LinuxQuestions.org
Old 10-07-2017, 02:56 AM   #1
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Rep: Reputation: 10
My iptables rule did not work.


Hello.
I have written the iptables rule below for logging failed attempts, but it did not work:
Code:
# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Is it for logging to my system or remote service like SSH?

Thank you.
 
Old 10-07-2017, 03:37 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 513

Rep: Reputation: 95
Hi,

iptables works with ordered rules, so without seeing the whole set of rules, we would not know why it behaves the way it does.

Post the results of

Code:
iptables -t filter -S INPUT
 
Old 10-07-2017, 04:43 AM   #3
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 873
https://tecadmin.net/enable-logging-...bles-on-linux/

Are you sure it's now working? It seems there's "places" for the logs to go to.

/var/log/kern.log
/var/log/messages

Or wherever /etc/syslog.conf says it should go (kern.warning). Perhaps dated info too, have you looked in $(journalctl -a) aka the systemd logs?
 
Old 10-07-2017, 08:50 AM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,594

Rep: Reputation: 4164
Quote:
Is it for logging to my system or remote service like SSH?
No, it logs packets that were filtered by iptables. Failed login attempts are written to logs by ssh.
 
Old 10-07-2017, 09:31 AM   #5
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by tshikose View Post
Hi,

iptables works with ordered rules, so without seeing the whole set of rules, we would not know why it behaves the way it does.

Post the results of

Code:
iptables -t filter -S INPUT
Code:
-p input accept
 
Old 10-07-2017, 09:36 AM   #6
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by michaelk View Post
No, it logs packets that were filtered by iptables. Failed login attempts are written to logs by ssh.
Where does this rule write its logs?
 
Old 10-07-2017, 09:39 AM   #7
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,594

Rep: Reputation: 4164
It is written to syslog.
 
Old 10-07-2017, 04:07 PM   #8
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 513

Rep: Reputation: 95
Hi hack3rcon,

Please reply to my post #2.

Or, more with

Code:
iptables -t filter -S
 
Old 10-08-2017, 06:39 AM   #9
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by tshikose View Post
Hi hack3rcon,

Please reply to my post #2.

Or, more with

Code:
iptables -t filter -S
I showed it:
Code:
-p input accept
 
Old 10-08-2017, 06:49 AM   #10
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by michaelk View Post
It is written to syslog.
Do you mean something like:
Code:
Oct  7 18:10:46 debian kernel: [  353.382767] iptables denied: IN=eth0 OUT= MAC=08:00:27:3c:0c:0f:00:11:3b:15:4a:32:08:00 SRC=IP DST=IP LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=15600 DF PROTO=TCP SPT=58012 DPT=22 WINDOW=319 RES=0x00 ACK URGP=0
 
Old 10-08-2017, 07:02 AM   #11
michaelk
Moderator
 
Registered: Aug 2002
Posts: 21,594

Rep: Reputation: 4164
Yes.
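
A small parser for kernel log lines in the format confirmed above, added as an example that is not part of the original thread; the sample lines and their addresses are constructed. It separates `KEY=value` fields from bare flags such as `DF` and `ACK`, and counts SYN-only TCP packets per source and destination port.

```python
from collections import Counter

# Constructed sample in the format of the line posted above; the addresses are
# documentation-range placeholders, and the sshd line is constructed too.
SAMPLE = """\
Oct  7 18:10:46 debian kernel: [  353.382767] iptables denied: IN=eth0 OUT= MAC=08:00:27:3c:0c:0f:00:11:3b:15:4a:32:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=15600 DF PROTO=TCP SPT=58012 DPT=22 WINDOW=319 RES=0x00 ACK URGP=0
Oct  7 18:11:01 debian kernel: [  368.100201] iptables denied: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4021 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 18:11:02 debian sshd[1234]: Failed password for root from 198.51.100.7 port 40022 ssh2
Oct  7 18:11:05 debian kernel: [  372.440913] iptables denied: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4188 DF PROTO=TCP SPT=40030 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 18:11:09 debian kernel: [  376.021377] iptables denied: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4302 DF PROTO=TCP SPT=51514 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

PREFIX = "iptables denied: "   # the --log-prefix used in the thread


def parse_log_line(line, prefix=PREFIX):
    """Return the fields of one LOG-target line, or None if the prefix is absent."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None                      # e.g. an sshd line: not written by the rule
    fields, flags = {}, []
    for token in rest.split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value          # "OUT=" yields an empty string
        else:
            flags.append(token)          # bare tokens: DF, SYN, ACK, ...
    fields["FLAGS"] = flags
    return fields


def new_connections(text):
    """Count SYN-only TCP packets per (SRC, DPT), i.e. connection attempts."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP":
            continue
        if "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            counts[(f["SRC"], int(f["DPT"]))] += 1
    return counts
```

A line carrying `ACK` without `SYN`, like the one posted in the thread, is not a connection attempt, and the "iptables denied: " prefix is only a label: the rule logs every packet that reaches it, whatever happens to the packet afterwards.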
 
Old 10-08-2017, 07:04 AM   #12
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 513

Rep: Reputation: 95
Hi,

Having
Code:
iptables -t filter -S INPUT
returning only
Code:
-P INPUT ACCEPT
is strange if you really added
Code:
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Please note that iptables works from top to bottom.
At first match it executes the target and exits (except for a few "special" targets).
You were clearly trying to insert a rule at the 5th position, so I wondered what was before and after that 5th rule.
Then your stack seemed to only have the default policy to accept everything.
That is really confusing.

Are you sure that you posted the results from a consistent stage?
Maybe you mixed while trying different things.
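
A simplified Python model of the chain behaviour described in the post above, added here as an illustration (it is not iptables code and not part of the thread); the `Chain` class and the helper names are hypothetical. It shows why `-I INPUT 5` leaves an empty chain unchanged and why a LOG rule placed after a DROP never sees the dropped packets.

```python
# Simplified model of one iptables chain; rate limiting (-m limit) is not modelled.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # traversal stops at these targets

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []                      # (match_function, target), top to bottom

    def insert(self, position, match, target):
        """Model of `iptables -I CHAIN position ...` (positions are 1-based).
        The highest valid position is one past the current last rule."""
        if not 1 <= position <= len(self.rules) + 1:
            raise IndexError("Index of insertion too big")
        self.rules.insert(position - 1, (match, target))

    def traverse(self, packet):
        """Walk the rules in order and return (verdict, was_logged)."""
        logged = False
        for match, target in self.rules:
            if not match(packet):
                continue
            if target == "LOG":              # non-terminating: log, then keep going
                logged = True
            elif target in TERMINATING:      # first terminating match ends traversal
                return target, logged
        return self.policy, logged           # nothing terminated: chain policy applies

def any_packet(packet):
    return True

def to_ssh(packet):
    return packet["proto"] == "tcp" and packet["dpt"] == 22

def rules_after_insert_at_5():
    """`-I INPUT 5` on an empty chain is rejected, so the chain stays empty."""
    chain = Chain()
    try:
        chain.insert(5, any_packet, "LOG")
    except IndexError:
        pass
    return len(chain.rules)

def verdicts(log_position):
    """Put a DROP for SSH in the chain, then insert LOG at log_position."""
    chain = Chain(policy="ACCEPT")
    chain.insert(1, to_ssh, "DROP")
    chain.insert(log_position, any_packet, "LOG")
    ssh, web = {"proto": "tcp", "dpt": 22}, {"proto": "tcp", "dpt": 80}
    return chain.traverse(ssh), chain.traverse(web)
```

With the LOG rule at position 1 both packets are logged before their verdict; at position 2 the SSH packet is dropped first and never reaches the LOG rule.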
 
Old 10-09-2017, 08:42 AM   #13
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by tshikose View Post
Hi,

Having
Code:
iptables -t filter -S INPUT
returning only
Code:
-P INPUT ACCEPT
is strange if you really added
Code:
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Please note that iptables works from top to bottom.
At first match it executes the target and exits (except for a few "special" targets).
You were clearly trying to insert a rule at the 5th position, so I wondered what was before and after that 5th rule.
Then your stack seemed to only have the default policy to accept everything.
That is really confusing.

Are you sure that you posted the results from a consistent stage?
Maybe you mixed while trying different things.
Ah, you are right. I added "-I INPUT 1". Excuse me, does it mean the line?

Last edited by hack3rcon; 10-09-2017 at 08:44 AM.
 
Old 10-09-2017, 08:44 AM   #14
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by michaelk View Post
Yes.
Can I find which characters were typed as the password?
 
Old 10-09-2017, 09:00 AM   #15
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 873
tcpdump can capture the raw packets, so there's probably a way. But only IF you were recording the traffic at the time. Or some iptables mechanism to record the packets that were rejected/logged. Then again encryption is a thing now, so you'd have to know the key(s) and the data to translate. Or have tools that know those things for you. wireshark? idk, not my wheelhouse.
 
  


All times are GMT -5.