LinuxQuestions.org

iptables: logging all protocols (not just tcp, udp, icmp) (http://www.linuxquestions.org/questions/linux-security-4/iptables-logging-all-protocols-not-just-tcp-udp-icmp-815526/)

kfarstrider 06-21-2010 06:44 PM

iptables: logging all protocols (not just tcp, udp, icmp)
 
Brief overview of my current setup:

Code:

iptables -A INPUT -p ALL -j ip_blacklist
iptables -A INPUT -p tcp -j tcp_packets
iptables -A INPUT -p udp -j udp_packets
iptables -A INPUT -p icmp -j icmp_packets

iptables -A INPUT -j LOG --log-prefix 'Default INPUT policy: ' --log-level 5

The ip_blacklist chain is used to immediately drop any traffic from specified address ranges, while the tcp_, udp_, and icmp_packets chains contain rules for further processing of those protocols. The last rule in each of the latter three chains drops all packets that didn't match any rules above it; so tcp, udp, and icmp packets should NOT get caught by the default INPUT policy (DROP). The goal of the last rule on the INPUT chain is to then log any packets that are picked up by the default policy. However, it's not working.

I can tell that there are packets being picked off by the default policy because the counters are being incremented, but nothing is logged by that last rule. My conclusion is that it's only looking for tcp, udp, and icmp packets and ignoring everything else.

So, can anybody tell me how to get iptables to log all the other protocols (or whatever is being caught by the default policy)?

unSpawn 06-22-2010 06:01 AM

With a default policy of DROP only explicitly allowed traffic is let through. Since you already made the distinction between the three protocols in the IP suite the "-p ALL" ('man iptables' listing it case-sensitive as "-p all" BTW) I wonder if the "-A INPUT -p ALL" makes sense at all and could be replaced with just "iptables -A INPUT -j ip_blacklist". How about running a PREROUTING chain in the raw table with policy ACCEPT and running 'egrep -v "^(#|ip|tcp|udp|icmp)[[:blank:]]" /etc/protocols|awk '{print $2}'|xargs -iX echo iptables -t raw -A PREROUTING -p 'X' -j LOG; echo iptables -t raw -A PREROUTING -j ip_blacklist' from there? This way the "raw" table (being the first table that gets hit anyway in modern iptables) can be used for logging and dropping, keeping things out of the way and keeping the filter table clean for the more complex things and keeping the filter table policy intact.

kfarstrider 06-28-2010 02:26 PM

Moving the blacklist chain to the raw table is a good idea, but logging all protocols other than tcp, udp, and icmp in raw isn't the solution I'm looking for. I'm not really interested in knowing about all packets that come in using a protocol other than those three. I just want to know about packets that manage to fall through to the default INPUT/OUTPUT policies; and iptables doesn't seem to want to log them, even though I've placed the above-mentioned logging rule at the end of the chain.

unSpawn 06-29-2010 03:13 AM

Quote:

Originally Posted by kfarstrider (Post 4017419)
logging all protocols other than tcp, udp, and icmp in raw isn't the solution I'm looking for. I'm not really interested in knowing about all packets that come in using a protocol other than those three. I just want to know about packets that manage to fall through to the default INPUT/OUTPUT policies; and iptables doesn't seem to want to log them, even though I've placed the above-mentioned logging rule at the end of the chain.

Simply put, logging enables you to see for yourself what gets dropped, empirical evidence and all that. That way you ensure that what you filter is correct.

win32sux 06-29-2010 03:37 AM

Also, did you compile your kernel and/or iptables yourself? Actually, I guess basically what I'm asking is whether or not you can confirm that the LOG target is in fact working for you at all (by means of some testing rules).

kfarstrider 06-29-2010 11:53 AM

Quote:

Originally Posted by unSpawn (Post 4017929)
Simply put logging enables you to see for yourself what gets dropped, empirical evidence and all that. That way you ensure that what you filter is correct.

I'm well aware of this. The problem is that the logging rule at the end of my INPUT/OUTPUT chains is NOT logging packets that make it that far.

Quote:

Originally Posted by win32sux
Also, did you compile your kernel and/or iptables yourself? Actually, I guess basically what I'm asking is whether or not you can confirm that the LOG target is in fact working for you at all (by means of some testing rules).

I did not compile the kernel/iptables myself, but I have confirmed that the LOG target is available and working. If I place LOG rules in any of the custom chains (above), it works as expected.

Following unSpawn's recommendation, I moved the ip_blacklist chain to the raw table and changed the rule to read:

Code:

iptables -t raw -A PREROUTING -j ip_blacklist

However, the very last LOG rules in the INPUT/OUTPUT (filter) chains (also above) still aren't logging packets before they're dropped by the default policy.
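One way to check what a terminal LOG rule like the one above actually catches is to parse the kernel log lines it emits and tally them by PROTO. The following is an added example, not code from this thread; the log lines are constructed (not captured from the poster's host) but follow the field layout the iptables LOG target writes, where tcp/udp/icmp appear by name and other protocols appear as their /etc/protocols number (ESP and AH are also printed by name).

```python
import re
from collections import Counter

# Prefix used by the thread's terminal rule: --log-prefix 'Default INPUT policy: '
PREFIX = "Default INPUT policy: "

# Names the kernel logger prints instead of a protocol number (others show the number).
NAMED_PROTOS = {"ICMP": 1, "TCP": 6, "UDP": 17, "ESP": 50, "AH": 51, "UDPLITE": 136}

# Constructed sample of kernel log lines (not real captures): two non-tcp/udp/icmp
# packets reaching the terminal rule (2 = IGMP, 47 = GRE), one ESP packet, and one
# tcp packet logged earlier by a custom chain with a different prefix.
SAMPLE_KMSG = """\
kernel: Default INPUT policy: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
kernel: Default INPUT policy: IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=47
kernel: tcp_packets drop: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0
kernel: Default INPUT policy: IN=eth0 OUT= SRC=192.0.2.30 DST=192.0.2.1 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=ESP SPI=0x1
"""

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line, prefix=PREFIX):
    """Return the KEY=VALUE fields after the prefix, or None if the prefix is absent."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))


def proto_number(proto):
    """Map the PROTO field (name or number) to its IP protocol number."""
    if proto in NAMED_PROTOS:
        return NAMED_PROTOS[proto]
    return int(proto) if proto.isdigit() else None


def tally_by_proto(text, prefix=PREFIX):
    """Count packets per PROTO value among lines carrying the given log prefix."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields and "PROTO" in fields:
            counts[fields["PROTO"]] += 1
    return counts


def fell_through(counts):
    """Protocols other than tcp/udp/icmp that hit the terminal rule; with the
    thread's chain layout these are the only packets that should reach it."""
    return {p: n for p, n in counts.items() if p not in ("TCP", "UDP", "ICMP")}


if __name__ == "__main__":
    counts = tally_by_proto(SAMPLE_KMSG)
    for proto, n in sorted(fell_through(counts).items()):
        print(f"PROTO={proto} (number {proto_number(proto)}): {n} packet(s)")
```

Feed it `dmesg` or `/var/log/kern.log` output in place of the sample; a tcp/udp/icmp entry under the terminal prefix would indicate a gap in the protocol-specific chains rather than an exotic protocol.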

