* how to log dropped packet
@ 2004-09-28 10:12 hamals
  2004-09-28 10:28 ` Wan Seman Bin Wan Ismail
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: hamals @ 2004-09-28 10:12 UTC (permalink / raw)
  To: netfilter


hello

I wrote all my firewall rules, and now I would like to log
all packets that will be dropped by my policy rule..

..how can I do it?

What kind of rules do I need?..and where do I have to write
them?

thanks
_______________________________________
Free connection and 10 MB e-mail,
accessible via web and via POP.
www.infinito.it come and discover
all our services!

http://www.infinito.it/xmail


* Re: how to log dropped packet
  2004-09-28 10:12 how to log dropped packet hamals
@ 2004-09-28 10:28 ` Wan Seman Bin Wan Ismail
  2004-09-28 11:50 ` Florian Boelstler
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 10+ messages in thread
From: Wan Seman Bin Wan Ismail @ 2004-09-28 10:28 UTC (permalink / raw)
  To: hamals, netfilter

for example:-

Accept Rule:
iptables -A block -p tcp --dport 80 -j LOG --log-level info --log-prefix "Allow 80 :"
iptables -A block -p tcp --dport 80 -j ACCEPT

Drop Rule:
iptables -A block -p tcp --dport 139 -j LOG --log-level info --log-prefix "Block 139 :"
iptables -A block -p tcp --dport 139 -j DROP

so in conclusion, the first rule must log, then follow it with ACCEPT or
DROP :-)



hamals@infinito.it wrote:

>
> hello
>
> I wrote all my firewall rules, and now I would like to log all packets
> that will be dropped by my policy rule..
>
> ..how can I do it?
>
> What kind of rules do I need?..and where do I have to write them?
>
> thanks


* Re: how to log dropped packet
  2004-09-28 10:12 how to log dropped packet hamals
  2004-09-28 10:28 ` Wan Seman Bin Wan Ismail
@ 2004-09-28 11:50 ` Florian Boelstler
  2004-09-28 15:37   ` Florian Boelstler
  2004-09-28 14:09 ` Jason Opperisano
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: Florian Boelstler @ 2004-09-28 11:50 UTC (permalink / raw)
  To: netfilter

What I usually do is:

---------------------------------------------------------------------
#!/bin/sh

# Some handy variables

IPTABLES=`which iptables`
d_HTTP="http,https"
p_high="1024:65535"
EXT="wlan0"


# DROP & LOG chain

$IPTABLES -N DROPnLOG
$IPTABLES -A DROPnLOG -p ICMP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-ICMP "
$IPTABLES -A DROPnLOG -p TCP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-TCP "
$IPTABLES -A DROPnLOG -p UDP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-UDP "


# Default rule for established connections

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Put several rules to allow outgoing traffic here. E.g. for web sites:

$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high -m multiport --destination-ports $d_HTTP -j ACCEPT


# Wipe anything not matching any of the rulesets above

$IPTABLES -A INPUT -j DROPnLOG
$IPTABLES -A FORWARD -j DROPnLOG
$IPTABLES -A OUTPUT -j DROPnLOG

---------------------------------------------------------------------


The script above requires that your kernel is aware of the ULOG target.
This allows iptables output to be logged to a destination (i.e. a file)
other than syslog.
You will need an appropriate ULOG configuration file.

The output will look like this:
Jan  1 01:00:00 beamstation DROP-UDP  IN= OUT=wlan0 MAC= SRC=192.168.2.100 DST=192.168.2.255 LEN=268 TOS=00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=138 DPT=138 LEN=248


Good luck,

   Florian


* Re: how to log dropped packet
  2004-09-28 10:12 how to log dropped packet hamals
  2004-09-28 10:28 ` Wan Seman Bin Wan Ismail
  2004-09-28 11:50 ` Florian Boelstler
@ 2004-09-28 14:09 ` Jason Opperisano
  2004-09-28 14:21 ` Aleksandar Milivojevic
  2004-09-28 14:27 ` Jose Maria Lopez
  4 siblings, 0 replies; 10+ messages in thread
From: Jason Opperisano @ 2004-09-28 14:09 UTC (permalink / raw)
  To: netfilter

On Tue, 2004-09-28 at 06:12, hamals@infinito.it wrote:
> hello
> 
> I wrote all my firewall rules, and now I would like to log
> all packets that will be dropped by my policy rule..
> 
> ..how can I do it?
> 
> What kind of rules do I need?..and where do I have to write
> them?
> 
> thanks

if you're trying to catch the packets that will be dropped by the chain
policy, the last rule in that chain should be the log rule.  for
example:

  iptables -A INPUT -j LOG --log-prefix "FW DROP IN: "

see:

  man iptables
or
  iptables -j LOG -h

for all the available options for the LOG target.

-j

-- 
Jason Opperisano <opie@817west.com>


* Re: how to log dropped packet
  2004-09-28 10:12 how to log dropped packet hamals
                   ` (2 preceding siblings ...)
  2004-09-28 14:09 ` Jason Opperisano
@ 2004-09-28 14:21 ` Aleksandar Milivojevic
  2004-09-28 14:30   ` Jose Maria Lopez
  2004-09-28 14:27 ` Jose Maria Lopez
  4 siblings, 1 reply; 10+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-28 14:21 UTC (permalink / raw)
  To: netfilter

hamals@infinito.it wrote:
> 
> hello
> 
> I wrote all my firewall rules, and now I would like to log all packets
> that will be dropped by my policy rule..
> 
> ..how can I do it?
> 
> What kind of rules do I need?..and where do I have to write them?

Use the LOG target.

However, if this is your firewall host toward Internet, are you sure you 
want to log *everything* that is dropped?  There are so many worms and 
automatic scanning tools out there that your logs will get *huge* with 
nothing but crap very fast.  This is especially true for Windows 
specific TCP and UDP ports.  Anything that might be interesting will get 
completely lost in all that noise.

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7


* Re: how to log dropped packet
  2004-09-28 10:12 how to log dropped packet hamals
                   ` (3 preceding siblings ...)
  2004-09-28 14:21 ` Aleksandar Milivojevic
@ 2004-09-28 14:27 ` Jose Maria Lopez
  4 siblings, 0 replies; 10+ messages in thread
From: Jose Maria Lopez @ 2004-09-28 14:27 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Tue, 28 Sep 2004 at 12:12, hamals@infinito.it wrote:
> hello
> 
> I wrote all my firewall rules, and now I would like to log
> all packets that will be dropped by my policy rule..
> 
> ..how can I do it?
> 
> What kind of rules do I need?..and where do I have to write
> them?
> 
> thanks

Just add at the end of your rules a rule like this:

iptables -A INPUT/OUTPUT/FORWARD -j LOG

with all the options you want to have. Then let the
default policy (DROP I suppose) act.

-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"


* Re: how to log dropped packet
  2004-09-28 14:21 ` Aleksandar Milivojevic
@ 2004-09-28 14:30   ` Jose Maria Lopez
  0 siblings, 0 replies; 10+ messages in thread
From: Jose Maria Lopez @ 2004-09-28 14:30 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org

On Tue, 28 Sep 2004 at 16:21, Aleksandar Milivojevic wrote:
> Use the LOG target.
> 
> However, if this is your firewall host toward Internet, are you sure you 
> want to log *everything* that is dropped?  There are so many worms and 
> automatic scanning tools out there that your logs will get *huge* with 
> nothing but crap very fast.  This is especially true for Windows 
> specific TCP and UDP ports.  Anything that might be interesting will get 
> completely lost in all that noise.

He could use the -m limit match to limit the number of log entries
he gets. It's interesting to do so for ports like
445 and so on.
-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
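The ULOG/LOG lines Florian shows earlier in the thread are what ends up on disk, and the noise Aleksandar and Jose warn about is easiest to judge by counting them. As an added example that is not from the thread, this Python script parses constructed lines in that field layout (the first sample line is Florian's; the other addresses and the NOISY_PORTS set are my own choices) and tallies drops per source and destination port, which shows which ports are worth an -m limit rule.

```python
import re
from collections import Counter

# Constructed sample in the field layout of the ULOG/LOG line Florian quotes
# (first line is his; the rest, with documentation-range addresses, are made up).
SAMPLE_LOG = """\
Jan  1 01:00:00 beamstation DROP-UDP  IN= OUT=wlan0 MAC= SRC=192.168.2.100 DST=192.168.2.255 LEN=268 TOS=00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=138 DPT=138 LEN=248
Jan  1 01:00:05 beamstation DROP-TCP  IN=wlan0 OUT= MAC= SRC=198.51.100.7 DST=192.168.2.100 LEN=48 TOS=00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3921 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  1 01:00:06 beamstation DROP-TCP  IN=wlan0 OUT= MAC= SRC=198.51.100.7 DST=192.168.2.100 LEN=48 TOS=00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3922 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  1 01:00:09 beamstation DROP-TCP  IN=wlan0 OUT= MAC= SRC=203.0.113.9 DST=192.168.2.100 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 01:00:12 beamstation DROP-TCP  IN=wlan0 OUT= MAC= SRC=203.0.113.9 DST=192.168.2.100 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 01:00:20 beamstation DROP-ICMP  IN=wlan0 OUT= MAC= SRC=192.0.2.33 DST=192.168.2.100 LEN=84 TOS=00 PREC=0x00 TTL=50 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

HEADER = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (.*?)\s+IN=")  # syslog stamp, host, prefix
FIELD = re.compile(r"(\w+)=(\S*)")                           # KEY=VALUE, value may be empty
NOISY_PORTS = {135, 137, 138, 139, 445}   # Windows ports the thread calls noisy (my list)

def parse_line(line):
    """Return the KEY=VALUE fields of one log line plus its log prefix, or None."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = dict(FIELD.findall(line))       # later duplicates (LEN=, ID=) win; fine here
    rec["PREFIX"] = m.group(1).strip()
    return rec

def summarize(text):
    """Count dropped packets per source and per destination port."""
    per_src, per_dport = Counter(), Counter()
    total = noisy = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        per_src[rec["SRC"]] += 1
        dport = int(rec["DPT"]) if rec.get("DPT") else 0   # ICMP lines carry no DPT
        per_dport[dport] += 1
        if dport in NOISY_PORTS:
            noisy += 1
    return {"total": total, "noisy": noisy, "per_src": per_src, "per_dport": per_dport}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["noisy"], "of", s["total"], "drops hit NOISY_PORTS; top sources:",
          s["per_src"].most_common(2))
```

Lines written through syslog by the LOG target carry "kernel: " before the prefix; the header pattern keeps that as part of PREFIX, so trim it if you only want the --log-prefix text.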


* Re: how to log dropped packet
  2004-09-28 15:37   ` Florian Boelstler
@ 2004-09-28 15:30     ` Alistair Tonner
  2004-09-29  9:19       ` Florian Boelstler
  0 siblings, 1 reply; 10+ messages in thread
From: Alistair Tonner @ 2004-09-28 15:30 UTC (permalink / raw)
  To: netfilter

On September 28, 2004 11:37 am, Florian Boelstler wrote:
> I forgot to paste a very important statement:
>
> Florian Boelstler wrote:
> > # DROP & LOG chain
> >
> > $IPTABLES -N DROPnLOG
> > $IPTABLES -A DROPnLOG -p ICMP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-ICMP "
> > $IPTABLES -A DROPnLOG -p TCP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-TCP "
> > $IPTABLES -A DROPnLOG -p UDP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-UDP "
>
> $IPTABLES -A DROPnLOG -j DROP
>
> [ ... ]


	Indeed an important component -- the point being that user-created tables
cannot have a POLICY set and when a packet reaches the end of a user-created
table, unless otherwise set, the packet RETURNS to the calling table and
continues to traverse it again at that point.

	(just clarifying for the record)


	Alistair.Tonner
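Alistair's point, as an added example that is not from the thread: a small Python model of netfilter chain traversal (my own simplification, not the kernel's code) built from the INPUT and DROPnLOG chains of Florian's script. Without the final -j DROP, a NEW TCP packet to port 139 is logged, the user chain RETURNs, and the built-in INPUT chain, whose policy the script never sets, applies iptables' default ACCEPT; with the DROP in place the packet is dropped.

```python
"""Toy model of netfilter chain traversal (added example, not the kernel's code).
Modelled: built-in chains with a policy, user chains (no policy), the terminating
targets ACCEPT/DROP, the non-terminating LOG target and jumps between chains."""

def traverse(chains, policies, chain, pkt, log):
    """Return ACCEPT, DROP or RETURN.  A user chain that falls through RETURNs
    to the caller, which resumes after the jump; a built-in chain that falls
    through applies its policy."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target.startswith("LOG "):
            log.append(target[4:] + str(pkt))   # LOG never ends traversal
            continue
        verdict = traverse(chains, policies, target, pkt, log)  # -j <user chain>
        if verdict != "RETURN":
            return verdict
    return policies.get(chain, "RETURN")

def build(with_final_drop):
    """The INPUT chain and the DROPnLOG user chain of Florian's script."""
    any_pkt = lambda p: True
    is_tcp = lambda p: p["proto"] == "TCP"
    dropnlog = [(is_tcp, "LOG DROP-TCP ")]
    if with_final_drop:
        dropnlog.append((any_pkt, "DROP"))   # the line he forgot to paste
    chains = {
        "INPUT": [(lambda p: p["state"] == "ESTABLISHED", "ACCEPT"),
                  (any_pkt, "DROPnLOG")],
        "DROPnLOG": dropnlog,
    }
    # The script never sets -P INPUT, so the built-in default ACCEPT applies.
    return chains, {"INPUT": "ACCEPT"}

def verdict_for(with_final_drop):
    """Verdict and number of log lines for a NEW TCP packet to port 139."""
    chains, policies = build(with_final_drop)
    pkt = {"proto": "TCP", "dport": 139, "state": "NEW"}
    log = []
    return traverse(chains, policies, "INPUT", pkt, log), len(log)

if __name__ == "__main__":
    print(verdict_for(False))  # ('ACCEPT', 1): logged, then let through
    print(verdict_for(True))   # ('DROP', 1)
```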


* Re: how to log dropped packet
  2004-09-28 11:50 ` Florian Boelstler
@ 2004-09-28 15:37   ` Florian Boelstler
  2004-09-28 15:30     ` Alistair Tonner
  0 siblings, 1 reply; 10+ messages in thread
From: Florian Boelstler @ 2004-09-28 15:37 UTC (permalink / raw)
  To: netfilter

I forgot to paste a very important statement:

Florian Boelstler wrote:
> # DROP & LOG chain
> 
> $IPTABLES -N DROPnLOG
> $IPTABLES -A DROPnLOG -p ICMP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-ICMP "
> $IPTABLES -A DROPnLOG -p TCP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-TCP "
> $IPTABLES -A DROPnLOG -p UDP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-UDP "

$IPTABLES -A DROPnLOG -j DROP

[ ... ]


* Re: how to log dropped packet
  2004-09-28 15:30     ` Alistair Tonner
@ 2004-09-29  9:19       ` Florian Boelstler
  0 siblings, 0 replies; 10+ messages in thread
From: Florian Boelstler @ 2004-09-29  9:19 UTC (permalink / raw)
  To: netfilter

Hi,

Alistair Tonner wrote:
> 	Indeed an important component -- the point being that user-created tables
> cannot have a POLICY set and when a packet reaches the end of a user-created
> table, unless otherwise set, the packet RETURNS to the calling table and
> continues to traverse it again at that point.

Thanks for pointing this out :)

Regards,

   Florian
