logging iptables

Just starting with iptables to protect a bastion host.

I start with disabling everything for the INPUT, FORWARD and OUTPUT
chain by defining a general and restrictive DROP policy:

  # Default rules
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  iptables -t filter -P OUTPUT ACCEPT

Then, I open what is needed for the services running on the host.

At this stage, I would like to check for all false positives. How can I
log all IP packets rejected by the general DROP policy?

That policy selector does not accept LOG as a target.

Re: logging iptables

ripat wrote:

You have to include the LOG rule as the last rule in the
INPUT and FORWARD chains. The packets ending at the
policy rule will drop off the end of the chain. If
you have a logging rule matching all packets that have come
that far, you'll have the packets logged.



Tauno Voipio
tauno voipio (at) iki fi

Re: logging iptables

I suggest you flush any rule and remove any user defined chains at the
beginning of your firewall script, before setting the policies.

something like this:

# A Sample
# remove any user-defined chains
iptables -X
# flush all the rules
iptables -F

# now set the policies
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# and log everything that gets dropped
# if you add something to the INPUT and FORWARD chains later, make sure
# these two rules stay at the end of those chains
iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DROP --"
iptables -A FORWARD -j LOG --log-level debug --log-prefix "FWD DROP --"

the script above makes it log everything before reaching the default
policy in INPUT and FORWARD chains.

Hope it helps
Mehdi Sarmadi
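Once those LOG rules are in place, the remaining work is reading the kernel log to see which legitimate traffic is hitting the DROP policy. The following is an added example, not part of this thread: a small Python script that parses kernel log lines in the LOG target's KEY=VALUE format (with the "INPUT DROP --" / "FWD DROP --" prefixes from Mehdi's script) and tallies dropped packets by service and by source address. The log lines embedded in it are constructed samples; the hostname, addresses and field values are assumed, and the lines are taken from wherever your syslog daemon writes kernel messages (or from dmesg).

```python
import re
from collections import Counter

# Constructed sample syslog lines, in the format the iptables LOG target
# writes with the "INPUT DROP --" / "FWD DROP --" prefixes used above.
# Note the missing space after "--": the prefix runs straight into IN=.
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion kernel: INPUT DROP --IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:03 bastion kernel: INPUT DROP --IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:09 bastion kernel: INPUT DROP --IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 10:01:15 bastion kernel: FWD DROP --IN=eth0 OUT=eth1 SRC=192.0.2.9 DST=10.0.0.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
Mar  3 10:01:20 bastion kernel: usb 1-1: new high-speed USB device
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict of the LOG target's KEY=VALUE fields plus the log prefix,
    or None for kernel messages that are not firewall log entries.
    Bare flags (DF, SYN, ...) carry no '=' and are ignored; a repeated key
    (ICMP prints ID= twice, UDP prints LEN= twice) keeps the last value."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    fields["PREFIX"] = m.group("prefix").rstrip(" -")
    return fields


def summarize(log_text):
    """Aggregate dropped packets two ways: by (prefix, protocol, destination
    port) to spot a blocked service, and by source address to spot one host
    that keeps hitting the policy."""
    by_service = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        by_service[(f["PREFIX"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        by_source[f.get("SRC", "?")] += 1
    return by_service, by_source


if __name__ == "__main__":
    services, sources = summarize(SAMPLE_LOG)
    for (prefix, proto, dpt), n in services.most_common():
        print(f"{n:4d}  {prefix:<11} {proto:<5} dpt={dpt}")
    for src, n in sources.most_common():
        print(f"{n:4d}  from {src}")
```

A service that shows up repeatedly here from expected clients is a false positive to open with an ACCEPT rule placed before the LOG rule.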

Re: logging iptables

I only posted a portion of my iptables script. I do flush all rules
before I start defining rules.

But your post was useful as I didn't know one could flush the user
rules as well.

Thanks Mehdi.

Re: logging iptables

That was exactly it!

I think I start to understand why it was called ipchains before!

Thanks a lot.

JL Lacroix.
