
#1 2013-11-22 01:27:27

gsingh93
Member
Registered: 2013-07-19
Posts: 96

Basic iptables firewall with logging

This is my first time working with iptables and I'm trying to set up a firewall using this guide and I'm trying to get logging working with this guide.

Here's how my iptables.rules ended up looking:

# Generated by iptables-save v1.4.20 on Thu Nov 21 19:37:56 2013
*raw
:PREROUTING ACCEPT [199914:201667745]
:OUTPUT ACCEPT [118067:8949049]
COMMIT
# Completed on Thu Nov 21 19:37:56 2013
# Generated by iptables-save v1.4.20 on Thu Nov 21 19:37:56 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:208]
:TCP - [0:0]
:UDP - [0:0]
:logdrop - [0:0]
-A logdrop -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "IPTables dropped: "
-A logdrop -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j logdrop
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Nov 21 19:37:56 2013

Does this look right? It looks like it's blocking all incoming traffic correctly, but I'm not sure if it's logging properly. I started up apache and tried to connect from a different computer. The connection didn't work as expected, but I didn't see anything in journalctl.


#2 2013-11-22 02:11:17

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,231

Re: Basic iptables firewall with logging

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

You need to call the logdrop chain instead of REJECT. Replace the above rules with this:

-A INPUT -j logdrop

If you want it to log and reject instead of drop, you could do this:

# Generated by iptables-save v1.4.20 on Thu Nov 21 19:37:56 2013
*raw
:PREROUTING ACCEPT [199914:201667745]
:OUTPUT ACCEPT [118067:8949049]
COMMIT
# Completed on Thu Nov 21 19:37:56 2013
# Generated by iptables-save v1.4.20 on Thu Nov 21 19:37:56 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:208]
:TCP - [0:0]
:UDP - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
-A logdrop -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "IPTables dropped: "
-A logdrop -j DROP
-A logreject -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "IPTables rejected: "
-A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
-A logreject -p tcp -j REJECT --reject-with tcp-reset
-A logreject -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j logdrop
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j logreject
COMMIT

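Once the INPUT chain ends in logdrop or logreject as in the reply above, the kernel writes one line per matching packet with the "IPTables dropped: " or "IPTables rejected: " prefix, and `journalctl -k` shows them. The following shell script is an added example, not code from the thread or from either poster: it summarises such lines by verdict, protocol, source address and destination port so that a connection attempt like the Apache test in the question shows up as a single counted row. The log lines in SAMPLE_LOG are constructed for the example (field order and names follow what the LOG target emits; the host name, addresses and MAC are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output from the logdrop/logreject chains.
# The sample lines below are constructed; on a real host feed `journalctl -k` instead.

SAMPLE_LOG='Nov 21 19:40:01 arch kernel: IPTables rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 19:40:02 arch kernel: IPTables rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 19:40:05 arch kernel: IPTables rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4244 DF PROTO=UDP SPT=40001 DPT=53 LEN=58
Nov 21 19:40:09 arch kernel: IPTables dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=6000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Nov 21 19:40:10 arch kernel: some unrelated kernel message that must be ignored'

# summarize_log: read journalctl-style kernel log lines on stdin and print
# "<count> <verdict> <proto> <src> <dpt>" per distinct combination, highest count first.
# Lines without the IPTables prefix (other kernel messages) are ignored.
summarize_log() {
    awk '
        / kernel: IPTables (dropped|rejected): / {
            verdict = ($0 ~ /IPTables dropped:/) ? "dropped" : "rejected"
            src = "-"; proto = "-"; dpt = "-"
            # The LOG target writes KEY=VALUE fields separated by spaces.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[verdict " " proto " " src " " dpt]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' | sort -rn
}

# top_hit: the single most frequent (verdict, proto, src, dpt) row, as one line.
top_hit() {
    summarize_log | head -n 1
}

# Stand-alone usage: run the summary over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

On a live system, `journalctl -k | summarize_log` gives the same table for real traffic. Keep in mind that both chains rate-limit their LOG rule to 5 entries per minute with a burst of 10, so the counts are a lower bound on the packets actually dropped or rejected; the DROP/REJECT rules themselves are not limited, only the logging is.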
