LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-21-2008, 11:53 PM   #1
emdcyco
LQ Newbie
 
Registered: Jul 2008
Posts: 4

Rep: Reputation: 0
Cool need some help with iptables


Hello everyone, i am new to the forums and to the world of linux.

I've been trying to learn iptables, and came up with the following rules, and i am wondering if they seem okay, is there anything out of place/not needed, and would appreciate some insights.

I am using NAT to share the internet between my windows pc in house.

The code is right here:

Code:
# Generated by iptables-save v1.4.0 on Mon Jul 21 22:32:43 2008
*nat
:PREROUTING ACCEPT [8745:413359]
:POSTROUTING ACCEPT [153:9795]
:OUTPUT ACCEPT [153:9795]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 21 22:32:43 2008
# Generated by iptables-save v1.4.0 on Mon Jul 21 22:32:43 2008
*filter
:INPUT DROP [4371:217374]
:FORWARD ACCEPT [8:420]
:OUTPUT ACCEPT [1768:165707]
:FIREWALL - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "Firewall: "
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -j FIREWALL
-A INPUT -j FIREWALL
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FIREWALL -m limit --limit 10/min -j LOG --log-prefix "Firewall: "
-A FIREWALL -j DROP
COMMIT
# Completed on Mon Jul 21 22:32:43 2008
# Generated by iptables-save v1.4.0 on Mon Jul 21 22:32:43 2008
*mangle
:PREROUTING ACCEPT [10544:1041845]
:INPUT ACCEPT [10389:1009007]
:FORWARD ACCEPT [155:32838]
:OUTPUT ACCEPT [1768:165707]
:POSTROUTING ACCEPT [1923:198545]
COMMIT
# Completed on Mon Jul 21 22:32:43 2008
I am not sure if the line "-A INPUT -j LOG --log-prefix "Firewall: " " is correct or not or if its needed (logging works fine but i think its due to my FIREWALL chain)

Also how would i be able to log to a certain file instead of messages.log
I looked around and found that this would be enable logging to a certain file, but it doesnt seem to work. (I am using ArchLinux btw)

Code:
#
# /etc/syslog-ng.conf
#

options {
  sync (0);
  time_reopen (10);
  log_fifo_size (1000);
  long_hostnames(off); 
  use_dns (no);
  use_fqdn (no);
  create_dirs (no);
  keep_hostname (yes);
  perm(0640);
  group("log");
};

source src {
  unix-stream("/dev/log");
  internal();
  file("/proc/kmsg");
};

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog.log"); };
destination cron { file("/var/log/crond.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kernel { file("/var/log/kernel.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination mail { file("/var/log/mail.log"); };
destination news { file("/var/log/news.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination debug { file("/var/log/debug.log"); };
destination messages { file("/var/log/messages.log"); };
destination errors { file("/var/log/errors.log"); };
destination everything { file("/var/log/everything.log"); };
destination iptables { file("/var/log/iptables.log"); };
destination acpid { file("/var/log/acpid.log"); };
destination console { usertty("root"); };

# Log everything to vc12
destination console_all { file("/dev/vc/12"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { program(syslog-ng); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kernel { facility(kern) and not match("IPT"); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
filter f_news { facility(news); };
filter f_ppp { facility(local2); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not match("IPT"); };
filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err) and not match("IPT"); };
filter f_iptables { match("IPT"); };
filter f_acpid { match("acpid"); };

log { source(src); filter(f_acpid); destination(acpid); flags(final); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kernel); destination(kernel); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
#log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_err); destination(errors); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_everything); destination(everything); };
log { source(src); filter(f_iptables); destination(iptables); };

# Log everything to vc12
#log { source(src); destination(console_all); };
Any help or insight would be much appreciated.
 
Old 07-22-2008, 04:11 PM   #2
emdcyco
LQ Newbie
 
Registered: Jul 2008
Posts: 4

Original Poster
Rep: Reputation: 0
can anyone give me some insights on if its setup okay?
 
Old 07-22-2008, 04:43 PM   #3
Samotnik
Member
 
Registered: Jun 2006
Location: Belarus
Distribution: Debian GNU/Linux testing/unstable
Posts: 471

Rep: Reputation: 40
Is it working? Than it's correct. If it's not, than ask your questions.

Last edited by Samotnik; 07-22-2008 at 04:44 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
An error occured getting IPtables status from the command /etc/rc.d/init.d/iptables s CrazyMAzeY Linux - Newbie 10 08-12-2010 06:25 AM
iptables v1.2.9: Unknown arg `/sbin/iptables' Try `iptables -h' or 'iptables --help' Niceman2005 Linux - Security 4 12-29-2005 09:20 PM
Iptables - Couldn't load target `ACCPET':/lib/iptables/libipt_ACCPET.so: z00t Linux - Security 3 01-26-2004 03:24 AM
IPtables Log Analyzer from http://www.gege.org/iptables/ brainlego Linux - Software 0 08-11-2003 07:08 AM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 08:36 AM


All times are GMT -5. The time now is 03:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration