Hi all,
I'm running CentOS 4.4 on an isolated test machine and am configuring the firewall on the host. I've got all my rules set up like so:
Code:
# Generated by iptables-save v1.2.11 on Tue Apr 24 17:13:10 2007
*filter
# Default policy actions
:INPUT DROP [11314:678776]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [395:84828]
# Input definitions
# setup loopback
-A INPUT -i lo -j ACCEPT
# rule for existing/accepted connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anti spoofing rules, see RFC1918 in regards to addresses not deliverable over the internet
-A INPUT -s 192.168.0.3 -j LOG --log-level=warning --log-prefix "centos spoof attempt"
-A INPUT -s 192.168.0.3 -j DROP
-A INPUT -s 255.0.0.0/8 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 255.0.0.0/8 -j DROP
-A INPUT -s 0.0.0.0/8 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j LOG --log-level=warning --log-prefix "spoofing attempt"
-A INPUT -s 172.16.0.0/12 -j DROP
# ruleset limiting ssh access to the local subnet
-A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3300 -m state --state NEW -j ACCEPT
# rulesets for http & https
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# rulesets to protect against improper tcp connection initiation (no SYN)
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-level=warning --log-prefix "potential stealth scan:"
-A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# ruleset to log everything not accepted in the rules above
-A INPUT -j LOG --log-level=warning --log-prefix "dropped by ruleset:"
# Commit the rulesets
COMMIT
# Completed on Tue Apr 24 17:13:10 2007
I have then altered /etc/syslog.conf to give:
Code:
kern.warning /var/log/iptables
The thing is, I get all the logging information dumped onto the console!!
I have no entries in /etc/syslog.conf specifying this, so I'm very confused?
Any ideas? I'm a bit stumped. Ultimately I aim to start using syslog-ng, but that's for another time.
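As an added example that is not part of the original post: a small POSIX shell script that summarises the kernel LOG lines this ruleset writes (routed by the kern.warning line to /var/log/iptables) by --log-prefix and by source address, which is a quick way to see which rule is firing most. The hostname "centos" and the MAC and IP addresses in the constructed sample are assumptions; the sample also shows what happens because the prefixes above have no trailing space, so the kernel prints them directly against the IN= field.

```shell
#!/bin/sh
# Summarise kernel LOG lines written by the ruleset above (constructed example).
# Caveat shown here: the --log-prefix values have no trailing space, so the
# kernel prints them glued to the first packet field, e.g. "spoofing attemptIN=eth0".

# Constructed sample in the format the 2.6 LOG target hands to syslog
# (hostname "centos", MACs and addresses are made up; none come from the post).
SAMPLE_LOG='Apr 24 17:20:01 centos kernel: dropped by ruleset:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:aa:bb:cc:08:00 SRC=192.168.0.20 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 24 17:20:02 centos kernel: dropped by ruleset:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:aa:bb:cc:08:00 SRC=192.168.0.20 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 24 17:20:03 centos kernel: potential stealth scan:IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:dd:ee:ff:08:00 SRC=192.168.0.77 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0
Apr 24 17:20:04 centos kernel: spoofing attemptIN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:dd:ee:ff:08:00 SRC=10.1.2.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1'

# count_by_prefix FILE: print "<count>\t<prefix>" per --log-prefix, most frequent first.
count_by_prefix() {
  awk '{
    k = index($0, " kernel: "); if (k == 0) next     # skip non-kernel lines
    rest = substr($0, k + 9)                          # text after "kernel: "
    i = index(rest, "IN="); if (i == 0) next          # not a LOG target line
    n[substr(rest, 1, i - 1)]++                       # everything before IN= is the prefix
  }
  END { for (p in n) printf "%d\t%s\n", n[p], p }' "$1" | sort -rn
}

# top_sources FILE: print "<count>\t<src>" per SRC= address, most frequent first.
top_sources() {
  awk '{
    for (f = 1; f <= NF; f++) if ($f ~ /^SRC=/) { n[substr($f, 5)]++; break }
  }
  END { for (s in n) printf "%d\t%s\n", n[s], s }' "$1" | sort -rn
}

# Stand-alone use: ./summarise.sh /var/log/iptables
if [ -n "${1:-}" ]; then
  echo "== hits per log prefix =="; count_by_prefix "$1"
  echo "== hits per source address =="; top_sources "$1"
fi
```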