List: netfilter
Subject: Re: logging question
From: Simon Edwards <simon () simonzone ! com>
Date: 2001-07-13 14:44:17
> I have just set up my first iptables firewall. The firewall acts as my
> pop3/smtp/firewall. It seems to be working great although I am logging
> dropped packets whenever I connect to it with pop3. Here is the log
> message.
> And I am open to any suggestions concerning the configuration.
> Jul 12 23:59:19 hank kernel: IPT INPUT packet died: IN=eth1 OUT=
^^^^
Did you expect the packet to be ACCEPTed via a rule on the tcp_shit chain?
Packets to eth1 don't *seem* to make it to the tcp_shit chain.
> -A INPUT -i eth0 -p icmp -j icmp_shit
> -A INPUT -i eth0 -p tcp -j tcp_shit
> -A INPUT -i eth0 -p udp -j udp_shit
> -A INPUT -d 192.168.1.255 -j ACCEPT
> -A INPUT -d 127.0.0.1 -j ACCEPT
> -A INPUT -d 192.168.1.1 -j ACCEPT
> -A INPUT -d 192.168.1.5 -j ACCEPT
> -A INPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
> -A INPUT -d 64.217.231.85 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "
> -A FORWARD -i eth1 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: "
> -A OUTPUT -s 127.0.0.1 -j ACCEPT
> -A OUTPUT -s 64.217.231.85 -j ACCEPT
> -A OUTPUT -s 192.168.1.1 -j ACCEPT
> -A OUTPUT -s 192.168.1.2 -j ACCEPT
> -A OUTPUT -s 192.168.1.3 -j ACCEPT
> -A OUTPUT -s 192.168.1.4 -j ACCEPT
> -A OUTPUT -s 192.168.1.5 -j ACCEPT
> -A OUTPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
> -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: "
> -A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 0 -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 5 -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A tcp_shit -p tcp -m tcp --dport 21 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 25 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 110 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 6667 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 22 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 80 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 113 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 5800 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 5900 -j allowed
> -A udp_shit -p udp -m udp --sport 53 -j ACCEPT
> -A udp_shit -p udp -m udp --sport 123 -j ACCEPT
> -A udp_shit -p udp -m udp --sport 2074 -j ACCEPT
> -A udp_shit -p udp -m udp --sport 4000 -j ACCEPT
> COMMIT
> # Completed on Thu Jul 12 23:42:18 2001
--
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands "ZooTV? You made the right choice."
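An added example, not part of Simon's reply or the original poster's ruleset: a small Python model of INPUT chain evaluation over an excerpt of the quoted rules. It reproduces the point made above: a new pop3 connection arriving on eth1 never reaches tcp_shit, because the jumps into the protocol chains are restricted to -i eth0, so the packet falls through to the LOG rule, while the same SYN on eth0 is accepted via tcp_shit and allowed. The rule excerpt is embedded inline; limit matching and real connection tracking are simplified to a per-packet state field.

```python
from ipaddress import ip_address, ip_network
import shlex
# Constructed excerpt of the quoted ruleset: only the rules on the pop3 (port 110) path.
RULESET = """
-A INPUT -i eth0 -p tcp -j tcp_shit
-A INPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -d 64.217.231.85 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A tcp_shit -p tcp -m tcp --dport 110 -j allowed
"""
SIMPLE = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}  # one-argument options

def parse(text):  # iptables-save style lines -> {chain: [rule, ...]}, rules kept in order
    chains = {}
    for line in text.strip().splitlines():
        t, rule, i = shlex.split(line), {}, 0
        while i < len(t):
            opt, arg = t[i], t[i + 1]
            if opt in SIMPLE: rule[SIMPLE[opt]] = arg
            elif opt == "-d": rule["dst"] = ip_network(arg, strict=False)
            elif opt == "--dport": rule["dport"] = int(arg)
            elif opt == "--state": rule["state"] = set(arg.split(","))
            elif opt == "--tcp-flags":  # two arguments: mask, then the flags that must be set
                rule["flags"] = (set(arg.split(",")), set(t[i + 2].split(","))); i += 1
            i += 2  # -m, --limit, --limit-burst, --log-prefix are consumed but not modelled
        chains.setdefault(rule["chain"], []).append(rule)
    return chains

def matches(r, p):  # every option present on the rule must match the packet
    return (("iface" not in r or r["iface"] == p["iface"]) and ("proto" not in r or r["proto"] == p["proto"])
            and ("dst" not in r or ip_address(p["dst"]) in r["dst"]) and ("dport" not in r or r["dport"] == p["dport"])
            and ("state" not in r or p["state"] in r["state"])
            and ("flags" not in r or (p["flags"] & r["flags"][0]) == r["flags"][1]))

def walk(chains, chain, p, trace):  # ACCEPT/DROP/REJECT, or None when the packet falls off the end (RETURN)
    trace.append(chain)
    for r in chains[chain]:
        if not matches(r, p): continue
        if r["target"] == "LOG": trace.append("LOG"); continue  # LOG is non-terminating
        if r["target"] in ("ACCEPT", "DROP", "REJECT"): return r["target"]
        v = walk(chains, r["target"], p, trace)  # jump into a user-defined chain
        if v: return v
def evaluate(chains, p):  # (verdict, chains visited); 'policy' means it fell off the end of INPUT
    trace = []
    return walk(chains, "INPUT", p, trace) or "policy", trace
def pop3_syn(iface, dst):  # a new pop3 connection attempt (bare SYN) as conntrack would classify it
    return {"iface": iface, "proto": "tcp", "dst": dst, "dport": 110, "state": "NEW", "flags": {"SYN"}}
CHAINS = parse(RULESET)
if __name__ == "__main__":
    print({i: evaluate(CHAINS, pop3_syn(i, "64.217.231.85")) for i in ("eth0", "eth1")})
```

Running it shows the eth0 SYN accepted through INPUT, tcp_shit and allowed, and the eth1 SYN to the public address hitting only INPUT and LOG; a SYN on eth1 to a 192.168.1.x address is accepted by the network rule, which is why only connections to the public address show up in the log.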