* iptables: log
@ 2003-06-10 17:05 Markus Hochmann
0 siblings, 0 replies; 4+ messages in thread
From: Markus Hochmann @ 2003-06-10 17:05 UTC (permalink / raw)
To: netfilter
Hello,
I am new here and hope I don't make a mistake :)
I have a router (to access the internet, DSL) from which I forwarded two
ports (3456 tcp and udp) to 192.168.1.2 (the machine where I configure this
fw).
Works fine, but today I have added a log for all packets that should be
dropped. And I found some entries I can't explain. The first is this one:
Jun 10 18:31:44 tux kernel: Trash-Packet! Infos: IN=eth0 OUT=
MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=192.168.1.1 DST=192.168.1.2
LEN=81 TOS=0x00 PREC=0xC0 TTL=255 ID=9997 PROTO=ICMP TYPE=5 CODE=1
GATEWAY=192.168.1.2 [SRC=192.168.1.2 DST=192.168.1.2 LEN=53 TOS=0x00
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3456 DPT=3456 LEN=33 ]
It always comes four times and then there is a break of about 2.20h. Do I need this
icmp-redirect message? And why only for the udp-port?
And the MAC is mine (00:e0:7d:c5:e4:f3), the router's (00:50:ba:b8:a3:05) and
08:00. What is this 08:00 for? It's there too when there is a connection in the
LAN (without the router).
And then I get multiple of these entries (I used overnet at that point,
something like edonkey or emule => I connected to them and then got some
rejected ACK-RST and ACK-SYN):
Jun 10 18:41:05 tux kernel: Trash-Packet! Infos: IN=eth0 OUT=
MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.139.182.236
DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=11282 PROTO=TCP SPT=4662
DPT=4038 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 7 18:43:13 tux kernel: Trash-Packet! Infos: IN=eth0 OUT=
MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.130.125.169
DST=192.168.1.2 LEN=64 TOS=0x00 PREC=0x00 TTL=123 ID=58278 DF PROTO=TCP
SPT=4662 DPT=4223 WINDOW=16944 RES=0x00 ACK SYN URGP=0
This is only when I use overnet! And it is always only port 4662, 4663, 8080
and _never_ 25, 80, 110, 443, 6667, ...
Hopefully you can explain these messages to me, because I don't want to block some
important packets.
Greets,
Markus
This is my fw-script up to now:
#!/bin/sh
#unload unneeded modules and load the needed ones
{
rmmod ipfwadm
rmmod ipchains
modprobe ip_tables
modprobe ip_conntrack
} > /dev/null 2>&1
#clear the fw-table (flush all rules, then delete user-defined chains)
iptables -F
iptables -X
#set general policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#accept everything from interface lo
iptables -A INPUT -i lo -j ACCEPT
#allow connections to tcp/3456 (overnet)
iptables -A INPUT -p tcp --destination-port 3456 -j ACCEPT
#allow packets to udp/3456 (overnet)
iptables -A INPUT -p udp --destination-port 3456 -j ACCEPT
#allow some other essential ICMP messages
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
#This is the msg from the router, dunno if necessary
#iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
#allow incoming ping-pong
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#let connection-packets pass. Is this not enough?
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#drop packets which are regularly sent out to everybody (windows SMB, RIP)
iptables -A INPUT -p udp --destination-port 137 -j DROP
iptables -A INPUT -p udp --destination-port 138 -j DROP
iptables -A INPUT -p udp --destination-port 520 -j DROP
#Log all packets which would be dropped, only to see what is dropped
#(the chain policy DROP handles them afterwards); will be removed in the final version
iptables -A INPUT -j LOG --log-level 0 --log-prefix "Trash-Packet! Infos: "
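As an added example (not code from the post or from the netfilter project), a small Python parser for the LOG line format shown above, run on the first two entries quoted in the post: it splits the MAC= field into destination MAC, source MAC and the trailing Ethernet type, where 08:00 is 0x0800, the EtherType for IPv4, which is why it also shows up on LAN-only traffic; and it pulls the bracketed inner header out of the ICMP redirect so the packet that provoked it (UDP 3456 to 3456) becomes visible.

```python
import re
# Kernel-side text of two LOG lines quoted in the post above (the part after the
# "Trash-Packet! Infos: " prefix); the first is an ICMP redirect whose bracketed
# tail is the header of the packet that provoked it.
REDIRECT_LINE = ("IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=192.168.1.1 "
                 "DST=192.168.1.2 LEN=81 TOS=0x00 PREC=0xC0 TTL=255 ID=9997 PROTO=ICMP TYPE=5 CODE=1 "
                 "GATEWAY=192.168.1.2 [SRC=192.168.1.2 DST=192.168.1.2 LEN=53 TOS=0x00 PREC=0x00 "
                 "TTL=64 ID=0 DF PROTO=UDP SPT=3456 DPT=3456 LEN=33 ]")
TCP_LINE = ("IN=eth0 OUT= MAC=00:e0:7d:c5:e4:f3:00:50:ba:b8:a3:05:08:00 SRC=80.139.182.236 DST=192.168.1.2 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=11282 PROTO=TCP SPT=4662 DPT=4038 WINDOW=0 RES=0x00 ACK RST URGP=0")

def parse_mac(field):
    # MAC= is 14 octets: destination MAC, source MAC, then the 2-byte Ethernet type (0x0800 = IPv4)
    octets = field.split(":")
    return {"dst_mac": ":".join(octets[:6]), "src_mac": ":".join(octets[6:12]),
            "ethertype": int("".join(octets[12:14]), 16)}

def parse_tokens(text):
    # KEY=value -> dict, bare tokens (DF, ACK, RST, ...) -> flag list; a repeated key becomes KEY_2
    fields, flags = {}, []
    for token in text.split():
        if "=" not in token:
            flags.append(token)
            continue
        key, _, value = token.partition("=")
        fields[key if key not in fields else key + "_2"] = value
    return fields, flags

def parse_log_line(line):
    # ICMP error messages carry the offending packet's header inside [...]
    inner, m = None, re.search(r"\[(.*?)\]", line)
    if m:
        inner = dict(zip(("fields", "flags"), parse_tokens(m.group(1))))
        line = line[:m.start()] + line[m.end():]
    fields, flags = parse_tokens(line)
    record = {"fields": fields, "flags": flags, "inner": inner}
    if "MAC" in fields:
        record["mac"] = parse_mac(fields["MAC"])
    return record

def describe(record):
    # one-line summary of what the dropped packet was, for reading the log by eye
    f, inner = record["fields"], record["inner"]
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "5" and inner:
        i = inner["fields"]
        return "ICMP redirect from %s: use gateway %s for %s to %s:%s" % (
            f["SRC"], f["GATEWAY"], i["PROTO"], i["DST"], i.get("DPT", "?"))
    if f.get("PROTO") == "TCP":
        flags = "+".join(x for x in record["flags"] if x in ("SYN", "ACK", "FIN", "RST", "PSH", "URG"))
        return "TCP %s from %s:%s to %s:%s" % (flags, f["SRC"], f["SPT"], f["DST"], f["DPT"])
    return "%s from %s to %s" % (f.get("PROTO"), f.get("SRC"), f.get("DST"))
```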
* Iptables LOG
@ 2003-12-25 11:25 Rakotomandimby Mihamina
2003-12-25 20:00 ` Stephen Smoogen
0 siblings, 1 reply; 4+ messages in thread
From: Rakotomandimby Mihamina @ 2003-12-25 11:25 UTC (permalink / raw)
To: netfilter
Hi everyone :-)
I'm using:
kernel 2.4.23
iptables 1.2.8
a ppp connection.
In my kernel conf, I have enabled iptables LOG
(
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
)
I am trying to get iptables logs into a file.
I searched and found this to make it work:
http://lists.netfilter.org/pipermail/netfilter/2003-September/046667.html
What I did is:
#1 give this iptables rule
iptables -A INPUT -j LOG --log-level debug --log-prefix "iptables_rktmb : "
#2 modifying /etc/syslog.conf
[...]
*.info;*.!warn;kern.!=debug;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
[...]
*.=debug /var/log/debug
#3 killall -HUP syslogd
But IT DOES NOT want to work ... I have nothing in /var/log/debug except my
pppd logs ...
How should I manage it? What did I miss, please? Help me. :-)
--
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina
* Re: Iptables LOG
2003-12-25 11:25 Iptables LOG Rakotomandimby Mihamina
@ 2003-12-25 20:00 ` Stephen Smoogen
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smoogen @ 2003-12-25 20:00 UTC (permalink / raw)
To: Rakotomandimby Mihamina; +Cc: netfilter
On Thu, 25 Dec 2003, Rakotomandimby Mihamina wrote:
>Hi everyone :-)
>
>I'm using:
>kernel 2.4.23
>iptables 1.2.8
Does it work if you set it to another level? I.e. say set it to emerg or
info? If it doesn't then I would say the kernel isn't doing what it is
supposed to do or klogd isn't running.
--
Stephen John Smoogen smoogen@lanl.gov
Los Alamos National Labrador CCN-5 Sched 5/40 PH: 5-8058
Ta-03 SM-261 MailStop P208 DP 17U Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --
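As an added example (not code from either message), a small evaluator of sysklogd-style selectors run against the two syslog.conf lines Rakotomandimby posted; it assumes classic sysklogd semantics and shows that, under that config, a kern.debug message is routed to /var/log/debug and kept out of /var/log/messages, so if nothing arrives there the next things to check are the ones Stephen names: whether the kernel emits the line at all (try another --log-level) and whether klogd is running to hand it to syslogd.

```python
# sysklogd priorities, most severe first; "warn", "error" and "panic" are accepted aliases
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# The two selector lines quoted from the posted /etc/syslog.conf, with their actions
POSTED_RULES = {
    "*.info;*.!warn;kern.!=debug;authpriv.none;cron.none;mail.none;news.none": "/var/log/messages",
    "*.=debug": "/var/log/debug",
}

def prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, priority):
    # Assumed classic sysklogd semantics: "fac.prio" adds prio and everything more severe,
    # "=prio" exactly prio, "!prio" removes prio and everything more severe, "!=prio" removes
    # exactly prio, "none" removes the facility; parts are applied left to right.
    selected, q = False, prio_index(priority)
    for part in selector.split(";"):
        facs, _, spec = part.rpartition(".")
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue                      # this part does not mention our facility
        if spec == "none":
            selected = False
            continue
        negate = spec.startswith("!")
        exact = spec.lstrip("!").startswith("=")
        p = prio_index(spec.lstrip("!="))
        if (q == p) if exact else (q <= p):   # lower index = more severe
            selected = not negate
    return selected

def files_for(facility, priority):
    # which of the posted actions would receive a message of this facility/priority
    return [path for sel, path in POSTED_RULES.items() if selector_matches(sel, facility, priority)]
```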
* iptables log
@ 2002-10-25 0:17 Sébastien Ferré
0 siblings, 0 replies; 4+ messages in thread
From: Sébastien Ferré @ 2002-10-25 0:17 UTC (permalink / raw)
To: netfilter
Is it possible to put logs in another syslog file? If it's possible,
what's the recipe.
Thanks