[Dshield] IPTables filter chains help - Just noticed that perhaps I'm not logging port 135

Brenden Walker BKWalker at DRBSystems.com
Thu Aug 14 19:25:14 GMT 2003


A follow-up to this: I've got PortSentry set up as well.  I figured out how
to get it set up to dump everything that wasn't 'approved' (ie: traffic I
want) to the log.. But that seems to have bogged me down extremely bad.. Web
page generations taking upwards of 1 minute, as opposed to 2 seconds or
less.

Now, if I dump essentially everything I don't want... I'm guessing that
portsentry becomes useless as it will not even see the traffic.  But, if I
let portsentry decide what to 'dump' based on IP addresses that are
scanning, then I think I do not have the chance to log a bunch of possibly
useful things (like 135).

I thought I was set up to log everything, but I guess not.

Am I missing a better way to do this?  I'm starting to think I should build
a 'proper' firewall/router box and keep it separate from my web server.....

Thoughts?

> -----Original Message-----
> From: Brenden Walker 
> Sent: Thursday, August 14, 2003 2:49 PM
> To: 'General DShield Discussion List'
> Subject: [Dshield] IPTables filter chains help - Just noticed 
> that perhaps I'm not logging port 135
> 
> 
> Whoops.. Time to re-evaluate my IPTables filtering/NAT'ing..  
> Any help would be greatly appreciated.
> 
> After making sure modules are loaded, and setting flags in 
> proc/sys/net, I do the following:
> 
> 
> echo "   clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> 
> $IPTABLES -N DUMP
> $IPTABLES -F DUMP
> $IPTABLES -A DUMP -p tcp -j LOG
> $IPTABLES -A DUMP -p udp -j LOG
> $IPTABLES -A DUMP -j DROP
>  
> <selected opened ports, http, ssh, citrix (to specific servers) etc.>
> 
> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> 
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> -- Now after looking that over, what I think I need to do is 
> change the policy on INPUT to DUMP but I'm not 100% sure how 
> that'll affect the clients behind me.. I suppose I could try, 
> but I thought I'd ask folks here.
> 
> As I wasn't specifically DUMP'ing 135, that would explain why 
> I saw no hits on it.. I would prefer to dump everything (ie: 
> log to kernel log to Dshield gets the information) rather 
> than just the things I've specifically dumped.
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 

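Added example (not the poster's script or the list's reply): an INPUT chain that accepts the wanted traffic explicitly and hands everything else, port 135 probes included, to a DUMP chain that logs at a rate limit and then drops. Two caveats it encodes: a chain policy can only be a built-in target (ACCEPT/DROP), so "policy INPUT DUMP" becomes a final `-j DUMP` rule with a DROP policy as the safety net; and `-m limit` on the LOG rule keeps a scan or flood from stalling the box the way unlimited logging did. Interface names, the open-port list and the `run_rule`/`count_rules_to` helpers are assumptions made here; `DRY_RUN=1` prints the rules instead of applying them.

```shell
#!/bin/sh
# Assumed placeholders: interface names and the ports to open (constructed values).
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
OPEN_TCP="${OPEN_TCP:-22 80 443}"   # constructed list: ssh, http, https

# run_rule: apply the rule, or only print it when DRY_RUN=1 so the
# rule set can be reviewed before it touches a live firewall.
run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_rules() {
    # A policy must be a built-in target; DROP is the safety net if no rule matches.
    run_rule -P INPUT DROP
    run_rule -F INPUT

    # DUMP chain: rate-limited LOG (a burst of 10, then 5 lines/minute), then DROP.
    run_rule -N DUMP
    run_rule -F DUMP
    run_rule -A DUMP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "DUMP: "
    run_rule -A DUMP -j DROP

    # Wanted traffic first: loopback, replies to our own connections, the open ports,
    # and the LAN side of the router.
    run_rule -A INPUT -i lo -j ACCEPT
    run_rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $OPEN_TCP; do
        run_rule -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run_rule -A INPUT -i "$INTIF" -j ACCEPT

    # Everything else (e.g. unsolicited 135/tcp) reaches DUMP and is logged before being dropped.
    run_rule -A INPUT -j DUMP
}

# count_rules_to: number of generated rules that jump to the given target (dry run only).
count_rules_to() {
    ( DRY_RUN=1; build_rules ) | grep -c -- "-j $1"
}
```

Run `DRY_RUN=1 sh script.sh` (after adding a `build_rules` call) to review the generated rules; the kernel log lines prefixed `DUMP:` are what a DShield client then picks up.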