Old 05-05-2007, 05:15 AM   #1
Firebar
Firewall Logging problems


Hi all,

I'm running CentOS 4.4 on an isolated test machine and am configuring the firewall on the host. I've got all my rules set up like so;

Code:
# Generated by iptables-save v1.2.11 on Tue Apr 24 17:13:10 2007
*filter

# Default policy actions

:INPUT DROP [11314:678776]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [395:84828]

# Input definitions

# setup loopback
-A INPUT -i lo -j ACCEPT

# rule for existing/accepted connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Anti spoofing rules, see RFC1918 in regards to addresses not deliverable over the internet
-A INPUT -s 192.168.0.3 -j LOG --log-level=warning --log-prefix "centos spoof attempt"
-A INPUT -s 192.168.0.3 -j DROP
-A INPUT -s 255.0.0.0/8 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 172.16.0.0/12 -j DROP

# ruleset limiting ssh access to the local subnet 
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3300 -m state --state NEW -j ACCEPT 

# rulesets for http & https
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT 

# rulesets to protect against improper tcp connection initiation (no SYN)
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-level=warning --log-prefix "potential stealth scan:"
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

# ruleset to log everything not accepted in the rules above
-A INPUT -j LOG --log-level=warning --log-prefix "dropped by ruleset:"

# Commit the rulesets 
COMMIT
# Completed on Tue Apr 24 17:13:10 2007
I have then altered /etc/syslog.conf to give;

Code:
kern.warning                   /var/log/iptables
The thing is, I get all the logging information dumped onto the console!!
I have no entries in /etc/syslog.conf specifying this, so I'm very confused?

Any ideas? I'm a bit stumped. Ultimately I aim to start using syslog-ng, but that's for another time.
 
Old 05-06-2007, 04:05 AM   #2
unSpawn
Not really a Linux Security question but OK: "man dmesg", look for the "level" setting explanation. IIRC a value of 4 should do, else play with it.
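Added example, not part of the thread or either poster's own code: a check of which LOG rules the kernel also prints on the console, since it echoes any message whose priority is numerically below console_loglevel (the first field of /proc/sys/kernel/printk), independently of /etc/syslog.conf. The function names and the two printk lines are constructed, and it assumes `dmesg -n 4` leaves console_loglevel at 4.

```shell
#!/bin/sh
# Added example (not from the thread).

# Syslog priority name or digit -> number (0 = emerg ... 7 = debug).
level_to_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        [0-7])        echo "$1" ;;
        *)            return 1 ;;
    esac
}

# console_loglevel is the first field of /proc/sys/kernel/printk.
console_loglevel() {
    set -- $1
    echo "$1"
}

# True when the kernel would also print the message on the console:
# only priorities numerically below console_loglevel get through.
reaches_console() {   # $1 = --log-level value, $2 = printk line
    msg=$(level_to_num "$1") || return 2
    [ "$msg" -lt "$(console_loglevel "$2")" ]
}

# Count LOG rules (iptables-save text on stdin) that reach the console.
count_console_rules() {   # $1 = printk line
    n=0
    for lvl in $(sed -n 's/.*-j LOG.*--log-level[= ]\([a-z0-9]*\).*/\1/p'); do
        if reaches_console "$lvl" "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Two LOG rules from the ruleset above; the printk lines are constructed.
RULES='-A INPUT -s 10.0.0.0/8 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -j LOG --log-level=warning --log-prefix "dropped by ruleset:"'
for printk in "6 4 1 7" "4 4 1 7"; do
    n=$(printf '%s\n' "$RULES" | count_console_rules "$printk")
    echo "console_loglevel=$(console_loglevel "$printk"): $n LOG rule(s) on console"
done
```

On a live host, pass `"$(cat /proc/sys/kernel/printk)"` as the printk line and feed the saved ruleset on stdin.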
 
  

