|
| 168 |
> target prot opt source destination |
| 169 |
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 |
| 170 |
|
| 171 |
Allow any ICMP packets from the router |
| 172 |
|
| 173 |
> DROP icmp -- 0.0.0.0/0 0.0.0.0/0 state INVALID |
| 174 |
|
| 175 |
Drop any invalid ICMP packets |
| 176 |
|
| 177 |
> |
| 178 |
> Chain BLOCK (0 references) |
| 179 |
|
| 180 |
User defined chain BLOCK. It's not used by anyone (0 references) so we |
| 181 |
can ignore it |
| 182 |
|
| 183 |
> target prot opt source destination |
| 184 |
> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 |
| 185 |
> DROP all -- 0.0.0.0/0 0.0.0.0/0 |
| 186 |
> |
| 187 |
> Chain DMZ_PASS (1 references) |
| 188 |
> target prot opt source destination |
| 189 |
|
| 190 |
Empty user defined chaing DMZ_PASS |
| 191 |
|
| 192 |
> |
| 193 |
> Chain DOS (6 references) |
| 194 |
|
| 195 |
User defined DOS chain |
| 196 |
|
| 197 |
> target prot opt source destination |
| 198 |
> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 200/sec b |
| 199 |
|
| 200 |
rate limit TCP packets (return to caller if it's OK) |
| 201 |
|
| 202 |
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABL |
| 203 |
|
| 204 |
Return to caller if it's a RELATED or ESTABLISHED UDP packet |
| 205 |
|
| 206 |
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 200/sec b |
| 207 |
|
| 208 |
Rate limit UDP packets (return to caller if it's OK) |
| 209 |
|
| 210 |
> RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: a |
| 211 |
|
| 212 |
Rate limit ICMP type 8 packets (return to caller if it's OK) |
| 213 |
|
| 214 |
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec bu |
| 215 |
|
| 216 |
Create a log entry |
| 217 |
|
| 218 |
> DROP all -- 0.0.0.0/0 0.0.0.0/0 |
| 219 |
|
| 220 |
And then drop the packet |
| 221 |
> |
| 222 |
> Chain FORWARD_TCP (1 references) |
| 223 |
|
| 224 |
The user defined FORWARD_TCP chain. |
| 225 |
|
| 226 |
> target prot opt source destination |
| 227 |
> DOS tcp -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW tc |
| 228 |
|
| 229 |
Call DOS if it's an INVALID or NEW TCP connection |
| 230 |
|
| 231 |
> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 |
| 232 |
|
| 233 |
Return if it's a TCP packet (it's going to return anyway...) |
| 234 |
|
| 235 |
> |
| 236 |
> Chain FORWARD_UDP (1 references) |
| 237 |
|
| 238 |
The user defined FORWARD_UDP chain |
| 239 |
|
| 240 |
> target prot opt source destination |
| 241 |
> DOS udp -- 0.0.0.0/0 0.0.0.0/0 |
| 242 |
|
| 243 |
Call DOS if it's a UDP packet |
| 244 |
|
| 245 |
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 |
| 246 |
|
| 247 |
Return if it's a UDP packet |
| 248 |
|
| 249 |
> |
| 250 |
> Chain HTTP (0 references) |
| 251 |
|
| 252 |
User defined HTTP chain. No one is using it so we can ignore it. |
| 253 |
|
| 254 |
> target prot opt source destination |
| 255 |
> |
| 256 |
> Chain INPUT_TCP (1 references) |
| 257 |
|
| 258 |
User defined INPUT_TCP chain. |
| 259 |
|
| 260 |
> target prot opt source destination |
| 261 |
> SCAN all -- 0.0.0.0/0 0.0.0.0/0 psd weight-threshold |
| 262 |
|
| 263 |
Call SCAN for any packet that's part of a port scanning attempt (as |
| 264 |
defined by the parameters to the psd match.) |
| 265 |
|
| 266 |
> DOS tcp -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW tc |
| 267 |
|
| 268 |
Call DOS for any INVALID or NEW TCP packet |
| 269 |
|
| 270 |
> ACCEPT tcp -- 0.0.0.0/0 192.168.0.20 tcp dpt:30443 |
| 271 |
|
| 272 |
ACCEPT any TCP packet destined for port 30443 and change the destination |
