logging iptables - Security



Thread: logging iptables

  1. logging iptables

    Just starting with iptables to protect a bastion host.

    I start with disabling everything for the INPUT, FORWARD and OUTPUT
    chain by defining a general and restrictive DROP policy:

    # Default rules
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT ACCEPT

    Then, I open what is needed for the services running on the host.

    At this stage, I would like to check for all false positives. How can I
    log all IP packets rejected by the general DROP policy?

    That policy selector does not accept LOG as a target.


  2. Re: logging iptables

    ripat wrote:
    > Just starting with iptables to protect a bastion host.
    >
    > I start with disabling everything for the INPUT, FORWARD and OUTPUT
    > chain by defining a general and restrictive DROP policy:
    >
    > # Default rules
    > iptables -t filter -P INPUT DROP
    > iptables -t filter -P FORWARD DROP
    > iptables -t filter -P OUTPUT ACCEPT
    >
    > Then, I open what is needed for the services running on the host.
    >
    > At this stage, I would like to check for all false positives. How can I
    > log all IP packets rejected by the general DROP policy?
    >
    > That policy selector does not accept LOG as a target.



    You have to include the LOG rule as the last rule in the
    INPUT and FORWARD chains. The packets ending at the
    policy rule will drop off the end of the chain. If
    you have a logging rule matching all packets that have come
    so far, the packets will be logged.

    HTH

    --

    Tauno Voipio
    tauno voipio (at) iki fi

  3. Re: logging iptables

    I suggest you flush any rule and remove any user defined chains at the
    beginning of your firewall script, before setting the policies.

    something like this:

    # A Sample
    #
    # remove any user-defined chains
    iptables -X
    # flush all the rules
    iptables -F

    # now set the policies
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT ACCEPT

    # and log everything that gets dropped
    # if you then add something to the INPUT and FORWARD chains, make sure these two
    # rules are at the end of these chains
    iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DROP --"
    iptables -A FORWARD -j LOG --log-level debug --log-prefix "FWD DROP --"

    ===
    the script above makes it log everything before reaching the default
    policy in INPUT and FORWARD chains.

    Hope it helps
    --
    Mehdi Sarmadi
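
    Once the LOG rules above are in place, the next step in the thread (checking for false positives) means reading the kernel log. The following script is an added example, not code from this thread: it parses the key=value lines the netfilter LOG target writes using the "INPUT DROP --" prefix from Mehdi's script, counts drops per protocol/port, and flags any that hit a service you meant to open; the log lines are constructed samples and the service list is an assumption.

```python
import re
from collections import Counter

# Log prefix from the LOG rule in the script above (assumed unchanged on the host).
LOG_PREFIX = "INPUT DROP --"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in the key=value format the netfilter LOG target
# writes to the kernel log; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:01:12 bastion kernel: INPUT DROP --IN=eth0 OUT= MAC=00:0c:29:3e:4f:50:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:13 bastion kernel: INPUT DROP --IN=eth0 OUT= MAC=00:0c:29:3e:4f:50:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:20 bastion kernel: INPUT DROP --IN=eth0 OUT= MAC=00:0c:29:3e:4f:50:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:25 bastion kernel: INPUT DROP --IN=eth0 OUT= MAC=00:0c:29:3e:4f:50:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 10:01:30 bastion sshd[812]: Accepted publickey for ops from 192.0.2.11 port 40010 ssh2
"""

def parse_drop_line(line):
    """Return the key=value fields of a kernel LOG line with our prefix, else None."""
    marker = "kernel: " + LOG_PREFIX
    idx = line.find(marker)
    if idx < 0:
        return None  # not a drop log line (or a rule with a different prefix)
    return dict(FIELD_RE.findall(line[idx + len(marker):]))

def summarize_drops(log_text, opened_services):
    """Count drops per (PROTO, DPT) and return, separately, the subset that hit
    a service the firewall was meant to allow: a false positive worth a rule check."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_drop_line(line)
        if fields is not None:
            counts[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    false_positives = {svc: n for svc, n in counts.items() if svc in opened_services}
    return counts, false_positives

if __name__ == "__main__":
    # Hypothetical list of services this bastion is supposed to accept.
    counts, fps = summarize_drops(SAMPLE_LOG, {("TCP", "22"), ("UDP", "123")})
    for (proto, port), n in counts.most_common():
        print(f"{proto}/{port}: {n} dropped")
    for svc in fps:
        print("service you meant to open is still being dropped:", svc)
```

    Feed it the output of `journalctl -k` or /var/log/kern.log, depending on the distribution. The LOG rules in the script above have no rate limit, so on an internet-facing bastion an `-m limit` match in front of them keeps a scan from flooding the log.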


  4. Re: logging iptables

    That was exactly it!

    I think I start to understand why it was called ipchains before!

    Thanks a lot.

    JL Lacroix.


  5. Re: logging iptables

    I only posted a portion of my iptables script. I do flush all rules
    before I start defining rules.

    But your post was useful as I didn't know one could flush the user
    rules as well.

    Thanks Mehdi.

