LinuxQuestions.org, Linux - Security forum
Old 12-04-2016, 07:55 AM   #1
hack3rcon
iptables and Logs.


Hi.
I have written the iptables rules below:

Code:
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
As you can see, it must create a log with the name "portscan:", but should it exist under "/var/log"? When iptables has blocked an IP, how can I unblock it?

Thank you.
 
Old 12-04-2016, 08:12 AM   #2
Turbocapitalist
The --log-prefix applies to the log message, not the log file name. So look in the file /var/log/syslog for lines with "portscan:" in the 9th or so column.

The --remove option corresponds to --rcheck and can remove an address from your block list. See man iptables-extensions for that.

Edit: you might consider --update instead of --rcheck, depending on your uses.

Last edited by Turbocapitalist; 12-04-2016 at 08:14 AM.
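As an added example (editor's code, not from the thread): the LOG target writes one kernel-log line per matching packet, and rsyslog on Debian-style systems files it under /var/log/syslog (elsewhere /var/log/messages, or `journalctl -k`). The prefix is glued in front of the IN=/OUT=/SRC=/DPT= fields, so the reliable way to pull hits out is to search for the prefix and then read the fields by name rather than by column, because the column shifts with the length of the MAC= field and the kernel timestamp. The log lines below are constructed to look like that output; host name, interface and addresses are made up.

```sh
#!/bin/sh
# Added example (not from the thread): pull "portscan:" hits out of syslog.

# Constructed sample of what /var/log/syslog would hold; everything in it is
# made up, including the MAC= field, which is why columns are not trusted.
SAMPLE_LOG='Dec  5 07:10:01 box kernel: [ 9123.400101] portscan:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  5 07:10:01 box kernel: [ 9123.400555] iptables denied: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  5 07:10:02 box kernel: [ 9124.100200] portscan:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  5 07:10:05 box kernel: [ 9127.000300] portscan:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0'

# portscan_hits PREFIX  -  read log lines on stdin, print "SRC DPT" for every
# line that carries PREFIX.  Fields are located by their key, not by position.
portscan_hits() {
    awk -v p="$1" '
        index($0, p) == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") print src, dpt
        }'
}

# portscan_sources PREFIX  -  unique sources with hit counts, busiest first.
# Compare this with /proc/net/xt_recent/<list>: a source that is logged
# but never shows up in the list means the rules after the LOG never ran.
portscan_sources() {
    portscan_hits "$1" | awk '{ n[$1]++ } END { for (a in n) print n[a], a }' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | portscan_sources "portscan:"
```

Against the real log the functions read stdin, so `portscan_sources portscan: < /var/log/syslog` is all that is needed; the same prefix argument works for the "iptables denied: " rule in post #5.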
 
Old 12-05-2016, 01:12 AM   #3
hack3rcon
Quote:
Originally Posted by Turbocapitalist View Post
The --log-prefix applies to the log message not the log file name. So look in the file /var/log/syslog for lines with "portscan:" in the 9th or so column.

The --remove option corresponds to --rcheck and can remove an address from your block list. See man iptables-extensions for that.

Edit: you might consider --update instead of --rcheck, depending on your uses.

I don't have "iptables-extensions".

$ sudo iptables-
iptables-apply iptables-restore iptables-save iptables-xml

Can you show me an example?
 
Old 12-05-2016, 02:15 AM   #4
pan64
iptables-extensions is not a command to execute; see the man page, as was suggested.
Can you google an example?
 
Old 12-05-2016, 06:57 AM   #5
hack3rcon
Quote:
Originally Posted by pan64 View Post
iptables-extensions is not a command to execute, see man page as it was suggested.
can you google an example?
I guess the commands are:
Code:
iptables -L INPUT -n --line-numbers
iptables -D INPUT number
OK?
My output is:
Code:
sudo iptables -L INPUT -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    REJECT     all  --  0.0.0.0/0            127.0.0.0/8          reject-with icmp-port-unreachable
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
6               tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
7    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 180 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
9    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
10   LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
12   DROP       all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
13              all  --  0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: portscan side: source mask: 255.255.255.255
14   LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
15   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
Does it mean I don't have any blocked IPs?
 
Old 12-05-2016, 07:11 AM   #6
Turbocapitalist
Using -L shows which rules are in effect. Only if there are rules that explicitly apply to particular IP addresses or netblocks will -D help. You indicate that you are using -m recent to dynamically create a list of addresses. Those addresses won't be listed by -L, but they can be found in /proc/net/xt_recent/ in a file named after your list, which you show as "portscan". If you look inside that file, you'll see your addresses. However, I don't know the right way to access that list or modify it. The documentation for "iptables" beyond the manual pages is a bit awkward and the manual pages are in need of polishing.

Edit: while looking for something else, I stumbled across this in the manual page for iptables-extensions

Code:
       Each  file  in /proc/net/xt_recent/ can be read from to see the current list or written to using the following commands to
       modify the list:

       echo +addr >/proc/net/xt_recent/DEFAULT
              to add addr to the DEFAULT list

       echo -addr >/proc/net/xt_recent/DEFAULT
              to remove addr from the DEFAULT list

       echo / >/proc/net/xt_recent/DEFAULT
              to flush the DEFAULT list (remove all entries).
Substitute the name of your list for "DEFAULT" there and you're set.

Last edited by Turbocapitalist; 12-05-2016 at 08:33 AM.
 
Old 12-05-2016, 08:48 AM   #7
hack3rcon
Quote:
Originally Posted by Turbocapitalist View Post
Using -L shows which rules are in effect. Only if there are rules that explicitly apply to particular IP addresses or netblocks will -D help. You indicate that you are using -m recent to dynamically create a list of addresses. Those addresses won't be listed by -L, but they can be found in /proc/net/xt_recent/ in a file named after your list, which you show as "portscan". If you look inside that file, you'll see your addresses. However, I don't know the right way to access that list or modify it. The documentation for "iptables" beyond the manual pages is a bit awkward and the manual pages are in need of polishing.

Edit: while looking for something else, I stumbled across this in the manual page for iptables-extensions

Code:
       Each  file  in /proc/net/xt_recent/ can be read from to see the current list or written to using the following commands to
       modify the list:

       echo +addr >/proc/net/xt_recent/DEFAULT
              to add addr to the DEFAULT list

       echo -addr >/proc/net/xt_recent/DEFAULT
              to remove addr from the DEFAULT list

       echo / >/proc/net/xt_recent/DEFAULT
              to flush the DEFAULT list (remove all entries).
Substitute the name of your list for "DEFAULT" there and you're set.
Ah, I see:
Code:
$ cat /proc/net/xt_recent/
DEFAULT   portscan
Then my blocked IP addresses are put in "portscan"?
 
Old 12-05-2016, 08:51 AM   #8
Turbocapitalist
Quote:
Originally Posted by hack3rcon View Post
Then my blocked IP addresses are put in "portscan"?
Yes. And you can add to, remove from, or clear the list "portscan" using "echo" as shown in the manual page. Though your iptables rules will do much of that automatically for you, if they are set up right.
 
Old 12-05-2016, 09:20 AM   #9
hack3rcon
Quote:
Originally Posted by Turbocapitalist View Post
Yes. And you can add to, remove from, or clear the list "portscan" using "echo" as shown in the manual page. Though your iptables rules will do much of that automatically for you, if they are set up right.
And if I want to do it manually via iptables? Can I use "iptables -D INPUT IP"?
 
Old 12-05-2016, 09:25 AM   #10
Turbocapitalist
No. You can do it manually with "echo". So if you were to add 203.0.113.44 to your blacklist, you'd do the following as root:

Code:
echo +203.0.113.44 >/proc/net/xt_recent/portscan
Conversely, you'd remove that address from your blacklist using a minus:

Code:
echo -203.0.113.44 >/proc/net/xt_recent/portscan
If you want to clear the whole list and start fresh, send a slash:

Code:
echo / >/proc/net/xt_recent/portscan
The -D only applies to actual rules not lists.
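An added example covering the /proc interface from posts #6 and #10 (editor's code, not from the thread). It wraps the `+addr`, `-addr` and `/` writes behind an address validator, and it parses the list's read format, which is `src=<addr> ttl: <n> last_seen: <jiffies> oldest_pkt: <index> <stamp>[,<stamp>...]` with every timestamp in kernel jiffies (CONFIG_HZ ticks per second), not in seconds. `recent_matching` reproduces the `--rcheck --seconds N --hitcount M` test against such a file, so you can tell whether a DROP rule would fire for an address right now. The list contents used in the test and the directory override are constructed; on a real machine XT_RECENT_DIR is /proc/net/xt_recent, the writes need root, and the current jiffies value has to come from the kernel (the stand-alone demo reads the "jiffies:" line of /proc/timer_list and assumes HZ=250; both are assumptions to check against your kernel).

```sh
#!/bin/sh
# Added example, not from the thread: wrappers for the /proc/net/xt_recent
# control interface plus a parser for the list's read format.
# XT_RECENT_DIR can be pointed at a directory holding a copy of a list file
# so the parser can be exercised without root.
XT_RECENT_DIR="${XT_RECENT_DIR:-/proc/net/xt_recent}"

# One entry as the kernel prints it (net/netfilter/xt_recent.c):
#   src=<addr> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <stamp>[,<stamp>...]
# All timestamps are kernel jiffies: CONFIG_HZ ticks per second.

# is_ipv4 ADDR  -  accept only a dotted quad with each octet in 0..255, so a
# typo never reaches the kernel (which answers such writes with EINVAL).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# The three write commands from the manual page, guarded by the validator.
# Against the real /proc files these must run as root.
recent_add()   { is_ipv4 "$2" && printf '%s\n' "+$2" > "$XT_RECENT_DIR/$1"; }
recent_del()   { is_ipv4 "$2" && printf '%s\n' "-$2" > "$XT_RECENT_DIR/$1"; }
recent_flush() { printf '/\n' > "$XT_RECENT_DIR/$1"; }

# recent_matching LIST NOW_JIFFIES HZ SECONDS HITCOUNT
#   Print "addr hits" for every entry that `-m recent --rcheck --seconds
#   SECONDS --hitcount HITCOUNT --name LIST` would match at NOW_JIFFIES:
#   at least HITCOUNT stamps that are not older than SECONDS*HZ ticks.
#   HITCOUNT 0 (option not given) behaves like 1, as in the kernel.
recent_matching() {
    awk -v now="$2" -v hz="$3" -v secs="$4" -v need="$5" '
        BEGIN { if (need < 1) need = 1 }
        /^src=/ {
            addr = substr($1, 5)
            n = split($NF, st, ",")        # last field is the stamp list
            hits = 0
            for (i = 1; i <= n; i++) if (st[i] + secs * hz >= now) hits++
            if (hits >= need) print addr, hits
        }' "$XT_RECENT_DIR/$1"
}

# Stand-alone demo for a root shell on a box that uses the "portscan" list:
# show who the thread's `--rcheck --seconds 86400` rule would drop right now.
# Assumptions: HZ is 250 (check CONFIG_HZ in /boot/config-$(uname -r)) and
# the current jiffies value is the "jiffies:" line of /proc/timer_list.
if [ -r "$XT_RECENT_DIR/portscan" ] && [ -r /proc/timer_list ]; then
    now=$(awk '/jiffies:/ { print $2; exit }' /proc/timer_list)
    [ -n "$now" ] && recent_matching portscan "$now" 250 86400 0
fi
```

One trap with these writes: `sudo echo +addr > /proc/net/xt_recent/portscan` fails with "permission denied", because the redirection is done by your unprivileged shell before sudo runs; use a root shell, or `printf '+%s\n' addr | sudo tee /proc/net/xt_recent/portscan`.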
 
Old 12-10-2016, 07:41 AM   #11
hack3rcon
Quote:
Originally Posted by Turbocapitalist View Post
No. You can do it manually with "echo". So if you were to add 203.0.113.44 to your blacklist, you'd do the following as root:

Code:
echo +203.0.113.44 >/proc/net/xt_recent/portscan
Conversely, you'd remove that address from your blacklist using a minus:

Code:
echo -203.0.113.44 >/proc/net/xt_recent/portscan
If you want to clear the whole list and start fresh, send a slash:

Code:
echo / >/proc/net/xt_recent/portscan
The -D only applies to actual rules not lists.

I scanned my system from another system with "Nmap", but:
Code:
~$ sudo cat /proc/net/xt_recent/portscan 
~$ sudo cat /proc/net/xt_recent/DEFAULT 
~$
As you see the files are empty.
 
Old 12-10-2016, 08:33 AM   #12
Turbocapitalist
That means that your iptables rules are not catching the ip number of your other machine.
You can try adding that address manually.

Code:
echo +203.0.113.44 >/proc/net/xt_recent/portscan
Substitute the IP address of your other machine for 203.0.113.44.
 
Old 12-10-2016, 09:57 AM   #13
hack3rcon
Quote:
Originally Posted by Turbocapitalist View Post
That means that your iptables rules are not catching the ip number of your other machine.
You can try adding that address manually.

Code:
echo +203.0.113.44 >/proc/net/xt_recent/portscan
Substitute the IP address of your other machine for 203.0.113.44.
That is my question: why can't my iptables catch the IP?
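The listing in post #5 answers this. Rule 11 is "REJECT all" with no match options, so every packet that reaches it is rejected and rules 12 to 15 (the portscan trap) never see anything; that is why /proc/net/xt_recent/portscan stays empty in post #11 even though a scan was run. Rule 13 is a second problem: a bare `--remove` with no target and no other match deletes every source that reaches it, so even with the ordering fixed the list would be wiped by the next packet. As an added example (editor's code, not from the thread), the block below has a checker that flags rules sitting after an unconditional ACCEPT/DROP/REJECT in the same chain, plus a rewritten trap in iptables-restore format that puts the rules in their own chain, jumped to before the catch-all REJECT, and uses `--update` as suggested in post #2. The sample ruleset is a constructed iptables-save rendering of the post #5 listing; `iptables -L` without -v hides interface matches, so rule 1 is assumed to be the usual `-i lo` accept. Loading the rewritten stanza with plain `iptables-restore` replaces the whole filter table, so compare it with your own rules first.

```sh
#!/bin/sh
# Added example, not from the thread: (1) a checker for rules that can never
# match because an unconditional ACCEPT/DROP/REJECT sits above them in the
# same chain, and (2) a rewritten port-139 trap in iptables-restore format.

# Constructed iptables-save rendering of the INPUT chain listed in post #5.
# Rule 1 is ASSUMED to be `-i lo` (hidden by `iptables -L` without -v);
# the rest follows the listing line by line.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A INPUT -m recent --remove --name portscan --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
COMMIT'

# dead_rules CHAIN  -  read iptables-save text on stdin and print, with its
# position in CHAIN, every rule after the first one shaped like
# "-A CHAIN -j ACCEPT|DROP|REJECT [target options]": no match at all and a
# terminating target, so nothing below it is ever evaluated.
dead_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (dead) { print n ": " $0; next }
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) dead = 1
        }'
}

# portscan_trap_rules  -  emit a replacement filter table.  Changes from the
# thread's rules: the trap lives in its own chain that INPUT jumps to before
# the catch-all REJECT; --update replaces --rcheck so every dropped packet
# restarts the 24 h timer; the LOG is rate limited; the target-less --remove
# rule is gone.  RELATED,ESTABLISHED is accepted before the jump, so a
# trapped host keeps connections it already had; move the jump up if you
# want those cut too.
portscan_trap_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:PORTSCAN - [0:0]
# already listed: keep dropping and extend the timer
-A PORTSCAN -m recent --update --seconds 86400 --name portscan --rsource -j DROP
# first touch of 139/tcp: record the source, log (rate limited), drop
-A PORTSCAN -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource
-A PORTSCAN -p tcp -m tcp --dport 139 -m limit --limit 5/min -j LOG --log-prefix "portscan:"
-A PORTSCAN -p tcp -m tcp --dport 139 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j PORTSCAN
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Stand-alone run: lists rules 12 to 15 of the post #5 chain as unreachable.
printf '%s\n' "$SAMPLE_RULES" | dead_rules INPUT
```

To check a live box, run `iptables-save | dead_rules INPUT` as root; to try the rewritten table without committing it, `portscan_trap_rules | iptables-restore --test` parses and builds it but does not load it.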
 
  


All times are GMT -5.