[Sderby] IP tables
Harry Sheppard
harry at disgruntledgoat.com
Sun Mar 21 23:58:55 GMT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Mike,
> Does anyone know how to log and report with IP tables. I'd like to know
> what's hitting my firewall and preferably have nice web reports or
> something.
Umm - well, I can help with the logging, but not the reporting...
On my firewall, I tend to be rather paranoid and so I drop all ICMP traffic
with the exception of inbound echo-replies, time-exceeded and
destination-unreachable messages. To make things a bit easier to read, my
firewall script creates a new chain (in this example "icmp_allowed"), flushes
it and then applies the rules. This chain is then appended to the main
INPUT, OUTPUT or FORWARD chains as appropriate. Here's my "icmp_allowed"
chain:
# Gentoo's einfo command - displays what the script is up to
einfo "Creating icmp chain (drop all but timeout/unreachable/echo-reply)"

# Create a new chain called "icmp_allowed", then flush it :-)
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed

# Allow time-exceeded, destination-unreachable and echo-reply ICMP.
# "--state NEW" matches only packets conntrack has not tied to an existing
# flow; replies to this host's own pings, and ICMP errors about its live
# connections, are ESTABLISHED/RELATED and need accepting before the jump
# into this chain.
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
    time-exceeded -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
    destination-unreachable -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
    echo-reply -j ACCEPT

# If none of the above have matched, log the packet (the prefix shows up in
# the kernel log, e.g. dmesg or /var/log/messages; the trailing space keeps
# it apart from the IN= field that follows), then actually drop it.
$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "DROP: Bad ICMP traffic: "
$IPTABLES -A icmp_allowed -p icmp -j DROP
Hope that helps,
- --Harry Sheppard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAXiu6VvBm1LTF0fcRAhuYAJ9faeloRDJrvQn8ybaLfNf6yCpYAwCfefC5
oJSBi8UAZrBq7Yc/G5F+UIk=
=CoE/
-----END PGP SIGNATURE-----
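The chain described above, carried through to a complete script that also covers the reporting half of Mike's question. This is an added example, not Harry's script: it keeps the chain name and log prefix from the post, accepts conntrack ESTABLISHED/RELATED traffic in INPUT before jumping to the chain (so the per-rule "--state NEW" match is no longer needed), rate-limits the LOG rule, and summarises the resulting kernel log lines per source address and ICMP type. The report format, the script name and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script). Builds an icmp_allowed
# chain in the spirit of the post, hooks it into INPUT behind a conntrack
# accept, and summarises the resulting kernel LOG lines. Chain name and log
# prefix follow the post; the report format and sample log are assumptions.
# Run as root:  ./icmp-fw.sh apply
# Dry run:      IPTABLES="echo iptables" ./icmp-fw.sh apply
# Report:       ./icmp-fw.sh report < /var/log/messages
set -eu

IPTABLES="${IPTABLES:-iptables}"
# The kernel truncates log prefixes at 29 characters; the trailing space keeps
# the prefix separate from the IN= field that follows it in the log line.
PREFIX="DROP: Bad ICMP traffic: "

icmp_chain() {
    # Create the chain if it does not exist yet, then flush it so re-running
    # the script does not stack duplicate rules.
    $IPTABLES -N icmp_allowed 2>/dev/null || true
    $IPTABLES -F icmp_allowed
    # The only ICMP types allowed in unsolicited (conntrack state NEW).
    for t in time-exceeded destination-unreachable echo-reply; do
        $IPTABLES -A icmp_allowed -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Log everything else, rate-limited so a flood cannot fill the disk,
    # then drop it. The prefix is what the report below keys on.
    $IPTABLES -A icmp_allowed -p icmp -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level info --log-prefix "$PREFIX"
    $IPTABLES -A icmp_allowed -p icmp -j DROP
}

hook_input() {
    # Replies to this host's own pings and ICMP errors about its live
    # connections are ESTABLISHED/RELATED; accept those first so the chain
    # only ever sees unsolicited ICMP.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j icmp_allowed
}

# Read syslog text on stdin, keep lines carrying our prefix and count them
# per source address and ICMP type, busiest source first.
report_icmp_drops() {
    grep -F "$PREFIX" | awk '
        {
            src = ""; type = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)  src  = substr($i, 5)
                if ($i ~ /^TYPE=/) type = substr($i, 6)
            }
            if (src != "") count[src " type=" type]++
        }
        END { for (k in count) printf "%6d  %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample of what the LOG target writes via syslog (not real
# traffic); the last line carries no prefix and must be ignored.
sample_log() {
    cat <<'EOF'
Mar 21 23:58:55 fw kernel: DROP: Bad ICMP traffic: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Mar 21 23:58:56 fw kernel: DROP: Bad ICMP traffic: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Mar 21 23:59:02 fw kernel: DROP: Bad ICMP traffic: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=ICMP TYPE=13 CODE=0
Mar 21 23:59:10 fw kernel: eth0: link is up
EOF
}

case "${1:-}" in
    apply)  icmp_chain; hook_input ;;
    report) report_icmp_drops ;;
    demo)   sample_log | report_icmp_drops ;;
    *)      : ;;   # no argument: only define the functions (for sourcing/tests)
esac
```

`./icmp-fw.sh demo` prints two lines, "2  203.0.113.9 type=8" and "1  192.0.2.77 type=13", and ignores the unrelated kernel line; feeding a real syslog to `report` gives the same shape of summary. Running `apply` with `IPTABLES="echo iptables"` prints the rules it would install, which is a cheap way to eyeball the rule set before touching a remote box's firewall.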