Old 06-21-2010, 06:44 PM   #1
kfarstrider
LQ Newbie
 
Registered: Jun 2010
Posts: 3

Rep: Reputation: 0
iptables: logging all protocols (not just tcp, udp, icmp)


Brief overview of my current setup:

Code:
iptables -A INPUT -p ALL -j ip_blacklist
iptables -A INPUT -p tcp -j tcp_packets
iptables -A INPUT -p udp -j udp_packets
iptables -A INPUT -p icmp -j icmp_packets

iptables -A INPUT -j LOG --log-prefix 'Default INPUT policy: ' --log-level 5
The ip_blacklist chain is used to immediately drop any traffic from specified address ranges, while the tcp_, udp_, and icmp_packets chains contain rules for further processing of those protocols. The last rule in each of the latter three chains drops all packets that didn't match any rules above it; so tcp, udp, and icmp packets should NOT get caught by the default INPUT policy (DROP). The goal of the last rule on the INPUT chain is to then log any packets that are picked up by the default policy. However, it's not working.

I can tell that there are packets being picked off by the default policy because the counters are being incremented, but nothing is logged by that last rule. My conclusion is that it's only looking for tcp, udp, and icmp packets and ignoring everything else.

So, can anybody tell me how to get iptables to log all the other protocols (or whatever is being caught by the default policy)?
 
Old 06-22-2010, 06:01 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953
With a default policy of DROP only explicitly allowed traffic is let through. Since you already made the distinction between the three protocols in the IP suite the "-p ALL" ('man iptables' listing it case-sensitive as "-p all" BTW) I wonder if the "-A INPUT -p ALL" makes sense at all and could be replaced with just "iptables -A INPUT -j ip_blacklist". How about running a PREROUTING chain in the raw table with policy ACCEPT and running 'egrep -v "^(#|ip|tcp|udp|icmp)[[:blank:]]" /etc/protocols|awk '{print $2}'|xargs -iX echo iptables -t raw -A PREROUTING -p 'X' -j LOG; echo iptables -t raw -A PREROUTING -j ip_blacklist' from there? This way the "raw" table (being the first table that gets hit anyway in modern iptables) can be used for logging and dropping, keeping things out of the way and keeping the filter table clean for the more complex things and keeping the filter table policy intact.
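The egrep/awk/xargs one-liner above, written out as an added example (not from the thread) that only prints the raw-table LOG rules instead of applying them, adds a rate limit so a burst of unexpected protocols cannot flood the kernel log, and runs against a constructed excerpt of /etc/protocols rather than the system file:

```shell
#!/bin/sh
# Added example, not part of the original post: generate (do not apply) one
# rate-limited LOG rule per IP protocol that the filter table does not already
# branch on (ip, tcp, udp, icmp), following unSpawn's pipeline.

# Constructed sample in the "name number alias # comment" layout of
# /etc/protocols (assumption: same column order as the real file).
SAMPLE_PROTOCOLS='# Internet (IP) protocols
ip      0   IP          # internet protocol, pseudo protocol number
icmp    1   ICMP        # internet control message protocol
igmp    2   IGMP        # Internet Group Management
tcp     6   TCP         # transmission control protocol
udp     17  UDP         # user datagram protocol
gre     47  GRE         # General Routing Encapsulation
esp     50  IPSEC-ESP   # Encap Security Payload
ah      51  IPSEC-AH    # Authentication Header
sctp    132 SCTP        # Stream Control Transmission Protocol'

# $1: contents of a protocols file. Prints one iptables command per protocol
# number that is neither a comment nor ip/tcp/udp/icmp.
gen_log_rules() {
    printf '%s\n' "$1" |
        grep -Ev '^(#|ip|tcp|udp|icmp)[[:blank:]]' |
        awk 'NF >= 2 { print $2 }' |
        while read -r proto; do
            # -m limit keeps an attacker from filling the log with junk
            # protocols; --log-prefix makes the lines easy to grep later.
            printf "iptables -t raw -A PREROUTING -p %s -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'Unhandled proto %s: ' --log-level 5\n" \
                "$proto" "$proto"
        done
}

# How many rules the input would produce; a sanity check before applying.
count_log_rules() {
    gen_log_rules "$1" | wc -l | tr -d ' '
}

gen_log_rules "$SAMPLE_PROTOCOLS"
```

Review the printed commands before piping them into sh; the script itself never touches the running firewall.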
 
Old 06-28-2010, 02:26 PM   #3
kfarstrider
LQ Newbie
 
Registered: Jun 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Moving the blacklist chain to the raw table is a good idea, but logging all protocols other than tcp, udp, and icmp in raw isn't the solution I'm looking for. I'm not really interested in knowing about all packets that come in using a protocol other than those three. I just want to know about packets that manage to fall through to the default INPUT/OUTPUT policies; and iptables doesn't seem to want to log them, even though I've placed the above-mentioned logging rule at the end of the chain.
 
Old 06-29-2010, 03:13 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953
Quote:
Originally Posted by kfarstrider View Post
logging all protocols other than tcp, udp, and icmp in raw isn't the solution I'm looking for. I'm not really interested in knowing about all packets that come in using a protocol other than those three. I just want to know about packets that manage to fall through to the default INPUT/OUTPUT policies; and iptables doesn't seem to want to log them, even though I've placed the above-mentioned logging rule at the end of the chain.
Simply put logging enables you to see for yourself what gets dropped, empirical evidence and all that. That way you ensure that what you filter is correct.
 
Old 06-29-2010, 03:37 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Also, did you compile your kernel and/or iptables yourself? Actually, I guess basically what I'm asking is whether or not you can confirm that the LOG target is in fact working for you at all (by means of some testing rules).

Last edited by win32sux; 06-29-2010 at 03:54 AM.
 
Old 06-29-2010, 11:53 AM   #6
kfarstrider
LQ Newbie
 
Registered: Jun 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Simply put logging enables you to see for yourself what gets dropped, empirical evidence and all that. That way you ensure that what you filter is correct.
I'm well aware of this. The problem is that the logging rule at the end of my INPUT/OUTPUT chains is NOT logging packets that make it that far.

Quote:
Originally Posted by win32sux
Also, did you compile your kernel and/or iptables yourself? Actually, I guess basically what I'm asking is whether or not you can confirm that the LOG target is in fact working for you at all (by means of some testing rules).
I did not compile the kernel/iptables myself, but I have confirmed that the LOG target is available and working. If I place LOG rules in any of the custom chains (above), it works as expected.

Following unSpawn's recommendation, I moved the ip_blacklist chain to the raw table and changed the rule to read:

Code:
iptables -t raw -A PREROUTING -j ip_blacklist
However, the very last LOG rules in the INPUT/OUTPUT (filter) chains (also above) still aren't logging packets before they're dropped by the default policy.
 