[Dshield] 'iptables' config for WRT54G running Sveasoft Alchemy-pre5.4a
Johannes B. Ullrich
jullrich at euclidian.com
Fri May 6 13:21:51 GMT 2005
> What I don't see are the 'iptables' commands for configuring
> connection and probe logging in the kernel. Seems like a rather
> major omission.
It's by design ;-). Firewall rules have to be adjusted to your
environment. I can't tell you what to accept/block or log.
For iptables, there is a special 'target' to log packets
(assuming that you add this to your 'INPUT' chain):
iptables -A INPUT -j LOG --log-level warning --log-prefix 'FIREWALL'
There are a few more options that allow you to log additional details:
Now if your default policy is to DROP/REJECT, and you want to log all
blocked packets, just add a logging rule to the end of your chains.
But remember that the 'LOG' target will not reject packets. It just
passes the packets to the next rule after it logs the data. So you could
log packets that are later blocked.
I typically set up a 'LOGDROP' chain, which logs and drops. Then, I
replace all my '-j DROP' rules with '-j LOGDROP'.
My LOGDROP chain:
IPTABLES=/usr/sbin/iptables   # path assumed here; not given in the original post
$IPTABLES -N LOGDROP          # the user-defined chain has to exist before rules are appended to it
LOG='-j LOG --log-level warning --log-prefix'
$IPTABLES -A LOGDROP $LOG "filter: LOGDROP "
$IPTABLES -A LOGDROP -j DROP
You can make the chain a bit more sophisticated by automatically adding
all the source IPs to a blacklist using the optional 'recent' module.
OUTSIDE=vlan1                 # WAN interface name assumed here; not given in the original post
$IPTABLES -A LOGDROP -m recent --update --seconds 3600 $LOG "filter:
$IPTABLES -A LOGDROP -m recent --rcheck --seconds 3600 -j DROP
$IPTABLES -A LOGDROP -i $OUTSIDE -m recent --set -j DROP
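The LOG target only writes lines to the kernel log; something still has to read them. As an added example (not from the original post, not Sveasoft or DShield code), here is a Python script that parses constructed sample syslog lines in the format the netfilter LOG target produces with the post's "filter: LOGDROP " prefix, counts blocked packets per source and per service, and replays the 'recent' module's 3600-second window over the log to show which hits the '--update --seconds 3600' rule would have matched. The hostname, interface, addresses, times and the year used for the timestamps are all assumptions made for the sample.

```python
"""Parse netfilter LOG output and replay the 'recent' module's time window.

Added example, not part of the original DShield post.  The syslog lines in
SAMPLE_LOG are constructed (hostname, interface, addresses and times are made
up); they follow the format the iptables LOG target writes to the kernel log,
using the post's "filter: LOGDROP " prefix.
"""
import calendar
import re
import time

ASSUMED_YEAR = 2005  # syslog lines carry no year; assumed from the post's date

# Constructed sample, not a real capture.  The last line is an unrelated
# kernel message to show that non-LOG lines are skipped.
SAMPLE_LOG = """\
May  6 13:20:01 wrt54g kernel: filter: LOGDROP IN=vlan1 OUT= MAC=00:0f:66:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1234 DF PROTO=TCP SPT=3344 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
May  6 13:20:05 wrt54g kernel: filter: LOGDROP IN=vlan1 OUT= MAC=00:0f:66:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1235 DF PROTO=TCP SPT=3345 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
May  6 13:21:30 wrt54g kernel: filter: LOGDROP IN=vlan1 OUT= MAC=00:0f:66:11:22:33:00:01:02:03:04:05:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1026 DPT=1026 LEN=8
May  6 13:22:10 wrt54g kernel: filter: LOGDROP IN=vlan1 OUT= MAC=00:0f:66:11:22:33:00:01:02:03:04:05:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
May  6 14:25:00 wrt54g kernel: filter: LOGDROP IN=vlan1 OUT= MAC=00:0f:66:11:22:33:00:01:02:03:04:05:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9001 DF PROTO=TCP SPT=4000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May  6 13:20:03 wrt54g kernel: eth0: link up
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s*(?P<msg>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return {'ts', 'prefix', 'fields', 'flags'} for a netfilter LOG line, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    first = KV_RE.search(msg)
    if not first or "IN=" not in msg:
        return None  # some other kernel message, not a netfilter LOG entry
    prefix = msg[: first.start()].strip()  # the --log-prefix text
    fields = dict(KV_RE.findall(msg))       # KEY=value pairs (a repeated key keeps the last value)
    # bare tokens such as DF, SYN, ACK carry no '='; keep them as flags
    flags = {tok for tok in msg[first.start():].split() if "=" not in tok}
    stamp = f"{ASSUMED_YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}"
    ts = calendar.timegm(time.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return {"ts": ts, "prefix": prefix, "fields": fields, "flags": flags}


def parse_log(text):
    """Parse every line, drop non-LOG lines, and sort by time."""
    recs = [r for r in (parse_log_line(l) for l in text.splitlines()) if r]
    recs.sort(key=lambda r: r["ts"])
    return recs


def summarize(recs):
    """Blocked packets per source and per (protocol, dest port or ICMP type)."""
    by_src, by_service = {}, {}
    for r in recs:
        f = r["fields"]
        by_src[f["SRC"]] = by_src.get(f["SRC"], 0) + 1
        svc = (f.get("PROTO"), f.get("DPT", f.get("TYPE")))
        by_service[svc] = by_service.get(svc, 0) + 1
    return by_src, by_service


def recent_matches(recs, seconds=3600):
    """Replay the post's recent-module rules over the parsed log.

    '-m recent --update --seconds N' matches a source seen within the last N
    seconds and refreshes its timestamp; '--set' adds a source that was not
    matched.  Returns (src, ts) for every packet the --update rule would have
    matched, i.e. repeat hits from the same source inside the window.
    """
    last_seen = {}
    matched = []
    for r in recs:
        src, t = r["fields"]["SRC"], r["ts"]
        if src in last_seen and t - last_seen[src] <= seconds:
            matched.append((src, t))
        last_seen[src] = t  # --update refreshes the entry, --set inserts it
    return matched


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    per_src, per_service = summarize(records)
    print("blocked per source:", per_src)
    print("blocked per service:", per_service)
    for src, t in recent_matches(records):
        print("repeat hit within 3600s:", src, time.strftime("%H:%M:%S", time.gmtime(t)))
```

Note the last sample hit from 203.0.113.10 arrives 3895 seconds after its previous one, so with the post's 3600-second window it is not a 'recent' match and would reach the --set rule as a fresh entry; widening the window to 7200 seconds makes it a match. That is the trade-off the --seconds value encodes: a longer window catches slow scanners but keeps transient sources blacklisted longer.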