qanopus
06-25-2004 09:21 AM
outputting firewall messages to a file instead of stdout
Hi, I just set up my firewall. Installed iptables, recompiled my kernel and built additional modules... you know the works. The good news is the firewall actually works, but it outputs messages directly to my console, flooding it and thus rendering it effectively useless. Not good!!!
Here is the script I use to get my firewall up and running on every boot:
Code:
#!/bin/sh
# Begin $rc_base/init.d/firewall
case "$1" in
    start)
        echo "starting firewall..."
        # Insert connection-tracking modules (not needed if built into the
        # kernel).
        modprobe ip_tables
        modprobe iptable_filter
        modprobe ip_conntrack
        modprobe ip_conntrack_ftp
        modprobe ipt_state
        modprobe ipt_LOG
        # allow local-only connections
        /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
        # free output on any interface to any ip for any service (equal to -P
        # ACCEPT)
        /usr/sbin/iptables -A OUTPUT -j ACCEPT
        # permit answers on already established connections
        # and permit new connections related to established ones (eg active-ftp)
        /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Log everything else: What's Windows' latest exploitable
        # vulnerability?
        /usr/sbin/iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
        # set a sane policy: everything not accepted > /dev/null
        /usr/sbin/iptables -P INPUT DROP
        /usr/sbin/iptables -P FORWARD DROP
        /usr/sbin/iptables -P OUTPUT DROP
        # be verbose on dynamic ip-addresses (not needed in case of static
        # IP)
        echo 2 > /proc/sys/net/ipv4/ip_dynaddr
        # disable ExplicitCongestionNotification - too many routers are still
        # ignorant
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
        ;;
    stop)
        echo "stopping firewall..."
        # deactivate IP-Forwarding
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /usr/sbin/iptables -Z
        /usr/sbin/iptables -F
        /usr/sbin/iptables -X
        /usr/sbin/iptables -P INPUT ACCEPT
        /usr/sbin/iptables -P FORWARD ACCEPT
        /usr/sbin/iptables -P OUTPUT ACCEPT
        # unload the modules
        rmmod iptable_filter
        rmmod ipt_state
        rmmod ipt_LOG
        rmmod ip_tables
        rmmod ip_conntrack_ftp
        rmmod ip_conntrack
        ;;
    restart)
        $0 stop
        /bin/sleep 1
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
I wrote this myself, with much help from the Linux From Scratch book. How should I change this so that the firewall output is redirected to a file instead of the standard output???
Any help is appreciated, thanks.
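One way to keep the LOG target's messages off the console and to read them back from a file once they are there, as an added example that is not part of this thread. It assumes a sysklogd-style syslogd/klogd reading /etc/syslog.conf; the path /var/log/firewall.log, the rate-limit values and the sample log entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): send the LOG rule's output to a file
# instead of the console, then summarise that file. Assumes sysklogd-style
# syslogd/klogd with /etc/syslog.conf; log path and sample lines are constructed.

# Rules to use in the "start)" branch instead of the bare "-j LOG" line.
# - --log-level debug (7): the console only shows kernel messages whose
#   priority number is below the first value in /proc/sys/kernel/printk
#   (default 7), so debug-priority entries reach klogd but not the screen.
# - -m limit: a port scan cannot flood the log with thousands of lines.
install_firewall_logging() {
    /usr/sbin/iptables -A INPUT -m limit --limit 5/min --limit-burst 20 \
        -j LOG --log-level debug --log-prefix "FIREWALL:INPUT "
    # Route exactly that priority to its own file ("-" = no fsync per line),
    # then make syslogd re-read its configuration.
    grep -q 'kern.=debug' /etc/syslog.conf ||
        printf 'kern.=debug\t-/var/log/firewall.log\n' >> /etc/syslog.conf
    kill -HUP "$(cat /var/run/syslogd.pid)"
}

# Once the entries are in a file, count (SRC, PROTO, DPT) triples so the
# noisiest sources and the ports they probe are visible at a glance.
firewall_summary() {
    grep 'FIREWALL:INPUT' "$1" | awk '
        { src = proto = dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/)   src   = substr($i, 5)
              if ($i ~ /^PROTO=/) proto = substr($i, 7)
              if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
          }
          if (src != "") count[src " " proto " " dpt]++ }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample in the format the LOG target writes via klogd.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 25 09:21:03 host kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31337 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 09:21:04 host kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31338 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 09:21:05 host kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31339 DF PROTO=TCP SPT=40125 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 09:21:07 host kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31340 DF PROTO=TCP SPT=40126 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 09:21:09 host kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
EOF
firewall_summary "$SAMPLE_LOG"   # first line: 3 203.0.113.7 TCP 22
```

Any existing `kern.*` line in syslog.conf will still receive the entries as well, so trim that line if you want them only in the dedicated file.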