[Dshield] Enabling iptables logs

Johannes B. Ullrich jullrich at sans.org
Sun Dec 7 17:00:30 GMT 2003


Oops, that was my mistake. The order is wrong. Try the '-j LOG' ahead of
'--log-ip-options'.

BTW: There is one more option: --log-tcp-sequence. This will log the
tcp-sequence numbers. As the man page states, there is a security issue
with logging tcp-sequence numbers. Whoever has access to the log could
use it to aid in tcp connection hijacking. But I think that issue is
rather remote (in particular if you only log dropped/rejected packets).
Depends on how good your sequence numbers are to begin with.



On Sun, 2003-12-07 at 01:44, Stephen Boulet wrote:
> iptables -A INPUT --log-tcp-options --log-ip-options --log-level warning 
> --log-prefix " INPUT_CHAIN_DEFAULT " -j LOG
> 
> Stephen 
> 
> On Saturday 06 December 2003 01:28 pm, Johannes B. Ullrich wrote:
> > whats the complete iptables command line?
> >
> > On Sat, 2003-12-06 at 13:24, Stephen Boulet wrote:
> > > Thanks for the detailed response. I get this message when trying to start
> > > logging as you suggest:
> > >
> > > iptables v1.2.9: Unknown arg `--log-tcp-options'
> > > Try `iptables -h' or 'iptables --help' for more information.
> 
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
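As an added example (not code from the thread or from DShield), here is a small Python parser for the kernel log lines a LOG rule produces once the target options are in the right order. The sample lines are constructed: both carry the " INPUT_CHAIN_DEFAULT " prefix from Stephen's rule, the first was written with --log-tcp-options (the trailing OPT field), and the second with --log-tcp-sequence, so the SEQ=/ACK= check shows whether sequence numbers are ending up in a log before it is shared.

```python
import re

# Constructed sample lines in the kernel's LOG-target format (not from the thread).
SAMPLE_LINES = [
    "Dec  7 17:00:30 gw kernel:  INPUT_CHAIN_DEFAULT IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=31337 DF PROTO=TCP SPT=43215 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)",
    "Dec  7 17:00:31 gw kernel:  INPUT_CHAIN_DEFAULT IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=31338 DF "
    "PROTO=TCP SPT=43216 DPT=22 SEQ=2963485201 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0",
]

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare words the LOG target emits without a value (IP and TCP flags).
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return {'prefix', 'fields', 'flags'} for one LOG line, or None if not one."""
    _, _, payload = line.partition("kernel:")
    # Everything before the first "IN=" is the --log-prefix text.
    head, sep, rest = payload.strip().partition("IN=")
    if not sep:
        return None
    fields = dict(KV_RE.findall("IN=" + rest))
    # "ACK=0" is a field; a bare "ACK" is the TCP flag, so test for "=" first.
    flags = {w for w in rest.split() if "=" not in w and w in FLAG_WORDS}
    return {"prefix": head.strip(), "fields": fields, "flags": flags}


def logs_tcp_sequence(parsed):
    """True if the rule was loaded with --log-tcp-sequence (SEQ= and ACK= present)."""
    return "SEQ" in parsed["fields"] and "ACK" in parsed["fields"]


def summarize(lines):
    """One (prefix, src, dst, proto, dpt, has_seq) tuple per parsable line."""
    rows = []
    for line in lines:
        p = parse_log_line(line)
        if p is None:
            continue
        f = p["fields"]
        rows.append((p["prefix"], f.get("SRC"), f.get("DST"), f.get("PROTO"),
                     f.get("DPT"), logs_tcp_sequence(p)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```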
