NTP, ntpdate, and ISP-based firewall

jdow jdow at earthlink.net
Thu Mar 4 21:56:27 UTC 2004


From: "Don Levey" <fedora-list at the-leveys.us>

> fedora-list-admin at redhat.com wrote:
>
> > No, there is no difference between REJECT and DROP in that issue. To
> > log REJECTs and DROPs (I dislike DROP much) you have to set up proper
> > logging rules with iptables. As an example you might log events with
> > something like:
> >
> > iptables -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags
> > FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 10/min -j LOG
> > --log-prefix "NMAP-XMAS SCAN: " --log-level 7 --log-tcp-options
> > --log-ip-options
> >
>
> And just as I was looking into how to log events...
> Two quick questions:
> 1) Since placement matters, should I put this at the beginning of my
> iptables file, or at the end?
> 2) Is that all one line, or four (as above)?

I set it up this way, Don. (The last few lines are the magic. The first
part shows how I delete the rules when rebuilding the firewall.)
--8<--
...<Some rules above are not shown for brevity's sake>...
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z


#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will go to ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

...<Below here the firewall is constructed in stages>...
--8<--

Now, what I wish I could do is have that drop and log it rule include
a variable line number parameter.... Ah well. IPTables is diseased for
lack of line number reporting in its log messages. That is a SERIOUS
lack, IMAO.

{^_^}
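Added example (not jdow's script or anything from the Fedora list): since a user chain such as drop-and-log-it cannot take a parameter, the per-rule identification the post wishes for can be had by putting the LOG rule, with its own --log-prefix, at each call site immediately before the matching DROP. It also answers the two quoted questions: the four lines are one command (here continued with backslashes), and each LOG must sit before the DROP for the same traffic because LOG does not terminate the packet. IPTABLES defaults to echo so the script can be reviewed as a dry run; the interface name, the tags and the sample RFC1918 rule are assumptions.

```shell
#!/bin/sh
# Added example: tag every log-and-drop pair with a rule-specific prefix so
# the kernel log shows which rule matched. IPTABLES defaults to echo (dry
# run); set IPTABLES=/sbin/iptables to apply it (assumed path).
IPTABLES=${IPTABLES:-echo}
IFACE=${IFACE:-ppp0}          # external interface, as in the quoted mail

# deny TAG [match args...]: log with "FW-DROP[TAG]: " at --log-level info
# (kernel log only, not every vty), rate limited, then drop. LOG is
# non-terminating, so the two rules must stay adjacent and in this order.
deny() {
    tag=$1; shift
    $IPTABLES -A INPUT -i "$IFACE" "$@" \
        -m limit --limit 10/min -j LOG --log-level info \
        --log-prefix "FW-DROP[$tag]: " --log-tcp-options --log-ip-options
    $IPTABLES -A INPUT -i "$IFACE" "$@" -j DROP
}

# build_ruleset: the ordered policy. Put these before any rule that would
# ACCEPT the same packets, otherwise they are never reached. Afterwards
# "grep 'FW-DROP\[xmas\]' /var/log/messages" finds exactly the XMAS hits.
build_ruleset() {
    # One logical rule written over two lines: the four lines in the
    # quoted mail are likewise a single iptables command.
    deny xmas -p tcp -m tcp --tcp-flags \
        FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
    deny nullscan -p tcp -m tcp --tcp-flags \
        FIN,SYN,RST,PSH,ACK,URG NONE
    deny privsrc -s 10.0.0.0/8   # private source address on the external link
}

# count_tags: number of tagged LOG rules the ruleset generates; with
# IPTABLES=echo every rule is printed rather than applied.
count_tags() {
    build_ruleset | grep -c -- '--log-prefix FW-DROP\['
}

build_ruleset
```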
