Linux Netfilter discussions
* How to ACCEPT or DENY or DROP and also LOG in the same rule ?
@ 2002-07-04  4:31 Orca J.
  2002-07-04  5:53 ` Michael
  2002-07-04  7:50 ` Antony Stone
  0 siblings, 2 replies; 8+ messages in thread
From: Orca J. @ 2002-07-04  4:31 UTC (permalink / raw)
  To: netfilter

Hi
  I want to both DENY and LOG in the same rule? Or ACCEPT and LOG, or DENY
and LOG.
Thanks



* RE: How to ACCEPT or DENY or DROP and also LOG in the same rule ?
@ 2002-07-04  4:56 George Vieira
  0 siblings, 0 replies; 8+ messages in thread
From: George Vieira @ 2002-07-04  4:56 UTC (permalink / raw)
  To: 'Orca J.', netfilter

Write the rules twice, and the first one is for -j LOG... pretty simple.

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au




* Re: How to ACCEPT or DENY or DROP and also LOG in the same rule ?
  2002-07-04  4:31 How to ACCEPT or DENY or DROP and also LOG in the same rule ? Orca J.
@ 2002-07-04  5:53 ` Michael
  2002-07-04  7:50 ` Antony Stone
  1 sibling, 0 replies; 8+ messages in thread
From: Michael @ 2002-07-04  5:53 UTC (permalink / raw)
  To: netfilter

I don't believe you can.

Just do a rule pair:

<somerule to match> -j LOG
<somerule to match> -j ACCEPT

I think that, since LOG doesn't cause the packet to leave the table 
(ACCEPT and DROP do), it will continue traversal of the table until a 
match/target that does cause it to leave the table is found. So the 
matching DROP or ACCEPT rule will then dispose the packet as you wish 
after it was logged.

Cheers,
Michael



* Re: How to ACCEPT or DENY or DROP and also LOG in the same rule ?
  2002-07-04  4:31 How to ACCEPT or DENY or DROP and also LOG in the same rule ? Orca J.
  2002-07-04  5:53 ` Michael
@ 2002-07-04  7:50 ` Antony Stone
  2002-07-04 14:54   ` Ed Street
  1 sibling, 1 reply; 8+ messages in thread
From: Antony Stone @ 2002-07-04  7:50 UTC (permalink / raw)
  To: netfilter

On Thursday 04 July 2002 5:31 am, Orca J. wrote:

> Hi
>   I want to both DENY and LOG in the same rule ? or ACCEPT and LOG , or
> DENY and LOG

You can't put them both in the same rule, but you can create a user-defined 
chain and jump to that:

iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-options........
iptables -A LOGDROP -j DROP

Then use that single target in your rules:

iptables -A INPUT -i eth0 -j LOGDROP

 

Antony/.



* RE: How to ACCEPT or DENY or DROP and also LOG in the same rule ?
  2002-07-04  7:50 ` Antony Stone
@ 2002-07-04 14:54   ` Ed Street
  2002-07-04 15:00     ` Antony Stone
  0 siblings, 1 reply; 8+ messages in thread
From: Ed Street @ 2002-07-04 14:54 UTC (permalink / raw)
  To: 'Antony Stone', netfilter

Hello,

Actually you can:
Rule #1 is to log 
Rule #2 is to deny

Works in any chain.

Ed


* Re: How to ACCEPT or DENY or DROP and also LOG in the same rule ?
  2002-07-04 14:54   ` Ed Street
@ 2002-07-04 15:00     ` Antony Stone
  2002-07-04 15:04       ` Ed Street
  2002-07-04 15:18       ` Leonardo Rodrigues
  0 siblings, 2 replies; 8+ messages in thread
From: Antony Stone @ 2002-07-04 15:00 UTC (permalink / raw)
  To: netfilter

On Thursday 04 July 2002 3:54 pm, Ed Street wrote:

> Hello,
>
> Actually you can:
> Rule #1 is to log
> Rule #2 is to deny

The original question was: I want to both DENY and LOG *in the same rule*.

Other posters suggested doing it in two rules, but this can make the rulesets 
unnecessarily long and tedious; it's far easier to read if you create your 
own chain to do the two operations and then call it from a single rule when 
you want to both LOG and DROP.

Antony.


* RE: How to ACCEPT or DENY or DROP and also LOG in the same rule ?
  2002-07-04 15:00     ` Antony Stone
@ 2002-07-04 15:04       ` Ed Street
  2002-07-04 15:18       ` Leonardo Rodrigues
  1 sibling, 0 replies; 8+ messages in thread
From: Ed Street @ 2002-07-04 15:04 UTC (permalink / raw)
  To: 'Antony Stone', netfilter

Hello,

Ok fine. 1 line

Log_drop function, parameters, goes, here

The log_drop function would do the 
Iptables foo log
Iptables foo drop


Ed


* Re: How to ACCEPT or DENY or DROP and also LOG in the same rule ?
  2002-07-04 15:00     ` Antony Stone
  2002-07-04 15:04       ` Ed Street
@ 2002-07-04 15:18       ` Leonardo Rodrigues
  1 sibling, 0 replies; 8+ messages in thread
From: Leonardo Rodrigues @ 2002-07-04 15:18 UTC (permalink / raw)
  To: Antony Stone, netfilter


    Short answer: you can't. The ipchains '-l' option doesn't exist in iptables.

    Workaround: if you really need this to be done in one rule, you can
create a chain with those two commands and then use it.

iptables -N log_drop
iptables -A log_drop -j LOG --log-prefix "blabla: " .....
iptables -A log_drop -j DROP

    then, in your other chains, when you need something to be dropped and
logged, you can do:

iptables -A INPUT -s something -d someaddress -j log_drop

    This meets your 'requirements', as you're logging and dropping in the
SAME rule and you won't have unnecessary rules, as the 'log and drop' will be
created just once.

    Of course, '-j log_drop' can be used all the times you need it .....

    This should do the trick ..... in fact, you'll HAVE to do something like
this, as ipchains '-l' really doesn't exist here.

    I think you should think about how good this can be. For example, I have a
firewall script based on iptables and I have lots of 'log drop' rules. Each
one of them has a special log-prefix setting. I use each one of them in
different situations, so my log shows exactly the dropped packet and WHERE
it was dropped ( log-prefix ). I can easily know if a packet was dropped on
the forward rule, input rule ......

    Sincerely,
    Leonardo Rodrigues
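
The log-and-drop chains from this thread, with one chain and one log prefix per hook as the message above describes, written out as an added example that is not part of the original thread. The chain names, prefixes and rate limit are assumptions; the script prints an iptables-restore fragment instead of changing the running firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Chain names, prefixes and the
# rate limit are assumptions; eth0 is the interface used in the thread.

# log_drop_rules NAME PREFIX: print the two rules of one log-and-drop chain.
log_drop_rules() {
    name=$1
    prefix=$2
    # iptables accepts at most 29 characters for --log-prefix.
    if [ "${#prefix}" -gt 29 ]; then
        echo "log prefix too long for $name: '$prefix'" >&2
        return 1
    fi
    # LOG does not end traversal, so it goes first. The limit match keeps a
    # flood from filling the kernel log; packets over the limit fail this
    # rule's match and fall through to DROP unlogged.
    printf '%s\n' "-A $name -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$prefix\""
    printf '%s\n' "-A $name -j DROP"
}

# build_ruleset: print an iptables-restore fragment for the filter table.
build_ruleset() {
    echo '*filter'
    echo ':LOGDROP_IN - [0:0]'
    echo ':LOGDROP_FWD - [0:0]'
    log_drop_rules LOGDROP_IN 'DROP-INPUT: ' || return 1
    log_drop_rules LOGDROP_FWD 'DROP-FORWARD: ' || return 1
    # Each call site needs only one rule: a jump to the matching chain.
    echo '-A INPUT -i eth0 -j LOGDROP_IN'
    echo '-A FORWARD -i eth0 -j LOGDROP_FWD'
    echo 'COMMIT'
}

# Print the fragment for review before loading it.
build_ruleset
```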

