Iptables 5

Logging

You have a firewall, but how do you know what is coming into the computer, or what is being dropped? If something won't work, how do you know what needs to be allowed into the computer to make it work? This information can be obtained from logs. Following are examples which tell Iptables to log just some of the packets coming into and going out of the computer. If all of them were logged, there would be many thousands of entries in just one session on the internet. However, everything that is dropped will be logged. You may modify these examples. Insert the line:
This tells Iptables to add a rule that matches at most 2 packets per minute (on average; the "-m limit" match allows a burst of 5 by default) and logs them with the prefix "In2/m ". You may change "-m limit --limit 2/min" to any rate you want, or leave the limit out and log them all. You may change the prefix "In2/m " to any name you want, and the log level to any level you want. The levels are 0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice, 6 info and 7 debug; you can use the number or the word in the rule. Notice that "In2/m" is written without any spaces in the middle: if you copy and paste the logs into a spreadsheet, this keeps the prefix in one column. There is also a space between "In2/m" and the closing quotation mark, which keeps it separate from the next column. With each packet that comes into the computer, Iptables goes through the rules in the order they are written until it finds a rule that applies to that packet. The packet is dealt with as that rule determines, and Iptables is finished with it. The exception is logging: LOG does not decide the packet's fate, so after the information is logged, Iptables continues through the list of rules to find another applicable rule, which determines what to do with the packet. Where do you insert this line? If you insert it before the loopback line, it will log everything, including loopback. If you insert it after the loopback line, Iptables will already be finished with loopback packets, so they will not be logged. As you are concerned about what comes into the computer from outside, there is no need to log loopback, so insert it after the loopback line. Add the next one:
This line needs to be placed so that it logs everything coming in that is about to be dropped: insert it just before the line which says "iptables -A INPUT -j DROP". Everything else coming in has been dealt with by the earlier rules; the only packets left at this point are the ones that will be dropped, and before they are dropped they will be logged. Notice that this line does not have a limit of 2 per minute like the previous one, so it logs everything which is dropped. Bear in mind that a port scan or a flood will then produce one log line per dropped packet; if the log grows too fast, a generous "-m limit" on this rule too is the usual compromise. Let's log the output. Insert the line:
Where do you insert this line? It needs to go before the one which says "iptables -A OUTPUT -j ACCEPT". If you put it after that line, everything would already have been accepted, and there would be nothing left to log. As the main security concern is what is coming in, this only logs 6 per hour of what is going out. You may change this to any rate. With the rules as they are so far, loopback is not logged on the INPUT chain, but it is logged on the OUTPUT chain. To prevent loopback from being logged on the OUTPUT chain, add another rule:
Where do you put this line? Make it the first line in the OUTPUT chain. It is also a good idea to log and drop any invalid packets: packets which connection tracking cannot fit into any connection it knows about (conntrack state INVALID), such as malformed packets or replies to connections that do not exist. Attackers try many methods to get into computers, and one is to send such packets; if your rules do not mention them, they are judged by whatever later rule happens to match them. Add two more lines:
Where do you put these lines? Right at the beginning of the INPUT rules. You should now have:
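The complete set of INPUT and OUTPUT rules this section describes, assembled in the order the text calls for, as an added example rather than the page's own listing. The rules the page does not show (the loopback accept rules, and an ESTABLISHED,RELATED rule standing in for whatever allow rules the firewall already has) and the prefixes "InInvalid ", "InDrop " and "Out6/h " are assumptions; the 2/min and 6/hour limits, the "In2/m " prefix and the warning level are the ones the text gives. The script prints the rules so they can be reviewed before anything is applied, and checks the ordering the text explains: INVALID first, the sampling rule after the loopback line, the unlimited drop log immediately before the final DROP, loopback first in OUTPUT.

```shell
#!/bin/sh
# Added example, not the page's own listing: the INPUT and OUTPUT rules this
# section describes, in the order the text calls for. The loopback rules, the
# ESTABLISHED,RELATED rule (standing in for the firewall's existing allow
# rules) and the prefixes "InInvalid ", "InDrop " and "Out6/h " are assumed;
# the 2/min and 6/hour limits, the "In2/m " prefix and the level are the
# text's. "-m conntrack --ctstate" is the current spelling of the older
# "-m state --state" match.

LOGLEVEL=warning   # must match the level used later in /etc/syslog.conf

# Print the rules, one per line, in the order iptables will evaluate them.
print_rules() {
  # INPUT: INVALID packets are logged and dropped before anything else.
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix 'InInvalid ' --log-level $LOGLEVEL"
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  # Loopback is accepted here, so the sampling LOG rule below never sees it.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # A sample of everything else coming in: at most 2 log lines per minute
  # (on average; "-m limit" allows a burst of 5 by default).
  echo "iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix 'In2/m ' --log-level $LOGLEVEL"
  # The firewall's allow rules go here; this one is an assumed stand-in.
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Whatever reaches this point is about to be dropped: log all of it, then drop.
  echo "iptables -A INPUT -j LOG --log-prefix 'InDrop ' --log-level $LOGLEVEL"
  echo "iptables -A INPUT -j DROP"

  # OUTPUT: loopback first so it is never logged, then a 6/hour sample, then accept.
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A OUTPUT -m limit --limit 6/hour -j LOG --log-prefix 'Out6/h ' --log-level $LOGLEVEL"
  echo "iptables -A OUTPUT -j ACCEPT"
}

# Check the ordering the text insists on. Returns 0 only if every check holds:
# INVALID handled first, loopback accepted before the 2/min sample, the
# unlimited drop log immediately before the final DROP, loopback first in
# OUTPUT, and the output sample before the final ACCEPT.
check_order() {
  print_rules | awk '
    NR == 1 && /ctstate INVALID -j LOG/ { invalid_first = 1 }
    /INPUT -i lo -j ACCEPT/             { lo_in = NR }
    /INPUT -m limit --limit 2\/min/     { sample_in = NR }
    /log-prefix .InDrop ./              { drop_log = NR }
    /INPUT -j DROP$/                    { drop = NR }
    /OUTPUT/                            { if (!first_out) first_out = NR }
    /OUTPUT -o lo -j ACCEPT/            { lo_out = NR }
    /OUTPUT -m limit/                   { sample_out = NR }
    /OUTPUT -j ACCEPT$/                 { accept_out = NR }
    END {
      ok = invalid_first && lo_in < sample_in && drop_log + 1 == drop &&
           lo_out == first_out && sample_out < accept_out
      exit (ok ? 0 : 1)
    }'
}

# Apply the rules (run as root). -A appends, so start from empty chains to keep
# this order: "iptables -F INPUT; iptables -F OUTPUT" clears them first.
apply_rules() { check_order && print_rules | sh -e; }

# When run directly, print the rules for review; "sh this.sh | sh" as root applies them.
print_rules
```

Run it as it is to see the rules; as root, piping its output into sh applies them. Keep the level in LOGLEVEL and the level in the syslog.conf line the same, or the dedicated log file will stay empty.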
This can now be copied and pasted into the Root Terminal. When you access the internet, you will now log information about the packets coming into and going out of your computer. Where are they logged? They are logged, mixed in with other kernel messages, in files in the /var/log directory (such as kern.log, syslog or messages, depending on the system). Let's have your own file for these logs, so they are easy to find. To have one, add a line to "/etc/syslog.conf". Open the file "/etc/syslog.conf" with a Root Text Editor. (On a system that runs rsyslog instead, the file is "/etc/rsyslog.conf" or a file under "/etc/rsyslog.d/", and the same line works there.) Add the line:
You may use tabs instead of the space after "warning" so that it lines up with the other rules, if you want. If you have used a different log level in your Iptables rules, you must use that log level here; use the word, not the number. A syslog selector matches the named level and everything more urgent, so this file will also collect any other kernel messages of level warning or above, and the same lines still go to the other log files as before; this line only adds a copy. Save the file, then restart the syslog daemon (or restart the computer) for this to take effect.

Reading Logs

Logs can now be viewed by opening the file "/var/log/iptables.log". You can do this with a Text Editor. You can read the logs as they are, or copy and paste them into a spreadsheet, where you can sort them and do many other things with them.

Source and Destination

When you write Iptables rules, think about which end of the connection the rule describes. In the INPUT chain the other computer is the source, so its address goes after "-s" (source) and its port after "--sport" (source port), while your own computer is the destination, so the port on your computer goes after "--dport" (destination port). In the OUTPUT chain it is the other way round: the other computer's address goes after "-d" (destination) and its port after "--dport", and your own port after "--sport". The log uses the same convention for every packet: "SRC=" and "SPT=" are the address and port the packet came from, "DST=" and "DPT=" the address and port it is going to. For a packet logged on the INPUT chain, DPT= is therefore the port on your own computer that the packet was aimed at, which determines which program would receive it, so DPT= is the number to be concerned with when reading the logs. After looking at your logs, you may want to ALLOW or DROP something being sent to you through a certain destination port. Because DPT= in the log and "--dport" in an INPUT rule both name that same local port, the rule uses "--dport" with the number you saw in DPT= (together with "-p tcp" or "-p udp", since ports only exist for those protocols). SPT= is the sender's port; for a client that is usually a random high-numbered port that changes with every connection, so "--sport" is rarely a useful match in INPUT rules, and a rule using "--sport" with the number you saw in DPT= will not match the packets you saw.

ICMP Protocol

You may notice that the ICMP protocol does not have port numbers; its log lines carry TYPE= and CODE= fields instead of SPT= and DPT=.

© Copyright Guy Shipard 2008 - 2009
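An added example, not the page's code, for the Reading Logs and Source and Destination sections above. It does two things: it turns iptables log lines (as they land in the /var/log/iptables.log file set up above) into CSV columns, the layout a spreadsheet needs, and it derives from one logged packet the INPUT or OUTPUT rule that matches it, taking the port from DPT= and writing it as --dport. The four log lines are constructed for the example; the prefixes are the ones used in this section, and the addresses, ports and MAC are made up.

```shell
#!/bin/sh
# Added example, not from the page: read iptables LOG lines (as written to
# /var/log/iptables.log by the syslog line described above) into CSV, and
# turn one logged packet into the rule that matches it. The sample lines
# below are constructed; addresses, ports and the MAC are made up.

SAMPLE_LOG='Jan  5 10:21:03 debian kernel: InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:21:09 debian kernel: In2/m IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=51622 WINDOW=229 RES=0x00 ACK URGP=0
Jan  5 10:21:15 debian kernel: Out6/h IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.4 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=5120 DF PROTO=TCP SPT=51622 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0
Jan  5 10:21:20 debian kernel: InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1'

# Print line N of the sample log.
sample_line() { printf '%s\n' "$SAMPLE_LOG" | sed -n "${1}p"; }

# Convert log lines on stdin to CSV. Everything after "kernel: " is the
# iptables record; its first word is the log prefix (which is why the text
# keeps prefixes free of spaces), the rest are KEY=VALUE fields or bare
# flags such as DF, SYN and ACK, which are skipped.
log_to_csv() {
  awk '
    BEGIN { print "time,prefix,in,out,src,dst,proto,spt,dpt" }
    /kernel: / {
      rec = substr($0, index($0, "kernel: ") + 8)
      sub(/^\[[^]]*\] */, "", rec)      # drop a "[ 123.456]" uptime stamp, if the kernel prints one
      n = split(rec, w, " ")
      split("", f)                       # clear the fields of the previous line
      for (i = 2; i <= n; i++)
        if (split(w[i], kv, "=") == 2) f[kv[1]] = kv[2]
      printf "%s %s %s,%s,%s,%s,%s,%s,%s,%s,%s\n", $1, $2, $3, w[1],
        f["IN"], f["OUT"], f["SRC"], f["DST"], f["PROTO"], f["SPT"], f["DPT"]
    }'
}

# The sample log as CSV (ICMP rows have empty spt and dpt columns).
sample_csv() { printf '%s\n' "$SAMPLE_LOG" | log_to_csv; }

# Print the rule that matches the packet in one log line ($1) with target $2
# (ACCEPT or DROP). A packet with IN= set arrived here, so the rule goes in
# INPUT, the peer is SRC= (-s) and the port on this machine is DPT= (--dport).
# A packet with OUT= set left from here: OUTPUT, peer DST= (-d), remote
# port DPT= (--dport). ICMP has no ports, so its TYPE= field is used instead.
# -I puts the new rule at the top so it is seen before the logging and
# drop rules; a position number after the chain name places it elsewhere.
rule_for_line() {
  printf '%s\n' "$1" | awk -v target="$2" '
    {
      rec = substr($0, index($0, "kernel: ") + 8)
      sub(/^\[[^]]*\] */, "", rec)
      n = split(rec, w, " ")
      for (i = 2; i <= n; i++)
        if (split(w[i], kv, "=") == 2) f[kv[1]] = kv[2]
      proto = tolower(f["PROTO"])
      if (f["IN"] != "") cmd = "iptables -I INPUT -p " proto " -s " f["SRC"]
      else               cmd = "iptables -I OUTPUT -p " proto " -d " f["DST"]
      if (proto == "icmp")     cmd = cmd " --icmp-type " f["TYPE"]
      else if (f["DPT"] != "") cmd = cmd " --dport " f["DPT"]
      print cmd " -j " target
    }'
}
```

With the real file, "log_to_csv < /var/log/iptables.log > iptables.csv" gives a file a spreadsheet can open directly, and "rule_for_line" applied to the first sample line prints a rule with "--dport 23", the DPT= of the logged packet, not "--sport". The second sample line, a reply from a web server to a random local port, shows why source ports are poor material for INPUT rules: the rule it yields would only match that one connection.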