Linux Netfilter discussions
From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: why incoming packet's device not logging?
Date: Sat, 21 May 2005 17:32:58 -0400
Message-ID: <20050521213258.GA2017@bender.817west.com>
In-Reply-To: <20050521070446.49238.qmail@web33015.mail.mud.yahoo.com>

On Sat, May 21, 2005 at 12:04:46AM -0700, cranium2003 wrote:
> hello,
>     I added 3 rules to iptables as
> iptables -A INPUT -j LOG

-A appends the rule to the end of the chain...let's see if that matters.

> iptables -A OUTPUT -j LOG
> iptables -A FORWARD -j LOG
> But I am getting logs from the FORWARD and OUTPUT chains
> correctly, but why, when a packet comes in, is its incoming
> device not logged? My iptables is
> 
> # Generated by iptables-save v1.2.7a on Sat May 21 12:34:30 2005
> *nat
> :PREROUTING ACCEPT [123:21369]
> :POSTROUTING ACCEPT [6:360]
> :OUTPUT ACCEPT [6:360]
> -A POSTROUTING -o eth0 -p icmp -j SNAT --to-source 10.1.1.1
> COMMIT
> # Completed on Sat May 21 12:34:30 2005
> # Generated by iptables-save v1.2.7a on Sat May 21 12:34:30 2005
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [54:8496]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT 

so the first rule in INPUT, is to jump to the RH-Lokkit-0-50-INPUT
chain.

> -A INPUT -j LOG 

and the second rule is to LOG.  so let's skip down and see what
RH-Lokkit-0-50-INPUT does...

> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

so we ACCEPT SMTP, HTTP, FTP, SSH, TELNET, and DHCP traffic--so none of
that will ever make it to your LOG rule.

> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT 
> -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT 
> -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT 

and now we've unconditionally ACCEPTed all traffic arriving on lo,
eth0, and eth1.  if those are all the interfaces you have, then there's
no traffic left that will traverse any further rules.

<--snip-->

if you're looking to create your own firewall script from scratch, do
just that--start from scratch:

  #!/bin/bash
  # delete all rules and user-defined chains
  for t in mangle nat filter; do
    iptables -t $t -F
    iptables -t $t -X
    iptables -t $t -Z
  done

  # set all policies to ACCEPT
  for c in PREROUTING POSTROUTING OUTPUT; do
    for t in mangle nat; do
      iptables -t $t -P $c ACCEPT
    done
  done

  for c in INPUT FORWARD OUTPUT; do
    for t in mangle filter; do
      iptables -t $t -P $c ACCEPT
    done
  done

alternatively, you could type "service iptables stop" which basically
does the above...but what's the fun in that?

after everything is cleared out--then you can start adding your own
rules.

-j

--
"Peter: This party couldn't be better if Jesus was here.
 Jesus: For my next miracle, I will turn water... into FUNK."
        --Family Guy
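
The rule-ordering point made in the reply above, as an added illustration (this is not code from the thread or from any iptables tool): a toy model of filter-chain traversal in Python. It encodes only what the thread turns on: rules are evaluated in order, ACCEPT/DROP end traversal, a jump into a user chain returns to the caller if nothing in it terminates, and LOG is a non-terminating target that only fires if the packet ever reaches it. The `RH-Lokkit-0-50-INPUT` chain is taken from the quoted `iptables-save` output with its port ranges and TCP-flag matches collapsed to plain port matches; the sample packets and the `inserted_ruleset` variant (what `iptables -I INPUT 1 -j LOG` would produce instead of `-A`) are constructed assumptions for the demonstration.

```python
# Toy model of iptables filter-chain traversal (added illustration, not
# code from the mailing-list thread or from netfilter).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, LOG, RETURN, or a user-chain name
    iface: Optional[str] = None   # -i
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport (ranges collapsed to one port here)

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or pkt.get("in") == self.iface)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def traverse(chains: Dict[str, List[Rule]], name: str, pkt: Packet,
             log: List[str]) -> Optional[str]:
    """Walk chain `name` in order; return a verdict, or None if it falls through."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            log.append(f"chain={name} IN={pkt.get('in')} "
                       f"PROTO={pkt.get('proto')} DPT={pkt.get('dport')}")
            continue                          # LOG does not stop traversal
        if rule.target == "RETURN":
            return None
        if rule.target in TERMINATING:
            return rule.target
        verdict = traverse(chains, rule.target, pkt, log)   # jump to user chain
        if verdict is not None:
            return verdict                    # the user chain decided
    return None


def run_input(chains: Dict[str, List[Rule]], policy: str,
              pkt: Packet) -> Tuple[str, List[str]]:
    """Run a packet through INPUT; return (final verdict, LOG lines emitted)."""
    log: List[str] = []
    verdict = traverse(chains, "INPUT", pkt, log)
    return (verdict or policy), log


# RH-Lokkit-0-50-INPUT as quoted in the thread, simplified to this model.
LOKKIT = [Rule("ACCEPT", proto="tcp", dport=p) for p in (25, 80, 21, 22, 23)] + [
    Rule("ACCEPT", iface="eth0", proto="udp", dport=67),
    Rule("ACCEPT", iface="eth1", proto="udp", dport=67),
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", iface="eth0"),
    Rule("ACCEPT", iface="eth1"),
]


def appended_ruleset() -> Dict[str, List[Rule]]:
    """What `iptables -A INPUT -j LOG` produced: the jump is evaluated first."""
    return {"INPUT": [Rule("RH-Lokkit-0-50-INPUT"), Rule("LOG")],
            "RH-Lokkit-0-50-INPUT": list(LOKKIT)}


def inserted_ruleset() -> Dict[str, List[Rule]]:
    """Assumed alternative, `iptables -I INPUT 1 -j LOG`: LOG is evaluated first."""
    return {"INPUT": [Rule("LOG"), Rule("RH-Lokkit-0-50-INPUT")],
            "RH-Lokkit-0-50-INPUT": list(LOKKIT)}


if __name__ == "__main__":
    # Constructed sample packet: HTTPS arriving on eth0.
    pkt = {"in": "eth0", "proto": "tcp", "dport": 443}
    for label, rules in (("appended", appended_ruleset()),
                         ("inserted", inserted_ruleset())):
        verdict, log = run_input(rules, "ACCEPT", pkt)
        print(f"{label}: verdict={verdict} logged={log}")
```

With the appended ruleset every packet on lo, eth0 or eth1 is accepted inside the Lokkit chain and the LOG rule is never reached; with the LOG rule at position 1 the same packet is logged and then accepted. A packet on an interface the Lokkit chain does not cover (the caveat in the reply) falls through and is logged even with the appended ordering.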


Thread overview: 4+ messages
2005-05-21  7:04 why incoming packet's device not logging? cranium2003
2005-05-21 10:07 ` Jonas Berlin
2005-05-21 21:32 ` Jason Opperisano [this message]
  -- strict thread matches above, loose matches on Subject: below --
2005-05-21 13:22 cranium2003