iptables: logging all protocols (not just tcp, udp, icmp)
Brief overview of my current setup:
Code:
iptables -A INPUT -p ALL -j ip_blacklist
iptables -A INPUT -p tcp -j tcp_packets
iptables -A INPUT -p udp -j udp_packets
iptables -A INPUT -p icmp -j icmp_packets
iptables -A INPUT -j LOG --log-prefix 'Default INPUT policy: ' --log-level 5
The ip_blacklist chain is used to immediately drop any traffic from specified address ranges, while the tcp_, udp_, and icmp_packets chains contain rules for further processing of those protocols. The last rule in each of the latter three chains drops all packets that didn't match any rules above it; so tcp, udp, and icmp packets should NOT get caught by the default INPUT policy (DROP). The goal of the last rule on the INPUT chain is to then log any packets that are picked up by the default policy. However, it's not working.
I can tell that there are packets being picked off by the default policy because the counters are being incremented, but nothing is logged by that last rule. My conclusion is that it's only looking for tcp, udp, and icmp packets and ignoring everything else.
So, can anybody tell me how to get iptables to log all the other protocols (or whatever is being caught by the default policy)?
With a default policy of DROP, only explicitly allowed traffic is let through. Since you already make the distinction between the three protocols of the IP suite, I wonder whether the "-p ALL" ('man iptables' lists it case-sensitively as "-p all", BTW) in "-A INPUT -p ALL" makes sense at all and could be replaced with just "iptables -A INPUT -j ip_blacklist".

How about running a PREROUTING chain in the raw table with policy ACCEPT and running the following from there?

Code:
egrep -v '^(#|ip|tcp|udp|icmp)[[:blank:]]|^$' /etc/protocols | awk '{print $2}' | xargs -I X echo iptables -t raw -A PREROUTING -p X -j LOG
echo iptables -t raw -A PREROUTING -j ip_blacklist

This way the "raw" table (being the first table that gets hit anyway in modern iptables) can be used for logging and dropping, keeping things out of the way, keeping the filter table clean for the more complex things, and keeping the filter table policy intact.
Moving the blacklist chain to the raw table is a good idea, but logging all protocols other than tcp, udp, and icmp in raw isn't the solution I'm looking for. I'm not really interested in knowing about all packets that come in using a protocol other than those three. I just want to know about packets that manage to fall through to the default INPUT/OUTPUT policies; and iptables doesn't seem to want to log them, even though I've placed the above-mentioned logging rule at the end of the chain.
Quote:
logging all protocols other than tcp, udp, and icmp in raw isn't the solution I'm looking for. I'm not really interested in knowing about all packets that come in using a protocol other than those three. I just want to know about packets that manage to fall through to the default INPUT/OUTPUT policies; and iptables doesn't seem to want to log them, even though I've placed the above-mentioned logging rule at the end of the chain.
Simply put, logging enables you to see for yourself what gets dropped, empirical evidence and all that. That way you ensure that what you filter is correct.
Also, did you compile your kernel and/or iptables yourself? Actually, I guess basically what I'm asking is whether or not you can confirm that the LOG target is in fact working for you at all (by means of some testing rules).
Quote:
Originally Posted by win32sux
Simply put, logging enables you to see for yourself what gets dropped, empirical evidence and all that. That way you ensure that what you filter is correct.
I'm well aware of this. The problem is that the logging rule at the end of my INPUT/OUTPUT chains is NOT logging packets that make it that far.
Quote:
Originally Posted by win32sux
Also, did you compile your kernel and/or iptables yourself? Actually, I guess basically what I'm asking is whether or not you can confirm that the LOG target is in fact working for you at all (by means of some testing rules).
I did not compile the kernel/iptables myself, but I have confirmed that the LOG target is available and working. If I place LOG rules in any of the custom chains (above), it works as expected.
Following unSpawn's recommendation, I moved the ip_blacklist chain to the raw table and changed the rule to read:
Code:
iptables -t raw -A PREROUTING -j ip_blacklist
However, the very last LOG rules in the INPUT/OUTPUT (filter) chains (also above) still aren't logging packets before they're dropped by the default policy.
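The check a practitioner would run before going further, added here as an example and not taken from any post in the thread: the policy counter in the chain header of "iptables -L INPUT -v -n -x" shows how many packets the DROP policy has handled, and since the LOG rule is the last rule before that policy, its own packet counter shows whether those packets are traversing the LOG rule at all. If the LOG counter stays at zero while the policy counter grows, the rule is not matching those packets (its match options or position, not the LOG target, are the problem); if both counters grow together, the kernel is emitting the messages and the question becomes where kern.notice (log level 5) is routed, which "dmesg" answers independently of any syslog daemon. The two listings below are constructed samples, not output from the poster's machine, and the names SAMPLE_LOGGED, SAMPLE_UNLOGGED, policy_pkts, log_pkts and diagnose are my own.

```sh
#!/bin/sh
# Added diagnostic, not code from the thread: compare the INPUT chain's policy
# counter with the packet counter of the trailing LOG rule, using the text of
#   iptables -L INPUT -v -n -x
# Both listings below are constructed samples, not output from the poster's box.

# Constructed sample 1: LOG rule counter keeps pace with the policy counter.
SAMPLE_LOGGED='Chain INPUT (policy DROP 37 packets, 2960 bytes)
    pkts      bytes target       prot opt in     out     source               destination
    1200      96000 ip_blacklist all  --  *      *       0.0.0.0/0            0.0.0.0/0
     900      72000 tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
     250      20000 udp_packets  udp  --  *      *       0.0.0.0/0            0.0.0.0/0
      13       1040 icmp_packets icmp --  *      *       0.0.0.0/0            0.0.0.0/0
      37       2960 LOG          all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 5 prefix "Default INPUT policy: "'

# Constructed sample 2: policy counter grows but the LOG rule never fires
# (here because it was restricted to one interface).
SAMPLE_UNLOGGED='Chain INPUT (policy DROP 37 packets, 2960 bytes)
    pkts      bytes target       prot opt in     out     source               destination
    1200      96000 ip_blacklist all  --  *      *       0.0.0.0/0            0.0.0.0/0
     900      72000 tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG          all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 5 prefix "Default INPUT policy: "'

# policy_pkts: number of packets the chain policy has handled, taken from the
# "Chain ... (policy DROP N packets, ...)" header line on stdin.
policy_pkts() {
    awk '/^Chain / { sub(/.*policy [A-Z]+ /, ""); sub(/ packets.*/, ""); print; exit }'
}

# log_pkts: packet counter of the first rule whose target is LOG (0 if absent).
log_pkts() {
    awk 'BEGIN { n = 0 } $3 == "LOG" { n = $1; exit } END { print n }'
}

# diagnose: read a listing on stdin and print a one-line verdict.
diagnose() {
    listing=$(cat)
    p=$(printf '%s\n' "$listing" | policy_pkts)
    l=$(printf '%s\n' "$listing" | log_pkts)
    [ -n "$p" ] || p=0
    if [ "$p" -eq 0 ]; then
        echo "policy counter is zero: nothing has reached the default policy yet"
    elif [ "$l" -eq 0 ]; then
        echo "LOG rule counter is zero: the rule is not matching the packets the policy drops (check its match options and position)"
    else
        echo "LOG rule counter is $l: the kernel is emitting log lines; check where kern.notice (level 5) is routed, e.g. with dmesg"
    fi
}

# Run against the two samples; on a live system pipe the real listing in:
#   iptables -L INPUT -v -n -x | diagnose
printf '%s\n' "$SAMPLE_LOGGED"   | diagnose
printf '%s\n' "$SAMPLE_UNLOGGED" | diagnose
```

The same comparison applies to the OUTPUT chain by listing it instead of INPUT; the "-x" flag matters because without it the counters in the header and the rule lines may be abbreviated (37K and the like), which breaks the numeric comparison.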