Logging in iptables

Discussion about security and networking.
blackrax
Posts: 11
Joined: 6 March 2004, 22:11

Logging in iptables

Post by blackrax » 6 March 2004, 22:18

hi folks,


I recently configured my first iptables-based firewall; however, I'm having some trouble getting it to log the way I want (without /var/logs/messages eating up my whole HD). As you can see, I have set the log limit burst to 1, but what I really want is for this to apply at the packet & source IP level, i.e. at most one log entry per minute per identical source and IP; at the moment it is impossible to, e.g., detect a port scan (other than the first port per minute)... some tips please.

... and since this is my first firewall, I'm sure it may not be entirely sensible, so I would appreciate some pointers.

regards,
//blackrax

ps. I posted this on another forum as well (got no reply anyway), but it made the mistake of converting :D into smilies. In other words, all the odd-looking DROPs really are there; it's just that the smilies ate them.

Code:

INET_IFACE="eth1"

LAN_IFACE="eth0"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"

LO_IFACE="lo"
LO_IP="127.0.0.1"


# flush any old rules and delete user-defined chains (filter and nat tables)
iptables -F
iptables -X
iptables -t nat -F

# enable ip forwarding (routing between $LAN_IFACE and $INET_IFACE)
echo 1 > /proc/sys/net/ipv4/ip_forward

# drop all incoming packets
#iptables -P INPUT DROP

# drop all forwarded packets
#iptables -P FORWARD DROP

# drop all locally created packets
#iptables -P OUTPUT DROP

# creating new chains
iptables -N bad_tcp_packets
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N log_stealth
## iptables -N icmp_packets

# --- setting rules for allowed (TCP only - UDP never matches here)
# accept new connections
iptables -A allowed -p TCP --syn -j ACCEPT
# accept existing connections
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop all other - log them (rate limited: one line per minute in total)
iptables -A allowed -p TCP -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A allowed -p TCP -j DROP


# --- logging and dropping stealth scans
# no interface match here: the jumps from bad_tcp_packets already match -i $INET_IFACE,
# so matching on $LAN_IFACE in this chain meant these rules never fired.
# --log-prefix is limited to 29 characters, hence the shorter prefix.
iptables -A log_stealth -p TCP -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP:stealthscan "
iptables -A log_stealth -p TCP -j DROP

# --- setting rules for bad_tcp_packets - implement logging for each
# drop packets that are malformed
iptables -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP:malformed "
iptables -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP:malformed "
iptables -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP
# drop stealth scans (illegal TCP flag combinations) coming from the internet
iptables -A bad_tcp_packets -i $INET_IFACE -p TCP --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p TCP --tcp-flags SYN,FIN SYN,FIN              -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p TCP --tcp-flags SYN,RST SYN,RST              -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p TCP --tcp-flags FIN,RST FIN,RST              -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p TCP --tcp-flags ACK,FIN FIN                  -j log_stealth
iptables -A bad_tcp_packets -i $INET_IFACE -p TCP --tcp-flags ACK,URG URG                  -j log_stealth


# --- setting rules for tcp packets and ports
# granting tomcat
iptables -A tcp_packets -p TCP -s 0/0 --dport 8080 -j allowed
# wolfenstein et server port
iptables -A tcp_packets -p TCP -s 0/0 --dport 27960 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 27950 -j allowed

# --- setting rules for udp packets and ports
# wolfenstein et server port - ACCEPT directly; jumping to "allowed" did nothing
# for UDP (all its rules are -p TCP), so these packets fell through to the final DROP
iptables -A udp_packets -p UDP -s 0/0 --dport 27960 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --dport 27950 -j ACCEPT
# destroy m$oft packets
iptables -A udp_packets -p UDP -i $INET_IFACE --dport 135:139 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A udp_packets -p UDP -i $INET_IFACE --dport 135:139 -j DROP
# drop dhcp requests
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -j DROP

# --- setting rules for icmp_packets and services
# accept pings

## iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# accepts traceroute
## iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# --- setting metarules for INPUT
iptables -A INPUT -p TCP -j bad_tcp_packets
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# dhcp requests from the LAN have source 0.0.0.0, so the LAN rule above does not catch them
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
iptables -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
#iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
iptables -A INPUT -p ALL -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP "
iptables -A INPUT -p ALL -j DROP


# --- setting metarules for FORWARD
# ip_forward is on and the FORWARD policy is ACCEPT, so without these rules
# everything routed through the box is passed unfiltered
iptables -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables:DROP:fwd "
iptables -A FORWARD -j DROP


# --- setting metarules for OUTPUT
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT


# log - this shouldn't happen
#iptables -A OUTPUT -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "IPTABLES - CRITICAL: "

# enables internet sharing
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
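What the post asks for, at most one log line per minute per source address and port instead of one line per minute for the whole chain, is exactly what the hashlimit match does: `-m limit` keeps a single token bucket, `-m hashlimit` keeps one bucket per key (here source IP plus destination port). The snippet below is an added example, not part of blackrax's script: a POSIX shell helper that emits a hashlimit-based LOG/DROP pair for a chain, and a small awk scan detector that counts distinct destination ports per source in the resulting kernel log lines. It assumes the hashlimit match (xt_hashlimit) is available; the chain name, prefix and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Two pieces:
#  1. log_drop_per_source: a LOG+DROP pair rate-limited per (source IP, destination port)
#  2. scan_suspects: count distinct ports per source in iptables LOG lines
# Assumes the hashlimit match (xt_hashlimit) is loadable on the firewall.

# Set IPT=iptables to load the rules for real; by default they are only printed.
IPT="${IPT:-echo iptables}"

# Append a LOG+DROP pair to chain $1 with log prefix $2 (prefix max 29 chars).
# Every (source IP, destination port) pair gets its own token bucket: a burst of
# 3 lines, then 1 line/minute. A port scan therefore produces one line per probed
# port, while a flood against a single port still stays at one line per minute.
# The hashlimit name must be under 16 chars; it shows up as /proc/net/ipt_hashlimit/<name>.
log_drop_per_source() {
    chain="$1"
    prefix="$2"
    $IPT -A "$chain" -m hashlimit --hashlimit-name "$chain" \
        --hashlimit-mode srcip,dstport \
        --hashlimit-upto 1/minute --hashlimit-burst 3 \
        --hashlimit-htable-expire 60000 \
        -j LOG --log-prefix "$prefix"
    $IPT -A "$chain" -j DROP
}

# Read iptables LOG lines from stdin, count distinct DPT= values per SRC=,
# and print "source count" for every source above the threshold given in $1.
scan_suspects() {
    awk -v threshold="$1" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) { src = substr($i, 5) } else if ($i ~ /^DPT=/) { dpt = substr($i, 5) }
            }
            # count each (source, port) pair only once
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] > threshold) print s, ports[s] }
    ' | sort
}

# Constructed sample log (documentation addresses): one host probing five ports,
# one host repeatedly hitting NetBIOS.
SAMPLE_LOG=$(cat <<'EOF'
Mar  6 22:18:01 gw kernel: iptables:DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=42 PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Mar  6 22:18:01 gw kernel: iptables:DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=42 PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Mar  6 22:18:02 gw kernel: iptables:DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=42 PROTO=TCP SPT=44323 DPT=25 SYN URGP=0
Mar  6 22:18:02 gw kernel: iptables:DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=42 PROTO=TCP SPT=44324 DPT=80 SYN URGP=0
Mar  6 22:18:02 gw kernel: iptables:DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=42 PROTO=TCP SPT=44325 DPT=443 SYN URGP=0
Mar  6 22:18:03 gw kernel: iptables:DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=42 PROTO=TCP SPT=44326 DPT=22 SYN URGP=0
Mar  6 22:18:05 gw kernel: iptables:DROP IN=eth1 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 TTL=116 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  6 22:18:09 gw kernel: iptables:DROP IN=eth1 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 TTL=116 PROTO=UDP SPT=137 DPT=137 LEN=58
EOF
)

# Demo: print the rules that would replace the "-m limit" LOG/DROP pair at the
# end of INPUT, then flag sources that touched more than 3 distinct ports.
log_drop_per_source INPUT "iptables:DROP "
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 3
```

The same helper can replace every `-m limit ... -j LOG` / `-j DROP` pair in the posted script (INPUT, udp_packets, log_stealth, bad_tcp_packets); only the chain name and prefix change. One caveat: hashlimit keeps one hash entry per (source, port) key until it expires, so a scanner walking all 65535 ports creates 65535 entries; `--hashlimit-htable-max` caps the table, and once it is full new keys are simply not logged, which is the safe failure mode here.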
