On an Arch Linux based router (old P4) I would like to run iptables as a firewall.
Currently I only use iptables with the masquerade option, all the ports are open.
To set up this firewall, I want to use a default drop policy, like here. But I need to find out which ports are currently used so I can keep them open. I tried wireshark, but that is ok for a few minutes. Is there a good way to log all traffic for a day so I can analyze it for the used ports?
Another side question, I see in wireshark for example a request for imap or http and the server answers from a random port. How does this work if I use the drop policy, do my packets still arrive?
iptables has its own logging facility:
-A OUTPUT -j LOG
Chain OUTPUT (policy DROP)
...
LOG all -- anywhere anywhere LOG level warning
This is passed to dmesg and syslogd, /var/log/iptables.log
Otherwise netstat -c could tell you what ports remain open, something like:
# column 4 is the local address; the last ':'-separated field is the port (also works for IPv6 addresses)
netstat -tunc | awk '/^(tcp|udp)/{print $4}' | awk -F: '{print $NF}' | sort -u >> /tmp/ports
sort -u /tmp/ports > /tmp/ports.$$ && mv /tmp/ports.$$ /tmp/ports
You can use drop on the INPUT chain without any problems, you just need to have the following setup:
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -i lo -m comment --comment "Loopback" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
...
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- anywhere anywhere /* Loopback */
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
...
Alternatively you can specify source ports instead.
The OUTPUT chain is a different story.
Last edited by fumbles (2010-01-30 12:03:35)
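As an added example (not code from this thread), a small Python script that reads syslog lines written by the LOG rule above and tallies new inbound TCP/UDP connections per interface, protocol and destination port, which is the list you need before switching INPUT to a DROP policy. The log lines are constructed samples; the field names are the ones the kernel's LOG target emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format produced by "-j LOG"
# (documentation addresses, fake MAC; field names are the real kernel ones).
SAMPLE_LOG = """\
Jan 30 11:58:01 router kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 30 11:58:02 router kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 30 11:58:05 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=51000 DPT=53 LEN=53
Jan 30 11:58:09 router kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=33000 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 30 11:58:10 router kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4 DF PROTO=TCP SPT=33001 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 30 11:58:11 router kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=203.0.113.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE pairs (OUT= may be empty)
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF", "CE"}  # bare words

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus the bare flag words, or None."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = {w for w in body.split() if w in FLAG_WORDS}
    return fields

def inbound_services(log_text):
    """Count new inbound connection attempts per (interface, proto, dport).

    Only packets terminating on the router (OUT empty) are counted. For TCP only
    SYN-without-ACK (a connection opening) counts; for UDP every datagram counts.
    Replies on random high ports and ICMP are skipped: RELATED,ESTABLISHED covers them.
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f.get("OUT") or f.get("PROTO") not in ("TCP", "UDP"):
            continue
        if f["PROTO"] == "TCP" and ("SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]):
            continue
        counts[(f["IN"], f["PROTO"], int(f["DPT"]))] += 1
    return counts

if __name__ == "__main__":
    for (iface, proto, dport), n in sorted(inbound_services(SAMPLE_LOG).items()):
        print(f"{iface} {proto} dport {dport}: {n} new connection(s)")
```

Feed it the real file (e.g. /var/log/iptables.log) instead of SAMPLE_LOG after a day of logging; every key in the result is a candidate for an explicit ACCEPT rule before the INPUT policy becomes DROP.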
Thanks, I was digging through tcpdump stuff, didn't know about the logging in iptables.
I'll put the iptables config up when ready.