iptables: logging all protocols (not just tcp, udp, icmp)
 

Brief overview of my current setup:

The ip_blacklist chain is used to immediately drop any traffic from specified address ranges, while the tcp_, udp_, and icmp_packets chains contain rules for further processing of those protocols. The last rule in each of the latter three chains drops all packets that didn't match any rules above it; so tcp, udp, and icmp packets should NOT get caught by the default INPUT policy (DROP). The goal of the last rule on the INPUT chain is to then log any packets that are picked up by the default policy. However, it's not working.

I can tell that there are packets being picked off by the default policy because the counters are being incremented, but nothing is logged by that last rule. My conclusion is that it's only looking for tcp, udp, and icmp packets and ignoring everything else.

So, can anybody tell me how to get iptables to log all the other protocols (or whatever is being caught by the default policy)?

With a default policy of DROP only explicitly allowed traffic is let through. Since you already made the distinction between the three protocols in the IP suite the "-p ALL" ('man iptables' listing it case-sensitive as "-p all" BTW) I wonder if the "-A INPUT -p ALL" makes sense at all and could be replaced with just "iptables -A INPUT -j ip_blacklist". How about running a PREROUTING chain in the raw table with policy ACCEPT and running 'egrep -v "^(#|ip|tcp|udp|icmp)[[:blank:]]" /etc/protocols|awk '{print $2}'|xargs -iX echo iptables -t raw -A PREROUTING -p 'X' -j LOG; echo iptables -t raw -A PREROUTING -j ip_blacklist' from there? This way the "raw" table (being the first table that gets hit anyway in modern iptables) can be used for logging and dropping, keeping things out of the way and keeping the filter table clean for the more complex things and keeping the filter table policy intact.

Moving the blacklist chain to the raw table is a good idea, but logging all protocols other than tcp, udp, and icmp in raw isn't the solution I'm looking for. I'm not really interested in knowing about all packets that come in using a protocol other than those three. I just want to know about packets that manage to fall through to the default INPUT/OUTPUT policies; and iptables doesn't seem to want to log them, even though I've placed the above-mentioned logging rule at the end of the chain.

Simply put logging enables you to see for yourself what gets dropped, empirical evidence and all that. That way you ensure that what you filter is correct.

Also, did you compile your kernel and/or iptables yourself? Actually, I guess basically what I'm asking is whether or not you can confirm that the LOG target is in fact working for you at all (by means of some testing rules).

I'm well aware of this. The problem is that the logging rule at the end of my INPUT/OUTPUT chains is NOT logging packets that make it that far.

I did not compile the kernel/iptables myself, but I have confirmed that the LOG target is available and working. If I place LOG rules in any of the custom chains (above), it works as expected.

Following unSpawn's recommendation, I moved the ip_blacklist chain to the raw table and changed the rule to read:

However, the very last LOG rules in the INPUT/OUTPUT (filter) chains (also above) still aren't logging packets before they're dropped by the default policy.