[Dshield] IPTables filter chains help - Just noticed that perhaps I'm not logging port 135
BKWalker at DRBSystems.com
Thu Aug 14 19:25:14 GMT 2003
A follow-up to this: I've got PortSentry set up as well. I figured out how
to get it set up to dump everything that wasn't 'approved' (ie: traffic I
want) to the log.. But that seems to have bogged me down extremely badly.. Web
page generations taking upwards of 1 minute, as opposed to 2 seconds or
Now, if I dump essentially everything I don't want... I'm guessing that
portsentry becomes useless as it will not even see the traffic. But, if I
let portsentry decide what to 'dump' based on IP addresses that are
scanning, then I think I do not have the chance to log a bunch of possibly
useful things (like 135).
I thought I was setup to log everything, but I guess not.
Am I missing a better way to do this? I'm starting to think I should build
a 'proper' firewall/router box and keep it separate from my web server.....
> -----Original Message-----
> From: Brenden Walker
> Sent: Thursday, August 14, 2003 2:49 PM
> To: 'General DShield Discussion List'
> Subject: [Dshield] IPTables filter chains help - Just noticed
> that perhaps I'm not logging port 135
> Whoops.. Time to re-evaluate my IPTables filtering/NAT'ing..
> Any help would be greatly appreciated.
> After making sure modules are loaded, and setting flags in
> proc/sys/net, I do the following:
> echo " clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> $IPTABLES -N DUMP
> $IPTABLES -F DUMP
> $IPTABLES -A DUMP -p tcp -j LOG
> $IPTABLES -A DUMP -p udp -j LOG
> $IPTABLES -A DUMP -j DROP
> <selected opened ports, http, ssh, citrix (to specific servers) etc.>
> echo " FWD: Allow all connections OUT and only existing and related ones"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> -- Now after looking that over, what I think I need to do is
> change the policy on INPUT to DUMP but I'm not 100% sure how
> that'll affect the clients behind me.. I suppose I could try,
> but I thought I'd ask folks here.
> As I wasn't specifically DUMP'ing 135, that would explain why
> I saw no hits on it.. I would prefer to dump everything (ie:
> log to the kernel log so DShield gets the information) rather
> than just the things I've specifically dumped.
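As an added example (not the poster's script or anything from DShield), here is one way to lay out the ruleset so that everything not explicitly allowed on INPUT and FORWARD, TCP 135 included, is logged to the kernel log and then dropped. Two details differ from the quoted script: `-P` only takes built-in targets (ACCEPT/DROP), so a user-defined chain like DUMP cannot be the policy and is instead appended as the last rule of INPUT and FORWARD; and the LOG rule carries a `-m limit` match so that logging "everything" cannot flood syslog. The interface names, the open-port list and the `DUMP:` log prefix are assumptions, not values from the thread. Setting `IPTABLES="echo iptables"` prints the rules instead of applying them, which is how the script can be previewed without root.

```shell
#!/bin/sh
# Added example, not the original poster's firewall script.
# Assumed values (override via the environment):
IPTABLES="${IPTABLES:-iptables}"       # set to "echo iptables" to preview
EXTIF="${EXTIF:-eth0}"                 # assumed Internet-facing interface
INTIF="${INTIF:-eth1}"                 # assumed LAN interface
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"  # assumed ports open to the world

# DUMP: log (rate-limited) and then drop. The DROP is unconditional, so a
# packet that exceeds the log limit is still dropped, it just is not logged.
log_chain() {
    $IPTABLES -N DUMP
    $IPTABLES -F DUMP
    $IPTABLES -A DUMP -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-prefix "DUMP: "
    $IPTABLES -A DUMP -j DROP
}

# INPUT: policy DROP is only a safety net; the last rule sends everything
# not matched above it (TCP 135, UDP 137, anything) through DUMP.
input_chain() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$INTIF" -j ACCEPT          # trust the LAN side
    for p in $ALLOWED_TCP; do
        $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -j DUMP
}

# FORWARD: LAN may go out; only replies come back in; the rest is logged+dropped.
forward_chain() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -j DUMP
}

# NAT: masquerade the LAN behind the external interface.
nat_rules() {
    $IPTABLES -t nat -F
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Order matters: DUMP must exist before INPUT/FORWARD reference it.
apply_all() {
    log_chain
    input_chain
    forward_chain
    nat_rules
}

# Run as: sudo ./fw.sh apply      (or IPTABLES="echo iptables" ./fw.sh apply)
case "${1:-}" in
    apply) apply_all ;;
esac
```

The DUMP log lines land in the kernel log with the `DUMP:` prefix, which is what a DShield submission script reads; the `--limit` values are a starting point and should be tuned to the host's traffic, since anything above the limit is dropped silently.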