Configure iptables to not log certain hits

My Fedora Core 4 firewall logs are filled with annoying attempts
to find open ports 1026 or 1027. Evidently, they are looking
for unpatched MS IIS servers, which they obviously won't find on
my machine. I would like to stop the logging of their pings. Here
are the options I'm considering:

1. Create a script that would parse my firewall logs for IP
addresses that ping my computer for these ports, then modify the
routing table with a command such as this:

route add -host reject

Doing this would certainly stop their ping attempts, but it also
eliminates all communication with that IP address, such as http
(port 80). Perhaps this is the reason that the manpage
discourages using the routing table as a super-strength firewall.

2. Create a script similar to, which parses firewall
logs for ssh login attempts, then uses the DenyHosts
configuration to decide which IP addresses to add to the
/etc/hosts.deny file. In my script, I would parse firewall logs
for IPs that tried to ping me at ports 1026 or 1027, then add
them to /etc/hosts.deny. I do not believe this will stop the log
entries from being made because hosts.deny is consulted only when
an xinet-controlled program is initiated, such as ssh, ftp, etc.

3. Add an iptables command that stops logging events that relate
to port 1026 or 1027. This option appeals to me, but I have one
concern. Suppose an authorized person uses scp to copy files
to/from my machine, and in the process is assigned port 1027 to
form the secure connection. Unless carefully crafted, the
iptables command could result in scp connections not being logged.

So, here are my questions:

1. What iptables command should I use to block the log entries?
Bear in mind that I'm a newbie when it comes to manipulating
netfilter with the iptables command.

2. Is there a way to prevent programs like scp from choosing a
specific port range when establishing a connection?

Re: Configure iptables to not log certain hits


Netfilter doesn't automatically log anything AFAIK. You must have a line in
one of your chains that is doing the logging, i.e. has a -j LOG on the end.
Amend that rule so it doesn't match the packets you don't want to be
logged. You can also do other stuff like applying rate limits so your log
files don't get too big fast.


Re: Configure iptables to not log certain hits

do this:
you might want to add this to a startup script or firewall ruleset at
start time:

if you want to block icmp (ping) [ this one blocks ALL icmp, nobody can
ping your box]

iptables -t filter -A INPUT -p icmp -j DROP

(if you want to block probes on a desired port)
# ICMP carries no port numbers, so --dport cannot be used with -p icmp;
# the all-ICMP rule above is the only way to drop it
iptables -t filter -A INPUT -p tcp --dport 1025:1206 -j DROP
iptables -t filter -A INPUT -p udp --dport 1025:1206 -j DROP

this blocks TCP, UDP, and ICMP packets to those ports..

you might also do something nice... BLOCK everything... nothing goes
in, then you start adding rules to allow traffic

This is an example:
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state.
# Also protects against IP spoofing

SYSCTLW="/sbin/sysctl -q -w"
IPTABLES="/sbin/iptables"

$SYSCTLW net.ipv4.conf.all.rp_filter=1

# Enable logging of packets with malformed IP addresses,
# Disable redirects,
# Disable source routed packets,
# Disable acceptance of ICMP redirects,
# Turn on protection from Denial of Service (DOS) attacks,
# Disable responding to ping broadcasts,
# Enable IP routing. Required if your firewall is protecting a network,
# NAT included

$SYSCTLW net.ipv4.conf.all.log_martians=1
$SYSCTLW net.ipv4.conf.all.send_redirects=0
$SYSCTLW net.ipv4.conf.all.accept_source_route=0
$SYSCTLW net.ipv4.conf.all.accept_redirects=0
$SYSCTLW net.ipv4.tcp_syncookies=1
$SYSCTLW net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTLW net.ipv4.ip_forward=1

# Firewall initialization, remove everything, start with clean tables
$IPTABLES -F      # remove all rules
$IPTABLES -X      # delete all user-defined chains

$IPTABLES -P INPUT DROP   # change Policies
$IPTABLES -P FORWARD DROP # change Policies

# allow everything for loop device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow previously established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new connections to the services offered (add ports to the list)
for PORT in 22; do
    $IPTABLES -A INPUT -p tcp --dport $PORT -j ACCEPT
done

# Create a chain for logging all dropped packets, then dropping them
$IPTABLES -N LOG_DROP
$IPTABLES -A LOG_DROP -j LOG --log-prefix "Attack log: "
$IPTABLES -A LOG_DROP -j DROP

$IPTABLES -A INPUT -j LOG_DROP    # drop all incoming
$IPTABLES -A FORWARD -j LOG_DROP  # drop all forwarded
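The following script is an added example, not code from the thread or from any of its posters. It puts the second reply's advice into practice on the ruleset pattern shown above: the probes to 1026/1027 are dropped by a rule placed before the LOG_DROP chain, so they never reach the LOG rule, while the ESTABLISHED,RELATED rule placed first means an scp session (which runs over sshd on port 22, assumed here) is accepted before the quiet drop regardless of which ephemeral port it was assigned. The LOG rule is also rate-limited. The chain name LOG_DROP and the "Attack log: " prefix are borrowed from the script above; the state match module is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread. IPTABLES can be overridden
# (e.g. IPTABLES=echo) to dry-run and inspect the rule order.
IPTABLES="${IPTABLES:-/sbin/iptables}"
NOISY_PORTS="1026:1027"   # the probe targets named in the original post

build_rules() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    # Loopback, then packets belonging to connections already tracked.
    # An scp session whose ephemeral port happens to be 1027 is accepted
    # here and never reaches the quiet drop below, so it is not hidden.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services offered to the outside (scp rides on sshd, port 22)
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Quiet drop: unsolicited probes to 1026/1027 are discarded here,
    # before the logging chain, so they never produce a log line.
    $IPTABLES -A INPUT -p tcp --dport "$NOISY_PORTS" -m state --state NEW -j DROP
    $IPTABLES -A INPUT -p udp --dport "$NOISY_PORTS" -j DROP

    # Everything else: log (rate-limited so a flood cannot fill the disk), then drop
    $IPTABLES -N LOG_DROP
    $IPTABLES -A LOG_DROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "Attack log: " --log-level 4
    $IPTABLES -A LOG_DROP -j DROP
    $IPTABLES -A INPUT -j LOG_DROP
    $IPTABLES -A FORWARD -j LOG_DROP
}

# Succeeds only when the quiet-drop rule is ordered before the LOG rule.
# Works on a dry-run listing, so it needs neither root nor netfilter.
quiet_drop_precedes_log() {
    rules=$(IPTABLES=echo; build_rules)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $NOISY_PORTS" | head -n 1 | cut -d: -f1)
    log_line=$(printf '%s\n' "$rules" | grep -n -- "-j LOG " | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$log_line" ] && [ "$drop_line" -lt "$log_line" ]
}

# Apply for real only when explicitly asked: sh thisscript.sh apply (as root)
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Run `IPTABLES=echo sh thisscript.sh apply` to print the rules in order without touching netfilter.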

Re: Configure iptables to not log certain hits


This works... as long as you _always_ use this script after a boot or a
restart.  There are times when one, or the other, of these services can
be restarted (rpm can do this) without your really knowing about it.  In
the long run it's better to put the settings where they go rather than
mixing them together.

The sysctl changes should be placed into '/etc/sysctl.conf' in order for
them to be persistent.  After you change the file, run the command
'sysctl -np' to activate them.  While you're in that config file,
add/confirm that you have lines something like...

# Anti-spoofing blocks
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Ensure source routing is OFF
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
# Ensure TCP SYN cookies protection is enabled
net.ipv4.tcp_syncookies = 1
# Establish better keepalive values
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 600
# Ensure ICMP redirects are disabled
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
# Ensure oddball addresses are logged (1 enables martian logging)
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
# Control wild ICMP traffic
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

After you have your netfilter rules as you like them (that script is a
good approach/starting point), you should make them persistent with a
command like '/etc/init.d/iptables save'

The last point I should touch on is that iptables modules should be
added to '/etc/sysconfig/iptables-config'.  (name may vary from distro
to distro) If you are running a nat firewall, then you may want to
change your config to have a line like

IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp ip_nat_irc"

Hope that helps

Bradley W. Olin                          "do or do not, there is no try" Yoda
