Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
How to log crackers with ipchains?
- Thread starter haux
- Start date
#/bin/sh
#example webserver and ftp
#globals
trusted="netblock or trusted hosts"
ourbox="server address"
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
(standalone machine)
ipchains -A input -s ! $trusted -d $ourbox -p tcp --dport 80 -j ACCEPT -l
ipchains -A input -s ! $trusted -d $ourbox -p tcp --dport 20:21 -j ACCEPT -l
ipchains -A input -s ! $trusted -d $ourbox -p udp --dport 20:21 -j ACCEPT -l
Happy Holidays.
#example webserver and ftp
#globals
trusted="netblock or trusted hosts"
ourbox="server address"
ipchains -F
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
(standalone machine)
ipchains -A input -s ! $trusted -d $ourbox -p tcp --dport 80 -j ACCEPT -l
ipchains -A input -s ! $trusted -d $ourbox -p tcp --dport 20:21 -j ACCEPT -l
ipchains -A input -s ! $trusted -d $ourbox -p udp --dport 20:21 -j ACCEPT -l
Happy Holidays.
- Thread starter
- #3
- Thread starter
- #4
I had made a test with a machine with kernel2.4 (iptables), i have seen the logs in the /var/log/messages (made by kernel), but with our firewall (kernel 2.4) the option "-l" was always there, but no logs in the /var/log/messages
I suppose that, it is the configuration of the syslog deamon, can somebody tell me an idea because i am lost
(
I suppose that, it is the configuration of the syslog deamon, can somebody tell me an idea because i am lost
(Hi,
With iptables the logging is different to ipchains. For example, you might have something like this to LOG and DROP all other tcp traffic after your ACCEPT rules :
/sbin/iptables -A INPUT -i eth0 -p tcp -j LOG --log-prefix "TCP-IN: "
/sbin/iptables -A INPUT -i eth0 -p tcp -j DROP
/sbin/iptables -A OUTPUT -o eth0 -p tcp -j LOG --log-prefix "TCP-OUT: "
/sbin/iptables -A OUTPUT -o eth0 -p tcp -j DROP
Basically, you have two rules instead of one for each logging. The first one would do the logging and the second one would perform that actual filtering - DROP or ACCEPT, etc. The --log-prefix parameter is something you can use to customise log entries for easier analysis. You can also use --log-level if you like. You also need to load the LOG module if it isn't already loaded :
/sbin/modprobe ipt_LOG
Hope this helps
With iptables the logging is different to ipchains. For example, you might have something like this to LOG and DROP all other tcp traffic after your ACCEPT rules :
/sbin/iptables -A INPUT -i eth0 -p tcp -j LOG --log-prefix "TCP-IN: "
/sbin/iptables -A INPUT -i eth0 -p tcp -j DROP
/sbin/iptables -A OUTPUT -o eth0 -p tcp -j LOG --log-prefix "TCP-OUT: "
/sbin/iptables -A OUTPUT -o eth0 -p tcp -j DROP
Basically, you have two rules instead of one for each logging. The first one would do the logging and the second one would perform that actual filtering - DROP or ACCEPT, etc. The --log-prefix parameter is something you can use to customise log entries for easier analysis. You can also use --log-level if you like. You also need to load the LOG module if it isn't already loaded :
/sbin/modprobe ipt_LOG
Hope this helps
- Status
