* debugging rc.firewall
@ 2002-06-18 17:06 Mark Tessier
  2002-06-18 17:30 ` Nathan Cassano
  2002-06-18 18:02 ` Antony Stone
  0 siblings, 2 replies; 7+ messages in thread
From: Mark Tessier @ 2002-06-18 17:06 UTC (permalink / raw)
  To: Netfilter Mailing List

In trying to debug rc.firewall on a gateway/firewall between a LAN subnet and DMZ subnet, I've put in the following

iptables -A INPUT -i eth1 -j LOG

immediately after iptables --policy INPUT DROP

The same goes for the forward policy. I've checked /var/log/messages and nothing is written to it. In this rc.firewall script, the "reset chains and set policies" section is near the beginning, after the "set up enviro variables" section and the "enable kernel monitoring support" section. This is what the 

# Reset chains and set policies

# Remove any existing rules from all chains
iptables -t filter --flush
iptables -t nat --flush
iptables -t mangle --flush

# Set traffic on the loopback interface to unlimited
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# Set the default policy to drop
iptables --policy INPUT DROP
iptables -A INPUT -i $LAN_IPADDR -j LOG      # note: -i matches an interface name (e.g. eth1), not an IP address
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A FORWARD -i $LAN_IPADDR -j LOG    # same: -i expects an interface name

iptables -t nat --policy PREROUTING DROP
iptables -t nat --policy OUTPUT DROP
iptables -t nat --policy POSTROUTING DROP

iptables -t mangle --policy PREROUTING DROP
iptables -t mangle --policy OUTPUT DROP

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

As mentioned my log messages are not registering in /var/log/messages and I'm not sure why. 

-- 
Thanks,

Mark



* RE: debugging rc.firewall
  2002-06-18 17:06 debugging rc.firewall Mark Tessier
@ 2002-06-18 17:30 ` Nathan Cassano
  2002-06-18 18:02 ` Antony Stone
  1 sibling, 0 replies; 7+ messages in thread
From: Nathan Cassano @ 2002-06-18 17:30 UTC (permalink / raw)
  To: 'Mark Tessier'; +Cc: netfilter


Hi Mark,
	Perhaps you are just looking in the wrong places. Have you tried
the 'dmesg' command to view the kernel message output? Check your
syslog.conf to see that you are properly logging kernel messages. 

I use the following logging configuration.

/etc/syslog.conf
kern.*             -/var/log/kernel

Finally give the syslogd a 'kill -HUP' if you change this file.




* Re: debugging rc.firewall
  2002-06-18 17:06 debugging rc.firewall Mark Tessier
  2002-06-18 17:30 ` Nathan Cassano
@ 2002-06-18 18:02 ` Antony Stone
  2002-06-18 18:31   ` --set-mark limit Luiz Fernando T. Campos
  1 sibling, 1 reply; 7+ messages in thread
From: Antony Stone @ 2002-06-18 18:02 UTC (permalink / raw)
  To: Netfilter Mailing List

On Tuesday 18 June 2002 6:06 pm, Mark Tessier wrote:

> In trying to debug rc.firewall on a gateway/firewall between a LAN subnet
> and DMZ subnet, I've put in the following
>
> iptables -A INPUT -i eth1 -j LOG
>
> immediately after iptables --policy INPUT DROP
>
> As mentioned my log messages are not registering in /var/log/messages and
> I'm not sure why.

You need to specify the "logging level" so that syslog.conf knows what 
category the messages are and can send them to the appropriate file.

Depending on what version of iptables you have, you need to say:

iptables -A INPUT -i eth1 -j LOG --log-level=<level>

where <level> is either a number or a word (some versions of iptables don't 
accept the word variant, but it is more intuitive if you can use that, so try 
it first and see if it is accepted - if not, use the number instead).

I use --log-level=info and this logs quite happily into /var/log/messages

I believe the corresponding numeric value for this is 6, so you would say:

iptables -A INPUT -i eth1 -j LOG --log-level=6

Note that you can also specify --log-prefix as an option to the LOG target, 
which puts a fixed message into the log entry - this can be useful for 
indicating which one of your LOG rules was responsible for generating a given 
logfile line.

eg: iptables -A INPUT -i eth1 -j LOG --log-level=info --log-prefix="Input"
iptables -A FORWARD -i eth1 -j LOG --log-level=info --log-prefix="Forward"

etc....

 

Antony,


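A worked example added here (not code from Mark, Nathan or Antony): the LOG rules and syslog line the three messages above describe, plus a small parser for the lines the LOG target writes once they reach syslog. Two checks worth making before editing syslog.conf: "iptables -L INPUT -v -n" shows a packet counter next to the LOG rule, so a counter stuck at zero means the rule never matches (note that -i takes an interface name such as eth1, not an address), while a rising counter with nothing in /var/log/messages points at syslog routing or at dmesg. Two caveats on --log-prefix: the kernel prints the prefix immediately before "IN=", so a prefix without a trailing space or colon runs straight into it ("InputIN=eth1"), and the prefix is limited to 29 characters. The sample log lines in the block are constructed in the LOG target's format; the hostname, addresses, MACs and the eth2 DMZ interface are made up.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters): once the
# LOG target's messages reach syslog, pull the useful fields out of them and
# count hits per --log-prefix. The rules assumed to have produced the sample
# (eth1 is the LAN side from the thread; eth2 is an assumed DMZ interface):
#
#   iptables -A INPUT   -i eth1 -j LOG --log-level info --log-prefix "FW-INPUT: "
#   iptables -A FORWARD -i eth1 -j LOG --log-level info --log-prefix "FW-FORWARD: "
#
# with syslog.conf routing kernel messages somewhere readable, e.g.
#   kern.*    -/var/log/kernel
# (then "kill -HUP" syslogd), or "dmesg" for the raw kernel ring buffer.

# CONSTRUCTED sample syslog lines in the 2.4-era LOG target format; host,
# addresses and MACs are made up. The fourth line shows what happens when the
# prefix is given without a trailing space: it runs straight into "IN=".
# The fifth line is an unrelated daemon message that must be ignored.
FW_LOG_SAMPLE='Jun 18 18:10:02 gw kernel: FW-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.23 DST=10.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 18 18:10:03 gw kernel: FW-FORWARD: IN=eth1 OUT=eth2 SRC=10.0.1.23 DST=10.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jun 18 18:10:05 gw kernel: FW-INPUT: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.40 DST=10.0.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=1025 DPT=53 LEN=58
Jun 18 18:10:06 gw kernel: InputIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.99 DST=10.0.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 18 18:10:06 gw sshd[1234]: Accepted publickey for admin from 10.0.1.23 port 34567 ssh2'

# fw_log_fields: read syslog lines on stdin, keep only LOG-target lines and
# print  prefix<TAB>proto<TAB>src<TAB>dst<TAB>dport  ("-" for a missing field).
fw_log_fields() {
    awk '
    / kernel: / && /IN=[^ ]* OUT=/ {
        line = $0
        sub(/^.* kernel: /, "", line)          # drop "Mon DD HH:MM:SS host kernel: "
        prefix = line
        sub(/IN=[^ ]* OUT=.*$/, "", prefix)    # everything before IN= is the --log-prefix
        sub(/ +$/, "", prefix)                 # drop the trailing space of a well-formed prefix
        if (prefix == "") prefix = "-"
        proto = "-"; src = "-"; dst = "-"; dpt = "-"
        n = split(line, f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^PROTO=/)    proto = substr(f[i], 7)
            else if (f[i] ~ /^SRC=/) src = substr(f[i], 5)
            else if (f[i] ~ /^DST=/) dst = substr(f[i], 5)
            else if (f[i] ~ /^DPT=/) dpt = substr(f[i], 5)
        }
        printf "%s\t%s\t%s\t%s\t%s\n", prefix, proto, src, dst, dpt
    }'
}

# fw_log_count_by_prefix: hits per LOG rule, as  prefix<TAB>count, sorted.
fw_log_count_by_prefix() {
    fw_log_fields | awk -F'\t' '{ n[$1]++ } END { for (p in n) printf "%s\t%d\n", p, n[p] }' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample. On a real gateway:
#   grep 'kernel:' /var/log/messages | fw_log_count_by_prefix
printf '%s\n' "$FW_LOG_SAMPLE" | fw_log_count_by_prefix
```

The "Input" prefix shows up as its own bucket only because the parser cuts at "IN="; with a prefix that ends in a space or colon the split is unambiguous, which is why the two assumed rules above use "FW-INPUT: " and "FW-FORWARD: ".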

* --set-mark limit
  2002-06-18 18:02 ` Antony Stone
@ 2002-06-18 18:31   ` Luiz Fernando T. Campos
  2002-06-18 18:45     ` Antony Stone
  2002-06-18 18:52     ` Patrick Schaaf
  0 siblings, 2 replies; 7+ messages in thread
From: Luiz Fernando T. Campos @ 2002-06-18 18:31 UTC (permalink / raw)
  To: Netfilter Mailing List


hello guys,

I have several links to limit the bandwidth,
so I need to know what is the maximum value
for the --set-mark value in the mangle table

I need something near a thousand different marks

like this one:
iptables -t mangle -A OUTPUT -o eth0 -p tcp -s ..... --dport smtp -j MARK --set-mark 0811
iptables -t mangle -A OUTPUT -o eth1 -p tcp --sport smtp -d ..... -j MARK --set-mark 0812

Why are the numbers so high?

1) there are SEVERAL partitions to be made.
2) the numbers are related with the service being limited for better administration.

I use TC from iproute2 and iptables 1.26a kernel 2.4.18

If someone knows that it will work or if I need a patch, 
I'll be very thankful.




-- 
Luiz Fernando T. Campos
Sys Admin
Multibroker S/A
ryche@multibroker.com.br




* Re: --set-mark limit
  2002-06-18 18:31   ` --set-mark limit Luiz Fernando T. Campos
@ 2002-06-18 18:45     ` Antony Stone
  2002-06-18 18:56       ` Luiz Fernando T. Campos
  2002-06-18 18:52     ` Patrick Schaaf
  1 sibling, 1 reply; 7+ messages in thread
From: Antony Stone @ 2002-06-18 18:45 UTC (permalink / raw)
  To: Netfilter Mailing List

On Tuesday 18 June 2002 7:31 pm, Luiz Fernando T. Campos wrote:

> hello guys,
>
> I have several links to limit the bandwidth,
> so I need to know what is the maximum value
> for the --set-mark value in the mangle table

According to the source code, it's an unsigned long, which on my machine 
means you can use values from 0 to (2^32)-1 = 4294967295

Should be enough for your purposes :-)

 

Antony.



* Re: --set-mark limit
  2002-06-18 18:31   ` --set-mark limit Luiz Fernando T. Campos
  2002-06-18 18:45     ` Antony Stone
@ 2002-06-18 18:52     ` Patrick Schaaf
  1 sibling, 0 replies; 7+ messages in thread
From: Patrick Schaaf @ 2002-06-18 18:52 UTC (permalink / raw)
  To: Luiz Fernando T. Campos; +Cc: Netfilter Mailing List

> I have several links to limit the bandwidth,
> so I need to know what is the maximum value
> for the --set-mark value in the mangle table

It's an unsigned 32 bit value, so the maximum is 4294967295.

> I need something near a thousand diferent marks
> if someone knows that it will work or if I need a patch, 

It will work for you, at least in this respect.

best regards
  Patrick



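A worked example added here (not code from Luiz, Antony or Patrick) for the 32-bit limit the two replies give: pack a link id and a service id into one mark so that tc "fw" filters can select a class per pair, and check a candidate value the way iptables will read it. The bit layout (link in the top 16 bits, service in the bottom 16) is an assumption made for this example, as are the tc parent and class ids printed by mark_rules. One caveat the thread's "--set-mark 0811" runs into: iptables reads the mark with strtoul() in base 0, so a value with a leading 0 is taken as octal, and 0811 is rejected as a bad MARK value because 8 is not an octal digit. Write marks in plain decimal or 0x hex.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters): pack a
# link id and a service id into one 32-bit firewall mark, and check a mark
# value the way iptables will read it. The field layout is an assumption made
# here: bits 31..16 = link, bits 15..0 = service; any split of 32 bits works.

FWMARK_MAX=4294967295   # 2^32 - 1, the largest value --set-mark accepts

# is_uint STR: true if STR is a non-empty string of decimal digits
is_uint() { case "$1" in ""|*[!0-9]*) return 1 ;; esac; return 0; }

# mkmark LINK SERVICE: print the packed mark as 0x-prefixed hex
mkmark() {
    is_uint "$1" && is_uint "$2" || { echo "mkmark: ids must be decimal" >&2; return 1; }
    [ "$1" -le 65535 ] && [ "$2" -le 65535 ] || { echo "mkmark: id exceeds 16 bits" >&2; return 1; }
    printf '0x%08x\n' $(( ($1 << 16) | $2 ))
}

# digits_to_dec DIGITS BASE: convert one digit at a time with POSIX arithmetic
# only, so sh, dash and bash agree. The caller bounds the length beforehand.
digits_to_dec() {
    s=$1 base=$2 n=0
    [ -n "$s" ] || return 1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}; s=${s#?}              # first character, then the rest
        case "$d" in
            [0-9]) v=$d ;;
            [aA]) v=10 ;; [bB]) v=11 ;; [cC]) v=12 ;; [dD]) v=13 ;; [eE]) v=14 ;; [fF]) v=15 ;;
            *) return 1 ;;
        esac
        [ "$v" -lt "$base" ] || return 1      # digit not valid in this base
        n=$(( n * base + v ))
    done
    echo "$n"
}

# parse_mark VALUE: print VALUE as decimal, reading it the way iptables does
# (strtoul with base 0): "0x.." is hex, a leading "0" means OCTAL, else decimal.
# Fails on malformed input or anything above 32 bits. The thread's
# "--set-mark 0811" fails here: 8 is not an octal digit.
parse_mark() {
    val=$1
    case "$val" in
        0[xX]*) s=${val#0[xX]}; base=16; max_len=8 ;;
        0)      echo 0; return 0 ;;
        0*)     s=${val#0};     base=8;  max_len=11 ;;
        *)      s=$val;         base=10; max_len=10 ;;
    esac
    [ ${#s} -le $max_len ] || return 1        # keeps the arithmetic below in range
    n=$(digits_to_dec "$s" "$base") || return 1
    [ "$n" -le "$FWMARK_MAX" ] || return 1
    echo "$n"
}

# splitmark VALUE: decode a mark back into "link service"
splitmark() {
    n=$(parse_mark "$1") || return 1
    echo "$(( n >> 16 )) $(( n & 65535 ))"
}

# mark_rules LINK SERVICE IFACE DPORT CLASSID: print the mangle rule and the
# matching tc "fw" filter. "parent 1:" and CLASSID are assumptions of this example.
mark_rules() {
    m=$(mkmark "$1" "$2") || return 1
    echo "iptables -t mangle -A OUTPUT -o $3 -p tcp --dport $4 -j MARK --set-mark $m"
    echo "tc filter add dev $3 parent 1: protocol ip prio 1 handle $m fw flowid $5"
}

# Stand-alone run: link 8, service 11 (the thread's "0811" written safely)
mark_rules 8 11 eth0 25 1:10
```

Because parse_mark mirrors the base-0 parsing, it doubles as a pre-flight check in a script that generates rules from a table of links and services: run every mark through it and abort before the first iptables call fails half way through a flush-and-reload.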

* Re: --set-mark limit
  2002-06-18 18:45     ` Antony Stone
@ 2002-06-18 18:56       ` Luiz Fernando T. Campos
  0 siblings, 0 replies; 7+ messages in thread
From: Luiz Fernando T. Campos @ 2002-06-18 18:56 UTC (permalink / raw)
  To: Netfilter Mailing List


Antony Stone wrote:
> 
> On Tuesday 18 June 2002 7:31 pm, Luiz Fernando T. Campos wrote:
> 
> > hello guys,
> >
> > I have several links to limit the bandwidth,
> > so I need to know what is the maximum value
> > for the --set-mark value in the mangle table
> 
> According to the source code, it's an unsigned long, which on my machine
> means you can use values from 0 to (2^32)-1 = 4294967295
> 
> Should be enough for your purposes :-)
> 
> 
> 
> Antony.

That's nice!
Thanks guys!

[]'s


-- 
Luiz Fernando T. Campos
Sys Admin
Multibroker
ryche@multibroker.com.br

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.8

mQENAzsAMEIAAAEIAN/mqLpQ3tWJiXFJB/xvISaA7iKcEq2PrSnu9jx9xGV50sLI
DaAFn5aPSXyWAYwHQz83srwkPbsxbKLCGiCLIaGq4Q9LClomuaBt6vtZvsE1fOyq
EcYZBYRgu6PBYzrsvhHwsZb98h2Rxj1OaRYnCfjiVqiOrtmFe7j62mrDYO7mdtvL
DRLNF5eyHoqzTMCneAimwt8FK3mLH71j/pJTbsLkViynOX6H+qlJcVT+Oeh4/zcy
l2HSsSy+ygiAyZWQ64dhiAvMAPcgnn2e3wXFuwzAX0ff9cO3qQmNH47x/7IS2og1
vHkAL2oQVsx3yAvXGbBikQgOd6YSpcV2xt216dkABRG0EHJ5Y2hlQHVvbC5jb20u
YnKJARUDBRA7ADBCpcV2xt216dkBAc0gB/4ma/OGKgIpZcVsLsLAacxW4r/wKsHS
1vyXdxzbp1hO+Py4Uh7CgCFE4jsL9iGaIfhnjudPIbJGYuGFFRVrq1d4NnYI1D8c
10xH9WqK7k1K7nMe/Jeirkr/RHFC/OF80/Q0qlgdRYYNpkjvkf98RWbfhAgJTqbB
73x8cgtt0fIS3yRczUA1V2wWRk1usHojl6pzqnmBqPQPavy8OYnBjw6r2/gJO53e
KQLWqIRqsC+gEYaGxnL3wspG4NudfdupxtzBMrLwA6qmpmCgCDDFoGc7dpahd9vd
hR7ID7YdA7mmO/ulSuXyZMUdkSARhqMDno5KdwS3UXYzzM5D9u2poOfE
=/ZNV
-----END PGP PUBLIC KEY BLOCK-----