| 273 |
IP address to 192.168.0.20 |
| 274 |
|
| 275 |
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 23, |
| 276 |
|
| 277 |
DROP any TCP traffic matching destination ports 23 and the rest that are |
| 278 |
truncated. |
| 279 |
|
| 280 |
> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 |
| 281 |
|
| 282 |
Return if it's a TCP packet |
| 283 |
|
| 284 |
> |
| 285 |
> Chain INPUT_UDP (1 references) |
| 286 |
|
| 287 |
The user defined INPUT_UDP chain |
| 288 |
|
| 289 |
> target prot opt source destination |
| 290 |
> SCAN all -- 0.0.0.0/0 0.0.0.0/0 psd weight-threshold |
| 291 |
|
| 292 |
Call SCAN if it matches the psd match |
| 293 |
|
| 294 |
> DOS udp -- 0.0.0.0/0 0.0.0.0/0 |
| 295 |
|
| 296 |
Call DOS if it's a UDP packet |
| 297 |
|
| 298 |
> ACCEPT udp -- 68.87.72.13 0.0.0.0/0 udp spt:67 dpt:68 |
| 299 |
|
| 300 |
Accept UDP traffic from host 68.87.72.13 with a source port of 67 and a |
| 301 |
destination port of 68 |
| 302 |
|
| 303 |
> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 |
| 304 |
|
| 305 |
Return if it's a UDP packet |
| 306 |
|
| 307 |
> |
| 308 |
> Chain POLICY (3 references) |
| 309 |
|
| 310 |
User defined POLICY chain |
| 311 |
|
| 312 |
> target prot opt source destination |
| 313 |
> PORT_FORWARD all -- 0.0.0.0/0 0.0.0.0/0 |
| 314 |
|
| 315 |
Call PORT_FORWARD for all packets |
| 316 |
|
| 317 |
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 |
| 318 |
|
| 319 |
RETURN for all packets |
| 320 |
|
| 321 |
> |
| 322 |
> Chain PORT_FORWARD (1 references) |
| 323 |
|
| 324 |
User defined PORT_FORWARD chain |
| 325 |
|
| 326 |
> target prot opt source destination |
| 327 |
> DOS icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 |
| 328 |
|
| 329 |
Call DOS if it's an ICMP type 8 packet |
| 330 |
|
| 331 |
> FORWARD_TCP tcp -- 0.0.0.0/0 0.0.0.0/0 |
| 332 |
|
| 333 |
Call FORWARD_TCP if it's a TCP packet |
| 334 |
|
| 335 |
> FORWARD_UDP udp -- 0.0.0.0/0 0.0.0.0/0 |
| 336 |
|
| 337 |
Call FORWARD_UDP if it's a UDP packet |
| 338 |
|
| 339 |
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 |
| 340 |
|
| 341 |
RETURN for any packet |
| 342 |
|
| 343 |
> |
| 344 |
> Chain SCAN (2 references) |
| 345 |
|
| 346 |
User defined SCAN chain |
| 347 |
|
| 348 |
> target prot opt source destination |
| 349 |
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec bu |
| 350 |
|
| 351 |
Log the packet but not more than 10/sec |
| 352 |
|
| 353 |
> DROP all -- 0.0.0.0/0 0.0.0.0/0 |
| 354 |
|
| 355 |
DROP the packet |
| 356 |
|
| 357 |
> |
| 358 |
> Chain TREND_MICRO (1 references) |
| 359 |
|
| 360 |
User defined TREND_MICRO chain. It doesn't really do anything |
| 361 |
|
| 362 |
> target prot opt source destination |
| 363 |
> RETURN all -- 0.0.0.0/0 0.0.0.0/0 |
| 364 |
> |
| 365 |
> Chain ip_filter (1 references) |
| 366 |
|
| 367 |
User defined ip_filter chain. Doesn't do anything |
| 368 |
|
| 369 |
> target prot opt source destination |
| 370 |
> |
| 371 |
|
| 372 |
OK, so that's what is going on in your iptables. |
| 373 |
|
| 374 |
Without knowing what specific traffic (and the situation) I'm not sure |
| 375 |
where to look at the LOG rules. Sorry I forget this. |
| 376 |
|
| 377 |
All this being said, my LOG rules always include source and destination |
| 378 |
ports for TCP and UDP traffic. |
| 379 |
|
| 380 |
Can you post (or send me in private email) some of your log output to |
| 381 |
look at? |
| 382 |
|
| 383 |
Thanks, |
| 384 |
|
| 385 |
Todd |
Archives