[Sderby] IP tables

Harry Sheppard harry at disgruntledgoat.com
Sun Mar 21 23:58:55 GMT 2004



Hi Mike,

> Does anyone know how to log and report with IP tables.  I'd like to know
> what's hitting my firewall and preferably have nice web reports or
> something.
Umm - well, I can help with the logging, but not the reporting...

On my firewall, I tend to be rather paranoid and so I drop all ICMP traffic 
with the exception of inbound echo-replies, time-exceeded and 
destination-unreachable messages. To make things a bit easier to read, my 
firewall script creates a new chain (in this example "icmp_allowed"), flushes 
it and then applies the rules. This chain is then appended to the main 
INPUT, OUTPUT or FORWARD chains as appropriate. Here's my "icmp_allowed" 
chain:

einfo "Creating icmp chain (drop all but timeout/unreachable/echo-reply)"
# Gentoo's info command - displays what it's up to

$IPTABLES -N icmp_allowed
# Create a new chain called "icmp_allowed"

$IPTABLES -F icmp_allowed
# Flush the chain :-)

$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
time-exceeded -j ACCEPT
# Allow time-exceeded ICMP

$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
destination-unreachable -j ACCEPT
# Allow destination-unreachable ICMP

$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
echo-reply -j ACCEPT
# Allow echo-reply ICMP

$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "DROP: Bad ICMP traffic:"
# If none of the above have matched, log the packet
# (the backslash continuations above must not be followed by a space,
# otherwise the shell treats them as escaped spaces and the command breaks)

$IPTABLES -A icmp_allowed -p icmp -j DROP
# Then actually drop the packet from the stack.


Hope that helps,
--Harry Sheppard

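Mike's other half of the question was reporting. As an added example (not part of Harry's post), here is a small Python script that summarises the lines the LOG target in the chain above writes to the kernel log, counting dropped ICMP packets per source and ICMP type. The sample log lines are constructed; the field layout (IN=, SRC=, PROTO=, TYPE=...) is what the iptables LOG target emits, and note that because the prefix "DROP: Bad ICMP traffic:" has no trailing space it is fused with the first field, which the parser allows for.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the format iptables' LOG target
# produces; the prefix matches the icmp_allowed chain's LOG rule.
SAMPLE_LOG = """\
Mar 21 23:40:01 fw kernel: DROP: Bad ICMP traffic:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Mar 21 23:40:02 fw kernel: DROP: Bad ICMP traffic:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=2
Mar 21 23:41:10 fw kernel: DROP: Bad ICMP traffic:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=56 TTL=61 ID=0 DF PROTO=ICMP TYPE=13 CODE=0
Mar 21 23:42:00 fw kernel: Some unrelated kernel message
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text
# (with or without a trailing space); the rest is the KEY=VALUE field list.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")

# Common ICMP type numbers, for readable report rows.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded", 13: "timestamp-request"}

def parse_line(line):
    """Return (prefix, {field: value}) for one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v      # note: ICMP's ID= overwrites the IP header ID=
        else:
            fields[tok] = True  # bare flags such as DF
    return m.group("prefix").strip(), fields

def summarize(log_text, prefix="DROP: Bad ICMP traffic:"):
    """Count dropped ICMP packets per (source address, ICMP type) for one log prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pfx, f = parsed
        if pfx != prefix or f.get("PROTO") != "ICMP":
            continue
        t = int(f.get("TYPE", -1))
        counts[(f["SRC"], ICMP_TYPES.get(t, f"type-{t}"))] += 1
    return counts

def report(log_text):
    """Render the summary as text rows, busiest source first."""
    rows = sorted(summarize(log_text).items(), key=lambda kv: -kv[1])
    return "\n".join(f"{n:5d}  {src:<15}  {kind}" for (src, kind), n in rows)
```

Run it over `/var/log/messages` (or wherever klogd/syslog puts kernel output) by passing the file's contents to `report()`.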


