* Harry Putnam <reader@×××××××.com> [110428 01:06]:
> Yeah I had a look at the lines containing LOG and of course had no
> idea of what they meant or how to alter them.
>
> The entire iptables is inlined below... maybe you will know how to alter
> them so that ports show up in logs. That is, only if you are still
> patient enough to continue.... so far, no one has complained about the
> OT thread... but I fear I must be nearing the end of your patient
> willingness to continue, if not the list's willingness to allow my OT
> thread.
>
> ------- --------- ---=--- --------- --------
> There are only 4 instances of LOG in the tables. But I wonder if it might
> just be an increase in log level that is required.

I don't think so. That's the syslog level, and changing it might change
whether you see the logged entries at all (depending on your syslog config.)

>
> I wanted to try that out, but was a bit chicken, thinking I'd destroy
> whatever setup there is that invokes the iptable rules.

You won't really break anything by changing the log levels.

If you're changing things using iptables commands from the shell then
it's unlikely any changes are permanent anyway (everything will go back
to how it was.) To make a permanent change you'll need to figure out how
and where the iptables rules are being loaded from when the system comes
up (it might be using iptables-save and iptables-restore or a firewall
script or similar.)

Now I'm not an expert on iptables logging and I'm sure Mick and/or
someone else will respond too.

I think your iptables output is truncated at 80 columns too, so some of
the info is missing at the ends of some of the lines.

Also, I apologize, but I forget exactly which traffic you're trying to
get the port numbers logged for.

But let's go through what's there (apologies if you already know what
I mention:)

First, iptables has different tables that it (netfilter in the kernel)
uses for different purposes. The one you're interested in (and which
you dumped, and which is the default for the iptables command if you don't
specify one) is the filter table.

Other tables that are of interest for other things are the nat table
and, for most people, to a lesser degree the mangle table.

Inside tables there are standard chains of rules and there are
(potentially) user-defined chains.

The path a packet takes in the system determines which tables and chains
are processed.

>
> Chain INPUT (policy DROP)

The filter table INPUT chain is used when a packet is destined for the
box itself (i.e., not sourced on the box and not being forwarded through
the box.)

The policy is to DROP any packets that aren't matched by terminating
rules (e.g., ACCEPT) in the chain.

> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500

These ACCEPT rules allow certain traffic destined for the router itself.

> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:

Other TCP traffic that's not allowed above is dropped if it's a NEW TCP
connection to the router itself (i.e., not a response to TCP traffic
initiated by the router.)

> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABL

This accepts any traffic that's part of a flow initiated from the
router.

> INPUT_UDP udp -- 0.0.0.0/0 0.0.0.0/0

Go process the user defined INPUT_UDP chain if the packet is a UDP
packet. If that chain reaches the end of its rule list without matching
a terminating rule it will return back here (as with all jumps to other
chains.)

> INPUT_TCP tcp -- 0.0.0.0/0 0.0.0.0/0

Go process the user defined INPUT_TCP chain if the packet is a TCP
packet.

> DOS icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8

Go process the user defined DOS chain if the packet is an ICMP
packet with icmp type 8.

> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW

ACCEPT all traffic that's in state NEW to the router. Presumably if a
packet hasn't been dropped above or in the user defined chains then the
router wants to see that traffic.

>
> Chain FORWARD (policy DROP)

The filter table FORWARD chain is used when a packet is being forwarded
by the system. The default policy is to DROP packets not matched by any
terminating rules in the chain.

> target prot opt source destination
> ip_filter all -- 0.0.0.0/0 0.0.0.0/0

Go process the user defined ip_filter chain for all packets.

> POLICY icmp -- 0.0.0.0/0 0.0.0.0/0

Go process the user defined POLICY chain for ICMP packets.

> POLICY udp -- 0.0.0.0/0 0.0.0.0/0

Go process the user defined POLICY chain for UDP packets.

> TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02

Go process the user defined TCPMSS chain for TCP packets with certain
flags set in the packet.

> POLICY tcp -- 0.0.0.0/0 0.0.0.0/0

Go process the user defined POLICY chain for all TCP packets.

> TREND_MICRO tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 http me

Go process the user defined TREND_MICRO chain for TCP traffic destined
for TCP port 80 (HTTP).

> DMZ_PASS all -- 0.0.0.0/0 0.0.0.0/0

Go process the user defined DMZ_PASS chain for all traffic.

> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABL

ACCEPT any traffic that's already been set up (state RELATED or
ESTABLISHED.)

> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW

ACCEPT any traffic that's being initiated.

> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

ACCEPT any traffic.

>
> Chain OUTPUT (policy ACCEPT)

The filter table OUTPUT chain is for traffic sourced by the router
itself. The default policy is to ACCEPT any traffic initiated by the
router.

> target prot opt source destination
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Allow any ICMP packets from the router.

> DROP icmp -- 0.0.0.0/0 0.0.0.0/0 state INVALID

Drop any invalid ICMP packets.

>
> Chain BLOCK (0 references)

User defined chain BLOCK. It's not used by anyone (0 references) so we
can ignore it.

> target prot opt source destination
> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain DMZ_PASS (1 references)
> target prot opt source destination

Empty user defined chain DMZ_PASS.

>
> Chain DOS (6 references)

User defined DOS chain.

> target prot opt source destination
> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 200/sec b

Rate limit TCP packets (return to caller if it's OK).

> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABL

Return to caller if it's a RELATED or ESTABLISHED UDP packet.

> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 200/sec b

Rate limit UDP packets (return to caller if it's OK).

> RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: a

Rate limit ICMP type 8 packets (return to caller if it's OK).

> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec bu

Create a log entry.

> DROP all -- 0.0.0.0/0 0.0.0.0/0

And then drop the packet.

>
> Chain FORWARD_TCP (1 references)

The user defined FORWARD_TCP chain.

> target prot opt source destination
> DOS tcp -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW tc

Call DOS if it's an INVALID or NEW TCP connection.

> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0

Return if it's a TCP packet (it's going to return anyway...).

>
> Chain FORWARD_UDP (1 references)

The user defined FORWARD_UDP chain.

> target prot opt source destination
> DOS udp -- 0.0.0.0/0 0.0.0.0/0

Call DOS if it's a UDP packet.

> RETURN udp -- 0.0.0.0/0 0.0.0.0/0

Return if it's a UDP packet.

>
> Chain HTTP (0 references)

User defined HTTP chain. No one is using it so we can ignore it.

> target prot opt source destination
>
> Chain INPUT_TCP (1 references)

User defined INPUT_TCP chain.

> target prot opt source destination
> SCAN all -- 0.0.0.0/0 0.0.0.0/0 psd weight-threshold

Call SCAN for any packet that's part of a port scanning attempt (as
defined by the parameters to the psd match.)

> DOS tcp -- 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW tc

Call DOS for any INVALID or NEW TCP packet.

> ACCEPT tcp -- 0.0.0.0/0 192.168.0.20 tcp dpt:30443

ACCEPT any TCP packet destined for port 30443 and change the destination
IP address to 192.168.0.20.

> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 23,

DROP any TCP traffic matching destination port 23 and the rest that are
truncated.

> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0

Return if it's a TCP packet.

>
> Chain INPUT_UDP (1 references)

The user defined INPUT_UDP chain.

> target prot opt source destination
> SCAN all -- 0.0.0.0/0 0.0.0.0/0 psd weight-threshold

Call SCAN if it matches the psd match.

> DOS udp -- 0.0.0.0/0 0.0.0.0/0

Call DOS if it's a UDP packet.

> ACCEPT udp -- 68.87.72.13 0.0.0.0/0 udp spt:67 dpt:68

Accept UDP traffic from host 68.87.72.13 with a source port of 67 and a
destination port of 68.

> RETURN udp -- 0.0.0.0/0 0.0.0.0/0

Return if it's a UDP packet.

>
> Chain POLICY (3 references)

User defined POLICY chain.

> target prot opt source destination
> PORT_FORWARD all -- 0.0.0.0/0 0.0.0.0/0

Call PORT_FORWARD for all packets.

> RETURN all -- 0.0.0.0/0 0.0.0.0/0

RETURN for all packets.

>
> Chain PORT_FORWARD (1 references)

User defined PORT_FORWARD chain.

> target prot opt source destination
> DOS icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8

Call DOS if it's an ICMP type 8 packet.

> FORWARD_TCP tcp -- 0.0.0.0/0 0.0.0.0/0

Call FORWARD_TCP if it's a TCP packet.

> FORWARD_UDP udp -- 0.0.0.0/0 0.0.0.0/0

Call FORWARD_UDP if it's a UDP packet.

> RETURN all -- 0.0.0.0/0 0.0.0.0/0

RETURN for any packet.

>
> Chain SCAN (2 references)

User defined SCAN chain.

> target prot opt source destination
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec bu

Log the packet, but not more than 10/sec.

> DROP all -- 0.0.0.0/0 0.0.0.0/0

DROP the packet.

>
> Chain TREND_MICRO (1 references)

User defined TREND_MICRO chain. It doesn't really do anything.

> target prot opt source destination
> RETURN all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain ip_filter (1 references)

User defined ip_filter chain. Doesn't do anything.

> target prot opt source destination
>

OK, so that's what is going on in your iptables.

Without knowing what specific traffic (and the situation) I'm not sure
where to look at the LOG rules. Sorry I forget this.

All this being said, my LOG rules always include source and destination
ports for TCP and UDP traffic.

Can you post (or send me in private email) some of your log output to
look at?

Thanks,

Todd
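Todd's last point is the one that answers Harry's question: the kernel's LOG target writes one `key=value` record per packet (IN=, OUT=, SRC=, DST=, PROTO= and, for TCP and UDP, SPT= and DPT=), so the ports are in the log already, with no extra rule options, and the usual problem is just reading them out of a very long line. The script below is an added example, not code from this thread or from the firewall script being discussed. It parses constructed sample lines in that kernel format (the `FW-DROP:` / `FW-SCAN:` prefixes, addresses and ports are made up for the example), skips lines that are not netfilter output, handles ICMP records (which carry TYPE= and CODE= instead of ports) and tallies hits per destination port, which is what you want when deciding whether a LOG/DROP chain such as SCAN or DOS is firing on the traffic you care about.

```python
"""Extract ports from netfilter LOG lines (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample syslog text in the format the kernel's LOG target emits.
# The prefixes (FW-DROP:, FW-SCAN:) stand for hypothetical --log-prefix values;
# the fourth record has no prefix, which is what a bare LOG rule produces.
SAMPLE_LOG = """\
Apr 28 01:06:10 router kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 28 01:06:11 router kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4243 PROTO=UDP SPT=53777 DPT=5060 LEN=20
Apr 28 01:06:12 router kernel: FW-SCAN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Apr 28 01:06:13 router kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4244 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 28 01:06:14 router sshd[1234]: Accepted publickey for todd from 192.0.2.10 port 4444 ssh2
"""

NF_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
NF_START = re.compile(r"IN=\S*\s+OUT=\S*")
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_line(line):
    """Return the interesting fields of one netfilter LOG line, or None if the
    line is something else (sshd, cron, ...)."""
    m = NF_START.search(line)
    if m is None or "PROTO=" not in line:
        return None
    body = line[m.start():]
    # Whatever sits between the kernel header and IN= is the --log-prefix.
    head = line[:m.start()]
    head = head.split("kernel:", 1)[1] if "kernel:" in head else head
    prefix = re.sub(r"^\s*\[\s*\d+\.\d+\]", "", head).strip()

    fields = {}
    for key, value in NF_FIELD.findall(body):
        # First occurrence wins: IP ID= comes before ICMP ID=, IP LEN= before UDP LEN=.
        fields.setdefault(key, value)
    proto = fields.get("PROTO", "")
    is_icmp = proto == "ICMP"
    return {
        "prefix": prefix,
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": proto,
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "icmp_type": int(fields["TYPE"]) if is_icmp and "TYPE" in fields else None,
        "icmp_code": int(fields["CODE"]) if is_icmp and "CODE" in fields else None,
        # TCP flags are bare tokens (SYN, ACK, ...) rather than key=value pairs.
        "flags": sorted(t for t in body.split() if t in TCP_FLAG_TOKENS) if proto == "TCP" else [],
    }


def parse_log(text):
    """Parse a block of syslog text, keeping only netfilter LOG records."""
    return [rec for rec in map(parse_log_line, text.splitlines()) if rec is not None]


def describe(rec):
    """One-line summary: who talked to which port, or which ICMP type."""
    label = f"{rec['prefix']} " if rec["prefix"] else ""
    if rec["proto"] in ("TCP", "UDP"):
        flags = f" [{','.join(rec['flags'])}]" if rec["flags"] else ""
        return f"{label}{rec['src']}:{rec['spt']} -> {rec['dst']}:{rec['dpt']} {rec['proto']}{flags}"
    if rec["proto"] == "ICMP":
        return f"{label}{rec['src']} -> {rec['dst']} ICMP type {rec['icmp_type']} code {rec['icmp_code']}"
    return f"{label}{rec['src']} -> {rec['dst']} {rec['proto']}"


def destination_port_counts(records):
    """Count hits per (proto, destination port); ICMP has no ports, so key it by type."""
    counts = Counter()
    for rec in records:
        if rec["proto"] == "ICMP":
            counts[("ICMP", f"type {rec['icmp_type']}")] += 1
        else:
            counts[(rec["proto"], rec["dpt"])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(describe(rec))
    for (proto, port), n in destination_port_counts(recs).most_common():
        print(f"{proto:5} {port!s:8} {n}")
```

Run it against `/var/log/messages` (or wherever your syslog sends kernel messages) instead of `SAMPLE_LOG` to see which LOG rule is producing entries. If the rules were loaded with `--log-prefix`, that prefix is the only thing that distinguishes the SCAN, DOS and BLOCK log lines from each other; `iptables -L` shows a configured prefix after the `level` field, which in the dump above is cut off by the 80-column truncation, and `iptables-save` prints every rule in command-line syntax, so it is the easier place to check the LOG options without that truncation.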