Linux Netfilter discussions
* why incoming packet's device not logging?
@ 2005-05-21  7:04 cranium2003
  2005-05-21 10:07 ` Jonas Berlin
  2005-05-21 21:32 ` Jason Opperisano
  0 siblings, 2 replies; 4+ messages in thread
From: cranium2003 @ 2005-05-21  7:04 UTC (permalink / raw)
  To: netfilter, netfilterusers

hello,
    I added 3 rules to iptables as
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
 But I am getting the logs of the FORWARD and OUTPUT chains correctly, so why,
when a packet comes in, is its incoming device not logged? My iptables rules
are

# Generated by iptables-save v1.2.7a on Sat May 21 12:34:30 2005
*nat
:PREROUTING ACCEPT [123:21369]
:POSTROUTING ACCEPT [6:360]
:OUTPUT ACCEPT [6:360]
-A POSTROUTING -o eth0 -p icmp -j SNAT --to-source 10.1.1.1
COMMIT
# Completed on Sat May 21 12:34:30 2005
# Generated by iptables-save v1.2.7a on Sat May 21 12:34:30 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [54:8496]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A INPUT -j LOG
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG
-A OUTPUT -j LOG
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat May 21 12:34:30 2005



* Re: why incoming packet's device not logging?
  2005-05-21  7:04 why incoming packet's device not logging? cranium2003
@ 2005-05-21 10:07 ` Jonas Berlin
  2005-05-21 21:32 ` Jason Opperisano
  1 sibling, 0 replies; 4+ messages in thread
From: Jonas Berlin @ 2005-05-21 10:07 UTC (permalink / raw)
  To: cranium2003; +Cc: netfilter-devel, netfilter


Quoting cranium2003 on 2005-05-21 07:04 UTC:
> hello,
>     I added 3 rules to iptables as
> iptables -A INPUT -j LOG
> iptables -A OUTPUT -j LOG
> iptables -A FORWARD -j LOG
>  But i am getting log of forward and output chain
> correctly but why when packet comes its incoming
> device is not logged. My IPTABLES is
  <snip>
> -A INPUT -j RH-Lokkit-0-50-INPUT 
> -A INPUT -j LOG 
  <snip>
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT 
> -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT 
> -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT 

It seems that these last three rules accept basically all packets and
thus the LOG rule is never reached. Or do you have more network cards
than eth0 and eth1?

You say it works for FORWARD, but I don't think I see how it could.

I wonder if those ACCEPTs are there by mistake. Maybe they should be at
the end of the RH-Lokkit-0-50-INPUT chain instead?

If you need further help, please give more info about your network setup.

--
- xkr47



* Re: why incoming packet's device not logging?
@ 2005-05-21 13:22 cranium2003
  0 siblings, 0 replies; 4+ messages in thread
From: cranium2003 @ 2005-05-21 13:22 UTC (permalink / raw)
  To: Jonas Berlin; +Cc: netfilter-devel, netfilter

hello,

>   <snip>
> > -A INPUT -j RH-Lokkit-0-50-INPUT 
> > -A INPUT -j LOG 
>   <snip>
> > -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT 
> > -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT 
> > -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT 
> 
> It seems that these last three rules accept
> basically all packets and
> thus the LOG rule is never reached.. Or do you have
> more network cards
> than eth0 and eth1 ?
> 
> You say it works for FORWARD, but I don't think I
> see how it could..
>    
> I wonder if those ACCEPTs are there by mistake..
> maybe they should be at
> the end of the RH-Lokkit-0-50-INPUT chain instead?
> 
> If you need further help, please give more info
> about your network setup.

 my ifconfig is
eth0      Link encap:Ethernet  HWaddr 00:80:48:C3:11:94
          inet addr:10.1.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:110647 errors:0 dropped:0 overruns:0 frame:0
          TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1 txqueuelen:1000
          RX bytes:6839310 (6.5 Mb)  TX bytes:6715 (6.5 Kb)
          Interrupt:11 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:08:A1:43:61:F5
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3494 (3.4 Kb)  TX bytes:2246 (2.1 Kb)
          Interrupt:9 Base address:0x9c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

my routing table is
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.2.10       0.0.0.0         UG    0      0        0 eth0

regards,
cranium.




* Re: why incoming packet's device not logging?
  2005-05-21  7:04 why incoming packet's device not logging? cranium2003
  2005-05-21 10:07 ` Jonas Berlin
@ 2005-05-21 21:32 ` Jason Opperisano
  1 sibling, 0 replies; 4+ messages in thread
From: Jason Opperisano @ 2005-05-21 21:32 UTC (permalink / raw)
  To: netfilter

On Sat, May 21, 2005 at 12:04:46AM -0700, cranium2003 wrote:
> hello,
>     I added 3 rules to iptables as
> iptables -A INPUT -j LOG

-A appends the rule to the end of the chain...let's see if that matters.

> iptables -A OUTPUT -j LOG
> iptables -A FORWARD -j LOG
>  But i am getting log of forward and output chain
> correctly but why when packet comes its incoming
> device is not logged. My IPTABLES is
> 
> # Generated by iptables-save v1.2.7a on Sat May 21 12:34:30 2005
> *nat
> :PREROUTING ACCEPT [123:21369]
> :POSTROUTING ACCEPT [6:360]
> :OUTPUT ACCEPT [6:360]
> -A POSTROUTING -o eth0 -p icmp -j SNAT --to-source 10.1.1.1
> COMMIT
> # Completed on Sat May 21 12:34:30 2005
> # Generated by iptables-save v1.2.7a on Sat May 21 12:34:30 2005
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [54:8496]
> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT

so the first rule in INPUT is to jump to the RH-Lokkit-0-50-INPUT
chain.

> -A INPUT -j LOG 

and the second rule is to LOG.  so let's skip down and see what
RH-Lokkit-0-50-INPUT does...

> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

so we ACCEPT SMTP, HTTP, FTP, SSH, TELNET, and DHCP traffic--so none of
that will ever make it to your LOG rule.

> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT 
> -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT 
> -A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT 

and now we've unconditionally ACCEPTed all traffic arriving in on lo,
eth0, and eth1.  if those are all the interfaces you have, then there's
no traffic left that will traverse any further rules.

<--snip-->

if you're looking to create your own firewall script from scratch, do
just that--start from scratch:

  #!/bin/bash
  # delete all rules and user-defined chains
  for t in mangle nat filter; do
    iptables -t $t -F
    iptables -t $t -X
    iptables -t $t -Z
  done

  # set all policies to ACCEPT
  for c in PREROUTING POSTROUTING OUTPUT; do
    for t in mangle nat; do
      iptables -t $t -P $c ACCEPT
    done
  done

  for c in INPUT FORWARD OUTPUT; do
    for t in mangle filter; do
      iptables -t $t -P $c ACCEPT
    done
  done

alternatively, you could type "service iptables stop" which basically
does the above...but what's the fun in that?

after everything is cleared out--then you can start adding your own
rules.

-j

--
"Peter: This party couldn't be better if Jesus was here.
 Jesus: For my next miracle, I will turn water... into FUNK."
        --Family Guy
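
To make the chain traversal Jonas and Jason walk through above concrete, here is a small chain-walk simulator (an added example, not code from this thread or from the netfilter project) run over a constructed subset of the poster's filter table; it shows that with the three blanket per-interface ACCEPTs inside RH-Lokkit-0-50-INPUT neither INPUT nor FORWARD ever reaches its LOG rule, that the REJECT rules placed after those ACCEPTs are dead as well, and that removing the three rules lets a packet fall back into INPUT and hit LOG. The names `verdict`, `walk`, `matches` and `parse_rule` are this example's own, and only interface, protocol and destination port are modelled.

```python
import re
# Constructed subset of the poster's filter table (--tcp-flags and -m state matches omitted).
RULESET = """
-A INPUT -j RH-Lokkit-0-50-INPUT
-A INPUT -j LOG
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A FORWARD -j LOG
-A RH-Lokkit-0-50-INPUT -p tcp --dport 22 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp --dport 0:1023 -j REJECT
"""
# Same ruleset with the three unconditional per-interface ACCEPTs removed.
WITHOUT_BLANKET_ACCEPTS = "\n".join(l for l in RULESET.splitlines() if "-i " not in l)
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    def opt(flag):  # value following `flag`, or None if the option is absent
        m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", line)
        return m.group(1) if m else None
    return {"chain": opt("-A"), "iface": opt("-i"), "proto": opt("-p"),
            "dport": opt("--dport"), "target": opt("-j")}

def matches(rule, pkt):
    lo, _, hi = (rule["dport"] or "0:65535").partition(":")  # port or lo:hi range
    return (rule["iface"] in (None, pkt["iface"]) and rule["proto"] in (None, pkt["proto"])
            and int(lo) <= pkt["dport"] <= int(hi or lo))

def walk(chains, chain, pkt, trace):
    """Traverse one chain; return a verdict, or None if the chain falls through.
    LOG is non-terminating: it is recorded in `trace` and traversal continues."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        trace.append(f"{chain}: {tgt}")
        if tgt in TERMINAL:                      # terminating target: done
            return tgt
        if tgt != "LOG":                         # jump into a user-defined chain
            v = walk(chains, tgt, pkt, trace)    # None means it fell through
            if v:
                return v
    return None

def verdict(ruleset, chain, pkt, policy="ACCEPT"):
    """Return (final verdict, targets hit in order) for a packet entering `chain`."""
    chains = {}
    for line in ruleset.strip().splitlines():
        r = parse_rule(line)
        chains.setdefault(r["chain"], []).append(r)
    trace = []
    return walk(chains, chain, pkt, trace) or f"policy {policy}", trace
```

With the poster's ordering, a UDP packet to port 53 on eth0 is ACCEPTed by the blanket rule before the udp 0:1023 REJECT is ever consulted; with those rules gone, the same packet is REJECTed and an unmatched one falls back into INPUT and reaches LOG.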


