syslog.conf:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /var/log/allkern
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
kern.=debug -/var/log/bandwidth
### Send kern.info messages to psadfifo for analysis by kmsgsd
kern.info |/var/lib/psad/psadfifo
kern.3 /var/log/iptables #tried kern.=warning, doesn't help!!
My /var/log/iptables file is empty, and even /var/log/allkern doesn't have any iptables entries! Is it something to do with my sysctl settings? Below is my sysctl.conf file:
# Kernel sysctl configuration file for Red Hat Enterprise Linux
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
# Default should work for all interfaces
net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.all.rp_filter = 1
# net.ipv4.conf.lo.rp_filter = 1
# net.ipv4.conf.eth0.rp_filter = 1
# Disables IP source routing
# Default should work for all interfaces
net.ipv4.conf.default.accept_source_route = 0
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.lo.accept_source_route = 0
# net.ipv4.conf.eth0.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Increase maximum amount of memory allocated to shm
# Only uncomment if needed!
# kernel.shmmax = 67108864
# Disable ICMP Redirect Acceptance
# Default should work for all interfaces
net.ipv4.conf.default.accept_redirects = 0
I think that the LOG is in the wrong place. The packets never make it to the LOG target (unless they've died).
Also, I assume this is a test machine (since the default policy is ACCEPT, and there seem to be few rules). Also, where is the chain RH-Firewall-1-INPUT?
Thanks for the fast reply. Actually this is a production machine. I only setup the firewall using the firewall utility that comes with RedHat (i.e. setup). I didn't want to disclose the open ports to the public so I didn't post the chain. Anyway here is the chain with some ports taken out:
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Did you find something wrong?
Ohhh...
To me, your Chains look backwards. As I understand it, the chain is parsed from top to bottom. So when a packet enters `INPUT', it jumps to `RH-Fire...'. The first rule says any packet, with any protocol, any source, and any destination, should immediately be accepted. It doesn't get a chance to see any of the elaborate rules you've built up. Maybe you are confusing `iptables -A' and `iptables -I' (the first appends, the second inserts).
Do you have multiple interfaces? If so, your rules might not be backwards as I see them. If so, please enter something like `iptables -nvL' (where the v causes the interface to be printed). If you are paranoid about anything, just xxx it out instead of deleting the line (unless you are certain it's not important).
I got the following by executing the "iptables -nvL" command. I do have 2 interfaces, eth0 and eth1. Only eth0 is used at the moment. I actually have not entered any iptables commands by myself. The following is all set up by running 'setup' and the Firewall Configuration utility that came with RHEL except I added the LOG part, which I read from psad setup guide. After all, I am trying to setup psad but apparently my iptables is not logging anything whatsoever~ :-(
Thanks for your help.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
104K 48M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
Chain OUTPUT (policy ACCEPT 118K packets, 111M bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
1651 4393K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 100 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
99178 43M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
22 1080 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
1622 77856 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
2 96 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
2 96 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
138 6756 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
323 16068 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
393 322K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Hi. I was wrong --- your script-generated rules are perfect (the first rule applies to the lo interface which I completely forgot about). But I'm still right about the first part --- your modified part of the rules is useless, since the packet will never get to the logging target. Unless you tell us what you did to get there, we cannot guess the problem. I have a feeling that you used iptables -A instead of iptables -I.
Next point: do you really want to log everything (or is this just a way to test your logging functionality). Generally, it is a good security practice to log only bad stuff, because otherwise it doesn't stand out against the rest. I don't quite remember psad (I used it once, only for port-knocking, which since can be implemented in iptables directly), but maybe it acts as a filter and requires the logging of every packet. Whatever the case, make sure to have disk quotas in place before putting this into production, since a slight change might cause logs to be overfilled, flooding your disk!
It seems that I didn't quite read "The rules above should be added at the end of the INPUT and FORWARD chains after all ACCEPT rules for legitimate traffic and just before a corresponding DROP rule for traffic that is not to be allowed through the policy." ....
osor, if what you said is true, I wouldn't need psad at all? Can you suggest a firewall script that I can use to protect my system? Thanks.
I'm not quite sure what you mean. Just a general explanation, iptables -A is correct only if you are issuing every command to create the chains from scratch. Since RHEL created a basic firewall ruleset, you can't just tack your rule on at the end (using append -A). In your case, you would have to put a log rule in the RH-Firewall-1-INPUT chain right before the REJECT rule (using insert -I).
To implement it as the documentation said, you would have to do
since the 14th rule down is where you want to be. Of course, if you wanted a permanent, production-quality example, you would hunt down the rule-generating script and put this in there (so you wouldn't have to change the 14 if you happened to add/delete a rule).
What do you mean when you say you do not want to use psad? What was your purpose of using it in the first place? AFAIK, psad is an intrusion detection system. It can do port-knocking as well. I happen to find using iptables easier, since there is one less level of indirection (and the knocking happens at kernel level). If all you need is port-knocking, then you can use netfilter. But before you throw away psad, you need a good foundation in the way netfilter works. Once you acquire that, you find you can do all sorts of unimaginable things! One of iptables' base modules is recent. This module can name specific connections and then check to see if they are recent (say within the last 10 seconds). This can be daisy-chained into a very flexible portknocking implementation, without the headache of keeping a daemon awake to parse through logs.
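A small model of the chain walk osor describes, added here as an example; it is not code from the thread, from RHEL's firewall tool or from psad. The `Rule`/`traverse` helpers are my own, the rules are transcribed from the `iptables -nvL` listing above, and the five packets are constructed samples. It shows why the LOG rule appended to INPUT keeps a counter of 0 (every packet entering RH-Firewall-1-INPUT leaves with an ACCEPT or REJECT verdict, so INPUT's second rule is never reached) and what changes when a LOG rule is inserted at slot 14, directly in front of the REJECT, as `iptables -I RH-Firewall-1-INPUT 14 -j LOG` would do.

```python
"""Model of netfilter chain traversal for the ruleset posted in this thread.

Added example (not from the thread, RHEL or psad): rules are transcribed from
the `iptables -nvL` listing above; the sample packets are constructed.
"""
from dataclasses import dataclass, field

TERMINATING = {"ACCEPT", "REJECT", "DROP"}


@dataclass
class Rule:
    target: str                                 # ACCEPT/REJECT/LOG or a user chain
    match: dict = field(default_factory=dict)   # packet field -> value or tuple of values
    hits: int = 0                               # the "pkts" counter of iptables -nvL

    def matches(self, pkt):
        for key, want in self.match.items():
            have = pkt.get(key)
            if have != want and not (isinstance(want, tuple) and have in want):
                return False
        return True


def rh_firewall_1_input():
    """RH-Firewall-1-INPUT as listed by the OP: 14 rules, catch-all REJECT last."""
    return [
        Rule("ACCEPT", {"in": "lo"}),
        Rule("ACCEPT", {"proto": "icmp"}),
        Rule("ACCEPT", {"proto": "esp"}),
        Rule("ACCEPT", {"proto": "ah"}),
        Rule("ACCEPT", {"proto": "udp", "dst": "224.0.0.251", "dport": 5353}),
        Rule("ACCEPT", {"proto": "udp", "dport": 631}),
        Rule("ACCEPT", {"state": ("RELATED", "ESTABLISHED")}),
        Rule("ACCEPT", {"proto": "tcp", "state": "NEW", "dport": 443}),
        Rule("ACCEPT", {"proto": "tcp", "state": "NEW", "dport": 995}),
        Rule("ACCEPT", {"proto": "tcp", "state": "NEW", "dport": 110}),
        Rule("ACCEPT", {"proto": "tcp", "state": "NEW", "dport": 993}),
        Rule("ACCEPT", {"proto": "tcp", "state": "NEW", "dport": 25}),
        Rule("ACCEPT", {"proto": "tcp", "state": "NEW", "dport": 80}),
        Rule("REJECT"),   # reject-with icmp-host-prohibited: matches everything left
    ]


def build_tables(log_position=None):
    """INPUT as the OP has it: the jump, then an appended LOG (iptables -A).
    If log_position is given, a LOG rule is also inserted at that 1-based slot
    of RH-Firewall-1-INPUT, which is what `iptables -I <chain> <n> -j LOG` does."""
    rh = rh_firewall_1_input()
    if log_position is not None:
        rh.insert(log_position - 1, Rule("LOG"))
    return {"INPUT": [Rule("RH-Firewall-1-INPUT"), Rule("LOG")],
            "RH-Firewall-1-INPUT": rh}


def traverse(tables, chain, pkt):
    """Walk a chain top to bottom. ACCEPT/REJECT/DROP end the walk; LOG is
    non-terminating; a user-chain target is entered, and control only comes
    back here if that chain runs off its end without giving a verdict."""
    for rule in tables[chain]:
        if not rule.matches(pkt):
            continue
        rule.hits += 1
        if rule.target in TERMINATING:
            return rule.target
        if rule.target == "LOG":
            continue
        verdict = traverse(tables, rule.target, pkt)
        if verdict is not None:
            return verdict
    return None


def filter_input(tables, pkt, policy="ACCEPT"):
    """Verdict for a packet entering the built-in INPUT chain (policy ACCEPT)."""
    verdict = traverse(tables, "INPUT", pkt)
    return verdict if verdict is not None else policy


def log_hits(tables):
    """pkts counter of every LOG rule, keyed by (chain, 1-based rule number)."""
    return {(chain, i): r.hits for chain, rules in tables.items()
            for i, r in enumerate(rules, 1) if r.target == "LOG"}


def reject_rule_number(chain_rules):
    """1-based slot of the REJECT rule: the number to hand to `iptables -I`."""
    return next(i for i, r in enumerate(chain_rules, 1) if r.target == "REJECT")


# Constructed sample traffic arriving on eth0 (not captured from any host).
SAMPLE_PACKETS = [
    {"in": "eth0", "proto": "tcp", "state": "NEW", "dport": 22},    # ssh probe
    {"in": "eth0", "proto": "tcp", "state": "NEW", "dport": 443},   # https
    {"in": "eth0", "proto": "tcp", "state": "ESTABLISHED", "dport": 80},
    {"in": "eth0", "proto": "udp", "state": "NEW", "dport": 111},   # portmap probe
    {"in": "eth0", "proto": "icmp"},
]


def run(log_position=None):
    """Return (verdict per sample packet, LOG counters) for the chosen layout."""
    tables = build_tables(log_position)
    verdicts = [filter_input(tables, p) for p in SAMPLE_PACKETS]
    return verdicts, log_hits(tables)


if __name__ == "__main__":
    slot = reject_rule_number(rh_firewall_1_input())
    print("insert before REJECT with: iptables -I RH-Firewall-1-INPUT %d -j LOG" % slot)
    print("as posted:", run())
    print("fixed:    ", run(slot))
```

With the rules as posted, the INPUT LOG rule stays at 0 hits for all five packets; with the LOG inserted at slot 14 it counts exactly the two packets that go on to be rejected, which is the "log only the bad stuff" placement osor recommends. The slot is computed from the rule list rather than hard-coded, for the same reason osor gives: if a rule is added or removed above the REJECT, the number changes.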
1. Blocking port scans
2. Blocking SSHD brute-forces
3. Blocking any other network intrusion attempts
I was looking for something that can do the job for me so I didn't have to look into all the details of iptables and netfilter myself, but such resources are very limited around. There are a few scripts flying around on the web but I don't know if they are good or not. So I found PSAD and decided to give it a try. Thanks for your help. Now I am looking at gShield... it seems pretty good?