[Dshield] IPTables filter chains help - Just noticed that perhaps I'm not logging port 135

Jeff Godin jeff at tcnet.org
Thu Aug 14 19:24:21 GMT 2003


On Thu, 14 Aug 2003, Brenden Walker wrote:

> Whoops.. Time to re-evaluate my IPTables filtering/NAT'ing..  Any help would
> be greatly appreciated.
[snip]
>
> -- Now after looking that over, what I think I need to do is change the
> policy on INPUT to DUMP but I'm not 100% sure how that'll affect the clients
> behind me.. I suppose I could try, but I thought I'd ask folks here.

You can't set a policy to anything other than ACCEPT or DROP.

A workaround would be to do:

#append catch-all rule with target of custom chain 'DUMP'
iptables -A INPUT -j DUMP
#set INPUT policy to DROP (should never hit, above rule should match all)
iptables -P INPUT DROP

>
> As I wasn't specifically DUMP'ing 135, that would explain why I saw no hits
> on it.. I would prefer to dump everything (i.e. log to kernel log so Dshield
> gets the information) rather than just the things I've specifically dumped.

One logic is to set ACCEPT rules for that which you want to accept, REJECT
(with proper ICMP error or RST) that which you don't want to accept, and

1. ACCEPT that which you wish to accept
2. DROP broadcast/multicast traffic you wish not to accept and not log
3. DROP/REJECT(with proper ICMP error or RST) unicast traffic you wish not
to accept and not log
4. LOG and DROP ALL other broadcast/multicast traffic
5. LOG and DROP/REJECT(with proper ICMP error or RST) ALL other unicast
traffic

Policy for the above would be DENY, and should never hit due to rules in
categories 4 and 5.

-jeff

-- 
Jeff Godin
Network Specialist
Traverse Area District Library / Traverse Community Network
jeff at tcnet.org
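The rule ordering Jeff lays out above (accept what you want, silently drop or reject known noise, then send everything else through a custom DUMP chain that logs before it drops/rejects, with the INPUT policy as a backstop that should never fire) as an added example that is not part of the original post. It emits an iptables-restore ruleset rather than applying it, so it can be reviewed first; the interface name, LAN subnet and accepted ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the INPUT/DUMP
# layout described on the list as an iptables-restore file.
# Constructed placeholders; override via environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ACCEPT_TCP="${ACCEPT_TCP:-22 80}"

gen_rules() {
  # Built-in INPUT policy is DROP (the backstop); DUMP is the user chain.
  # FORWARD/OUTPUT are not declared, so their policies are left untouched.
  echo "*filter"
  echo ":INPUT DROP [0:0]"
  echo ":DUMP - [0:0]"
  # 1. ACCEPT what we want: loopback, replies to our own flows, the LAN,
  #    and the chosen inbound TCP ports on the WAN side.
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "-A INPUT -s $LAN_NET ! -i $WAN_IF -j ACCEPT"
  for p in $ACCEPT_TCP; do
    echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # 2. Silently DROP broadcast noise we never want logged (NetBIOS name/datagram).
  echo "-A INPUT -m pkttype --pkt-type broadcast -p udp --dport 137:138 -j DROP"
  # 3. Quietly REJECT unicast we refuse but do not care to log (ident), with a RST.
  echo "-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
  # 4./5. Catch-all: everything left goes to DUMP. Must be the last INPUT rule,
  #       so the DROP policy above never actually matches anything.
  echo "-A INPUT -j DUMP"
  # DUMP: LOG first so every leftover packet reaches the kernel log, then
  # drop broadcast/multicast, RST for TCP, ICMP port-unreachable for UDP,
  # and plain DROP for anything else.
  echo "-A DUMP -j LOG --log-prefix \"DUMP: \""
  echo "-A DUMP -m pkttype ! --pkt-type unicast -j DROP"
  echo "-A DUMP -p tcp -j REJECT --reject-with tcp-reset"
  echo "-A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable"
  echo "-A DUMP -j DROP"
  echo "COMMIT"
}

# Review with: sh thisfile.sh --print
# Load (as root) with: sh thisfile.sh --print | iptables-restore
if [ "${1:-}" = "--print" ]; then
  gen_rules
fi
```

Note that the DUMP chain is reached for every packet not matched in steps 1 to 3, so a short-lived flood will produce one log line per packet; that is the intended behaviour for feeding Dshield, but check your syslog rate limits.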
