[SOLVED] My iptables rule not worked.

hack3rcon · 10-07-2017, 02:56 AM

Hello.
I have written below iptables rule for logging failed attempts but not worked:

Code:

# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Is it for logging to my system or remote service like SSH?

Thank you.

tshikose · 10-07-2017, 03:37 AM

Hi,

iptables works with ordered rules, so without seeing the whole set of rules, we would not know why it behaves the way it is.

Post the results of

Code:

iptables -t filter -S INPUT

Shadow_7 · 10-07-2017, 04:43 AM

https://tecadmin.net/enable-logging-...bles-on-linux/

Are you sure it's now working? It seems there's "places" for the logs to go to.

/var/log/kern.log
/var/log/messages

Or where ever /etc/syslog.conf says it should go (kern.warning). Perhaps dated info too, have you looked in $(journalctl -a) aka the systemd logs?

michaelk · 10-07-2017, 08:50 AM

Quote:

Is it for logging to my system or remote service like SSH?

No, it logs packets that were filtered by iptables. Failed login attempts are written to logs by ssh.

hack3rcon · 10-07-2017, 09:31 AM

Quote:

Originally Posted by tshikose

hi,

iptables works with ordered rules, so without seeing the whole set of rules, we would not know why it behaves the way it is.

Post the results of

Code:

iptables -t filter -s input

Code:

-p input accept

hack3rcon · 10-07-2017, 09:36 AM

Quote:

Originally Posted by michaelk

No, it logs packets that were filtered by iptables. Failed login attempts are written to logs by ssh.

Where this rule written logs?

michaelk · 10-07-2017, 09:39 AM

It is written to syslog.

tshikose · 10-07-2017, 04:07 PM

Hi hack3rcon,

Please reply to my post #2.

Or, more with

Code:

iptables -t filter -S

hack3rcon · 10-08-2017, 06:39 AM

Quote:

Originally Posted by tshikose

Hi hack3rcon,

Please reply to my post #2.

Or, more with

Code:

iptables -t filter -S

I showed it:

Code:

-p input accept

hack3rcon · 10-08-2017, 06:49 AM

Quote:

Originally Posted by michaelk

It is written to syslog.

Is you mean something like:

Code:

Oct  7 18:10:46 debian kernel: [  353.382767] iptables denied: IN=eth0 OUT= MAC=08:00:27:3c:0c:0f:00:11:3b:15:4a:32:08:00 SRC=IP DST=IP LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=15600 DF PROTO=TCP SPT=58012 DPT=22 WINDOW=319 RES=0x00 ACK URGP=0

michaelk · 10-08-2017, 07:02 AM

tshikose · 10-08-2017, 07:04 AM

Hi,

Having

Code:

iptables -t filter -S INPUT

returning only

Code:

-P INPUT ACCEPT

is strange if you really added

Code:

iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Please note that iptables works from top to bottom.
At first match it executes the target and exits (except for few "special" targets).
You were clearly trying to insert a rule at the 5th position, so I wondered what were before and after that 5th rule.
Then your stack seemed to only have the default policy to accept everything.
That is really confusing.

Are you sure that you posted the results from a consistent stage?
Maybe you mixed while trying different things.

hack3rcon · 10-09-2017, 08:42 AM

Quote:

Originally Posted by tshikose

Hi,

Having

Code:

iptables -t filter -S INPUT

returning only

Code:

-P INPUT ACCEPT

is strange if you really added

Code:

iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Please note that iptables works from top to bottom.
At first match it executes the target and exits (except for few "special" targets).
You were clearly trying to insert a rule at the 5th position, so I wondered what were before and after that 5th rule.
Then your stack seemed to only have the default policy to accept everything.
That is really confusing.

Are you sure that you posted the results from a consistent stage?
Maybe you mixed while trying different things.

Ah, You right. I added "-I INPUT 1". Excuse me, Is it mean line?

hack3rcon · 10-09-2017, 08:44 AM

Quote:

Originally Posted by michaelk

Yes.

Can I find which character typed as password?

Shadow_7 · 10-09-2017, 09:00 AM

tcpdump can capture the raw packets, so there's probably way. But only IF you were recording the traffic at the time. Or some iptables mechanism to record the packets that were rejected/logged. Then again encryption is a thing now, so you'd have to know the key(s) and the data to translate. Or have tools that knows those things for you. wireshark? idk, not my wheel house.