Gentoo Forums :: Networking & Security
[solved] iptables : logging dropped packets
Jimini (Guru)
Posted: Thu Sep 23, 2010 5:02 am    Post subject: [solved] iptables : logging dropped packets

Hi there,
I've got a general question: how do I make iptables log all packets that have been dropped? As far as I know, the default policy can only be ACCEPT, QUEUE, DROP or RETURN (my script drops all packets that don't match one of my rules).
I tried to append the following rules at the end of my script, but with them, iptables logged _all_ packets.
Code:
iptables -A INPUT -j LOG --log-prefix "iptables - INPUT: "
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-prefix "iptables - OUTPUT: "
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j LOG --log-prefix "iptables - FORWARD: "
iptables -A FORWARD -j DROP


All I need is something like a default policy - if a packet is not handled by any of my rules, I want it to be logged and dropped. I'm sure that this is no complicated thing, but I just don't get it.

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)


Last edited by Jimini on Fri Sep 24, 2010 6:44 am; edited 1 time in total
truc (Advocate)
Posted: Thu Sep 23, 2010 6:00 am

Well, you did it the right way. Strange that it doesn't work for you.

Are you sure those rules really appear as the last one of each chain in iptables-save?
_________________
The End of the Internet!
Jimini (Guru)
Posted: Thu Sep 23, 2010 6:25 am

I tested my modified script again, but iptables still seems to log everything - yesterday I forgot to comment the new rules out, and after 12 hours I had about 120000 new lines in my logfile.
Code:
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=212.50.93.30 DST=MY_IP LEN=353 TOS=0x00 PREC=0x00 TTL=115 ID=10540 PROTO=UDP SPT=43198 DPT=51413 LEN=333
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=83.46.166.228 DST=MY_IP LEN=126 TOS=0x00 PREC=0x00 TTL=112 ID=3947 PROTO=UDP SPT=15657 DPT=51413 LEN=106
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=188.20.6.30 DST=MY_IP LEN=95 TOS=0x00 PREC=0x00 TTL=116 ID=42874 PROTO=UDP SPT=53973 DPT=51413 LEN=75
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=58.54.191.252 DST=MY_IP LEN=126 TOS=0x00 PREC=0x00 TTL=114 ID=5769 PROTO=UDP SPT=15990 DPT=51413 LEN=106
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=109.165.231.254 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=116 ID=9127 PROTO=UDP SPT=25763 DPT=51413 LEN=111
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=41.204.136.88 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=23833 PROTO=UDP SPT=17615 DPT=51413 LEN=111
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.169.173.201 DST=MY_IP LEN=134 TOS=0x00 PREC=0x00 TTL=118 ID=4620 PROTO=UDP SPT=51869 DPT=51413 LEN=114
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=98.229.187.247 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=6569 PROTO=UDP SPT=54098 DPT=51413 LEN=111
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.234.187 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=52143 DF PROTO=TCP SPT=10251 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.234.187 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=52523 DF PROTO=TCP SPT=10251 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=173.244.214.166 DST=MY_IP LEN=40 TOS=0x00 PREC=0x00 TTL=98 ID=36900 PROTO=TCP SPT=80 DPT=49239 WINDOW=65535 RES=0x00 ACK SYN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=220.173.123.121 DST=MY_IP LEN=126 TOS=0x00 PREC=0x00 TTL=112 ID=45623 PROTO=UDP SPT=13106 DPT=51413 LEN=106
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=67.175.110.73 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=12931 PROTO=UDP SPT=32204 DPT=51413 LEN=111
iptables - FORWARD: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=94.228.210.41 LEN=263 TOS=0x00 PREC=0x00 TTL=63 ID=41029 DF PROTO=TCP SPT=40930 DPT=2710 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111


iptables-save:
Code:
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*security
:INPUT ACCEPT [159942531:42084578692]
:FORWARD ACCEPT [1400846537:768955115177]
:OUTPUT ACCEPT [234867474:266999892698]
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*raw
:PREROUTING ACCEPT [1294660393:689687978973]
:OUTPUT ACCEPT [136441918:170830348724]
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*nat
:PREROUTING ACCEPT [15:1392]
:POSTROUTING ACCEPT [2:108]
:OUTPUT ACCEPT [4:276]
-A PREROUTING -i eth0 -p udp -m udp --dport 20534 -j DNAT --to-destination 10.0.0.2:20534
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20530 -j DNAT --to-destination 10.0.0.2:20530
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9999 -j DNAT --to-destination 10.0.0.2:9999
-A PREROUTING -i eth0 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
-A PREROUTING -s 10.0.0.0/24 -d 10.0.0.1/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.1:10101
-A PREROUTING -s X.X.8.5/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.1:10101
-A PREROUTING -s X.X.184.67/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.1:10101
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*mangle
:PREROUTING ACCEPT [603:335223]
:INPUT ACCEPT [89:6923]
:FORWARD ACCEPT [514:328300]
:OUTPUT ACCEPT [47:4903]
:POSTROUTING ACCEPT [542:309317]
COMMIT
# Completed on Thu Sep 23 08:05:26 2010
# Generated by iptables-save v1.4.6 on Thu Sep 23 08:05:26 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:OUTPUTROP - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -s X.X.160.30/32 -j DROP
-A INPUT -s 10.0.0.0/24 -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth1 -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 -i eth1 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6668 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8033 -m state --state NEW -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10101 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 ! -i eth1 -j DROP
-A INPUT -s 127.0.0.1/32 ! -i lo -j DROP
-A INPUT -s X.X.144.59/32 ! -i eth0 -j DROP
-A INPUT -s 10.0.0.0/24 ! -i eth1 -j LOG --log-prefix "iptables - SPOOFING eth1: "
-A INPUT ! -s 10.0.0.0/24 ! -i eth0 -j LOG --log-prefix "iptables - SPOOFING eth0: "
-A INPUT -j LOG --log-prefix "iptables - INPUT: " --log-level 5
-A INPUT -j DROP
-A FORWARD -d X.X.160.30/32 -j DROP
-A FORWARD -p udp -m udp --dport 20534 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 20530 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 9999 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 51413 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/24 ! -i eth1 -j DROP
-A FORWARD -s 127.0.0.0/32 ! -i lo -j DROP
-A FORWARD -s 1.0.0.0/32 ! -i lo -j DROP
-A FORWARD -s X.X.144.59/32 ! -i eth0 -j DROP
-A FORWARD -s 10.0.0.0/24 ! -i eth1 -j LOG --log-prefix "iptables - SPOOFING eth1: "
-A FORWARD ! -s 10.0.0.0/24 ! -i eth0 -j LOG --log-prefix "iptables - SPOOFING eth0: "
-A FORWARD -j LOG --log-prefix "iptables - FORWARD: " --log-level 5
-A FORWARD -j DROP
-A OUTPUT -d X.X.160.30/32 -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -o eth1 -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.186.130/32 -o eth0 -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.58.13/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.100.175/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.91.35/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -o eth1 -p tcp -m tcp --dport 5001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6668 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d X.X.249.201/32 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.249.102/32 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.10.46/32 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A OUTPUT -d X.X.34.228/32 -o eth0 -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "iptables - OUTPUT: " --log-level 5
-A OUTPUT -j DROP
COMMIT
# Completed on Thu Sep 23 08:05:26 2010


I hope this output helps you.

Best regards,
Jimini
truc (Advocate)
Posted: Thu Sep 23, 2010 9:35 am

Jimini wrote:
Code:
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=212.50.93.30 DST=MY_IP LEN=353 TOS=0x00 PREC=0x00 TTL=115 ID=10540 PROTO=UDP SPT=43198 DPT=51413 LEN=333
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=83.46.166.228 DST=MY_IP LEN=126 TOS=0x00
...
iptables - FORWARD: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=94.228.210.41 LEN=263 TOS=0x00 PREC=0x00 TTL=63 ID=41029 DF PROTO=TCP SPT=40930 DPT=2710 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111


This doesn't look like “all traffic” to me. Check whether this is legitimate traffic or not; it's UDP only, it seems, so maybe something like Skype?
Jimini (Guru)
Posted: Thu Sep 23, 2010 10:05 am

Code:
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=212.50.93.30 DST=MY_IP LEN=353 TOS=0x00 PREC=0x00 TTL=115 ID=10540 PROTO=UDP SPT=43198 DPT=51413 LEN=333

Bittorrent

Code:
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=83.46.166.228 DST=MY_IP LEN=126 TOS=0x00 ...

Can't figure out what this is.

Code:
iptables - FORWARD: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=94.228.210.41 LEN=263 TOS=0x00 PREC=0x00 TTL=63 ID=41029 DF PROTO=TCP SPT=40930 DPT=2710 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0

I assume this is my edonkey-client.

Code:
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111

Bittorrent

The lines from my log I quoted above were just an example. Most of them only show (wanted) traffic from or to 10.0.0.2:51413.

Best regards,
Jimini
truc (Advocate)
Posted: Thu Sep 23, 2010 3:47 pm

Jimini wrote:
Code:
iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111

Bittorrent

The lines from my log I quoted above were just an example. Most of them only show (wanted) traffic from or to 10.0.0.2:51413.


From what I can see, the log only shows DROPped traffic, even if this is wanted traffic. If I take this UDP traffic to DPT 51413, I don't see it ACCEPTed anywhere in the INPUT chain, but I do see some TCP rules for this port ;) (PREROUTING & FORWARD)


Last edited by truc on Fri Sep 24, 2010 5:48 am; edited 1 time in total
Jimini (Guru)
Posted: Thu Sep 23, 2010 7:21 pm

These are the rules for Bittorrent:
Code:
iptables -I FORWARD -p tcp --dport 51413 -j ACCEPT
iptables -t nat -I PREROUTING -i $wan -p tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413

But as far as I know, I don't need an INPUT-rule for this traffic, because the client can connect without any problems. Or am I misunderstanding you?

Best regards,
Jimini
Hu (Moderator)
Posted: Fri Sep 24, 2010 2:39 am

You misunderstand truc. The point was that the traffic you say is being improperly logged is UDP, but your rules only match TCP for those ports. Thus, truc stated that the traffic being logged is not matched by any of your rules and it is proper that it is being logged. Your posts indicate that it is not your intention to log this, and presumably also not your intention to DROP it, but the rules you have shown do log it and do drop it.
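The check truc and Hu made by eye (the logged flows are UDP, the ACCEPT rules for that port are TCP only) can be automated. This is an added example, not code from the thread: a Python script that parses LOG lines in the format posted above, counts them per chain/protocol/port, and flags flows whose port is opened only for the other protocol. The sample lines and their syslog prefix are constructed, and the port list is taken from the FORWARD chain of the iptables-save output.

```python
import re
from collections import Counter

# Constructed sample in the LOG format from the thread (syslog prefix and DST=MY_IP are made up).
SAMPLE_LOG = """\
Sep 23 07:55:01 gw kernel: iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=212.50.93.30 DST=MY_IP LEN=353 TOS=0x00 PREC=0x00 TTL=115 ID=10540 PROTO=UDP SPT=43198 DPT=51413 LEN=333
Sep 23 07:55:01 gw kernel: iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=83.46.166.228 DST=MY_IP LEN=126 TOS=0x00 PREC=0x00 TTL=112 ID=3947 PROTO=UDP SPT=15657 DPT=51413 LEN=106
Sep 23 07:55:02 gw kernel: iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.234.187 DST=MY_IP LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=52143 DF PROTO=TCP SPT=10251 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 23 07:55:02 gw kernel: iptables - FORWARD: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=94.228.210.41 LEN=263 TOS=0x00 PREC=0x00 TTL=63 ID=41029 DF PROTO=TCP SPT=40930 DPT=2710 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
Sep 23 07:55:03 gw kernel: iptables - INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=213.67.147.20 DST=MY_IP LEN=131 TOS=0x00 PREC=0x00 TTL=117 ID=4534 PROTO=UDP SPT=62803 DPT=51413 LEN=111
"""
# (proto, dport) pairs ACCEPTed for 10.0.0.2 in the FORWARD chain of the iptables-save above.
PORT_RULES = {("udp", "20534"), ("tcp", "20530"), ("tcp", "9999"), ("tcp", "51413")}
LINE_RE = re.compile(r"iptables - (?P<chain>[^:]+?): (?P<rest>.*)$")

def parse_log_line(line):
    """Return {'chain', 'flags', KEY: VALUE ...} for one LOG line, or None for other syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "flags": []}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)  # first LEN= is the IP length; the later UDP LEN= is ignored
        else:
            fields["flags"].append(tok)  # DF, SYN, ACK, ...
    return fields

def summarize(log_text):
    """Count logged packets per (chain, PROTO, DPT), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            counts[(f["chain"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts.most_common()

def protocol_mismatches(summary, rules=PORT_RULES):
    """Flows reaching the catch-all LOG whose port is allowed only for the other protocol."""
    allowed = {port: proto for proto, port in rules}
    return [(chain, proto, dport, n, allowed[dport])
            for (chain, proto, dport), n in summary
            if dport in allowed and allowed[dport] != proto.lower()]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (chain, proto, dport), n in summary:
        print(f"{n:6d}  {chain:8s} {proto:4s} DPT={dport}")
    print("allowed for the other protocol only:", protocol_mismatches(summary))
```

On the sample the top entry is INPUT/UDP/51413, and the mismatch check reports it as allowed only for TCP, which is the missing UDP rule the thread ends with.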
Jimini (Guru)
Posted: Fri Sep 24, 2010 6:44 am

Ah, now I got it. That explains why my syslog got more than one new entry per second. I corrected my script and now it seems to work as it is supposed to, great! Sincere thanks to you two.

Best regards,
Jimini