You are not logged in.

Pages: 1

#1 2008-07-17 01:33:46

edmcyco
Member
Registered: 2008-07-17
Posts: 3

newbie needs some help

Hello everyone

I just installed archlinux, and am loving it. but i need some help sad

I followed the guide in the wiki on how to create a NAT with iptables and everything is working awsome. My question is, how would i enable logging for iptables so i can view any attempts/threats?
At the moment, iptables is not logging anything (as far as i know) and im stumped on how to enable logging for it, can someone please help me in enabling logging?
Also, should i enable any other kind of logging, and what would be the best/simplest way to view the logs (vi <logname>.log?) or is there a program that gathers all the logs and displays it in a neat package?


Thanks a lot for the help.

Offline

#2 2008-07-17 01:38:46

Sp4rkR4t
Member
From: Southampton
Registered: 2008-05-06
Posts: 110

Re: newbie needs some help

The third post in this thread enables logging through syslog-ng;

http://bbs.archlinux.org/viewtopic.php?id=28900

Offline

#3 2008-07-17 04:15:28

edmcyco
Member
Registered: 2008-07-17
Posts: 3

Re: newbie needs some help

I have done what that post said, but still i don't see a log file for the firewall in /var/log/

Here is part of my syslog-ng.conf file

destination iptables { file("/var/log/iptables.log"); };
filter f_kernel { facility(kern) and not match("IPT"); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not match("IPT"); };
filter f_err { level(err) and not match("IPT"); };
filter f_iptables { match("IPT"); };
log { source(src); filter(f_iptables); destination(iptables); };

Am i doing something wrong, am i missing something?

Thanks a lot for the help.

**EDIT**

I thought it might be usefull to also post the complete syslog-ng.conf and my iptables.rules file.

syslog-ng.conf complete file

#
# /etc/syslog-ng.conf
#

options {
  sync (0);
  time_reopen (10);
  log_fifo_size (1000);
  long_hostnames(off); 
  use_dns (no);
  use_fqdn (no);
  create_dirs (no);
  keep_hostname (yes);
  perm(0640);
  group("log");
};

source src {
  unix-stream("/dev/log");
  internal();
  file("/proc/kmsg");
};

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog.log"); };
destination cron { file("/var/log/crond.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kernel { file("/var/log/kernel.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
destination mail { file("/var/log/mail.log"); };
destination news { file("/var/log/news.log"); };
destination ppp { file("/var/log/ppp.log"); };
destination debug { file("/var/log/debug.log"); };
destination messages { file("/var/log/messages.log"); };
destination errors { file("/var/log/errors.log"); };
destination everything { file("/var/log/everything.log"); };
destination iptables { file("/var/log/iptables.log"); };
destination acpid { file("/var/log/acpid.log"); };
destination console { usertty("root"); };

# Log everything to vc12
destination console_all { file("/dev/vc/12"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { program(syslog-ng); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kernel { facility(kern) and not match("IPT"); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
filter f_news { facility(news); };
filter f_ppp { facility(local2); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not match("IPT"); };
filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err) and not match("IPT"); };
filter f_iptables { match("IPT"); };
filter f_acpid { match("acpid"); };

log { source(src); filter(f_acpid); destination(acpid); flags(final); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kernel); destination(kernel); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_news); destination(news); };
log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
#log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_err); destination(errors); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_everything); destination(everything); };
log { source(src); filter(f_iptables); destination(iptables); };

# Log everything to vc12
#log { source(src); destination(console_all); };

iptables.rules file

# Generated by iptables-save v1.4.0 on Wed Jul 16 15:56:18 2008
*nat
:PREROUTING ACCEPT [31:9825]
:POSTROUTING ACCEPT [6:300]
:OUTPUT ACCEPT [3:180]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE 
COMMIT
# Completed on Wed Jul 16 15:56:18 2008
# Generated by iptables-save v1.4.0 on Wed Jul 16 15:56:18 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [266:21959]
:fw-interfaces - [0:0]
:fw-open - [0:0]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j interfaces 
-A INPUT -j open 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j fw-interfaces 
-A FORWARD -j fw-open 
-A FORWARD -j REJECT --reject-with icmp-host-unreachable 
-A fw-interfaces -i eth1 -j ACCEPT 
COMMIT
# Completed on Wed Jul 16 15:56:18 2008

Last edited by edmcyco (2008-07-17 04:19:49)

Offline

#4 2008-07-17 17:16:43

edmcyco
Member
Registered: 2008-07-17
Posts: 3

Re: newbie needs some help

bump

Offline

Pages: 1

Board footer

Powered by FluxBB