[Dshield] 'iptables' config for WRT54G running Sveasoft Alchemy-pre5.4a

Johannes B. Ullrich jullrich at euclidian.com
Fri May 6 13:21:51 GMT 2005

> What I don't see are the 'iptables' commands for configuring 
> connection and probe logging in the kernel.  Seems like a rather 
> major omission.  

Its by design ;-). Firewall rules have to be adjusted to your 
environment. I can't tell you what to accept/block or log.

for iptables, there is a special 'target' to log packets:

(assuming that you add this to your 'INPUT' chain):

iptables -A INPUT -j LOG --log-level warning --log-prefix 'FIREWALL'

There are a few more options that allow you to log additional details:

--log-tcp-options --log-ip-options

Now if your default policy is to DROP/REJECT, and you want to log all 
blocked packets, just add a logging rule to the end of your chains.

But remember that the 'LOG' target will not reject packets. It just 
passes the packets to the next rule after it logs the data. So you could 
log packets that are later blocked.

I typically setup a 'LOGDROP' chain, which logs and drops. Then, I 
replace all my '-j DROP' rules with '-j LOGDROP'.

My LOGDROP chain:

LOGOPT="--log-tcp-options --log-ip-options"
LOG='-j LOG --log-level warning --log-prefix'


You can make the chain a bit more sophisticated, by automatically adding 
all the source IPs to a blacklist using the optional 'recent' module.

$IPTABLES -A LOGDROP -m recent --update --seconds 3600 $LOG "filter: 
$IPTABLES -A LOGDROP -m recent --rcheck --second 3600 -j DROP
$IPTABLES -A LOGDROP -i $OUTSIDE -m recent --set -j DROP
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20050506/a648231a/signature.bin

More information about the list mailing list