NTP, ntpdate, and ISP-based firewall
jdow
jdow at earthlink.net
Thu Mar 4 21:56:27 UTC 2004
From: "Don Levey" <fedora-list at the-leveys.us>
> fedora-list-admin at redhat.com wrote:
>
> > No, there is no difference between REJECT and DROP in that issue. To
> > log REJECTs and DROPs (I dislike DROP much) you have to set up proper
> > logging rules with iptables. As an example you might log events with
> > something like:
> >
> > iptables -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags
> > FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 10/min -j LOG
> > --log-prefix "NMAP-XMAS SCAN: " --log-level 7 --log-tcp-options
> > --log-ip-options
> >
>
> And just as I was looking into how to log events...
> Two quick questions:
> 1) Since placement matters, should I put this at the beginning of my
> iptables file, or at the end?
> 2) Is that all one line, or four (as above)?
I set it up this way, Don. (The last few lines are the magic. The first
part shows how I delete the rules when rebuilding the firewall.)
--8<--
...<Some rules above are not shown for brevity's sake>...
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
    $IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
#Configuring specific CHAINS for later use in the ruleset
#
# NOTE: Some users prefer to have their firewall silently
# "DROP" packets while others prefer to use "REJECT"
# to send ICMP error messages back to the remote
# machine. The default is "REJECT" but feel free to
# change this below.
#
# NOTE: Without the --log-level set to "info", every single
# firewall hit will go to ALL vtys. This is a very big
# pain.
#
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP
...<Below here the firewall is constructed in stages>...
--8<--
Now, what I wish I could do is have that drop and log it rule include
a variable line number parameter.... Ah well. IPTables is diseased for
lack of line number reporting in its log messages. That is a SERIOUS
lack, IMAO.
{^_^}
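As an added example (not part of jdow's post or his firewall script), here is the same drop-and-log-it idea written so that every log line names the rule that produced it, using --log-prefix, which is the nearest thing iptables offers to the rule-number reporting wished for above. The ppp0 interface name and the prefix strings are assumptions; the script only prints the commands it would run unless invoked with --apply, which needs root on a Linux box with netfilter.

```shell
#!/bin/sh
# Added example, not jdow's script: a drop-and-log-it chain whose LOG rule
# carries a --log-prefix tag, plus rate limiting. WAN and the prefix strings
# are constructed for this example. Without --apply the commands are only
# printed (dry run); with --apply they are executed.
IPTABLES="${IPTABLES:-iptables}"
WAN="${WAN:-ppp0}"
APPLY=0
if [ "$1" = "--apply" ]; then APPLY=1; fi

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# The prefix is the practical substitute for rule-number reporting: grep
# the kernel log for the tag and you know which rule matched.
build_firewall() {
    run "$IPTABLES" -F INPUT
    # Delete the user chain only if it already exists (iptables -n -L <chain>
    # fails when it does not); -X needs the chain flushed and unreferenced.
    if [ "$APPLY" = 1 ] && "$IPTABLES" -n -L drop-and-log-it >/dev/null 2>&1; then
        run "$IPTABLES" -F drop-and-log-it
        run "$IPTABLES" -X drop-and-log-it
    fi
    run "$IPTABLES" -N drop-and-log-it
    # --limit keeps a scan from flooding the log; --log-level info keeps
    # the hits off the consoles.
    run "$IPTABLES" -A drop-and-log-it -m limit --limit 10/min \
        -j LOG --log-level info --log-prefix "FW-DROP: "
    run "$IPTABLES" -A drop-and-log-it -j DROP

    # Placement: rules match in order, so permits go first and the catch-all
    # jump goes last. A rule may span several script lines with backslash
    # continuations and is still one iptables command ("one line or four?").
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$WAN" -p tcp --tcp-flags \
        FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG \
        -m limit --limit 10/min -j LOG --log-level info \
        --log-prefix "NMAP-XMAS SCAN: "
    run "$IPTABLES" -A INPUT -i "$WAN" -j drop-and-log-it
}

build_firewall
```

Once applied, `iptables -L INPUT -n --line-numbers` shows the rule order, and `grep 'FW-DROP:' /var/log/messages` pulls out exactly the hits from the catch-all chain.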