
List:       netfilter
Subject:    Re: logging question
From:       Simon Edwards <simon () simonzone ! com>
Date:       2001-07-13 14:44:17


> I have just set up my first iptables firewall. The firewall acts as my
> pop3/smtp/firewall. It seems to be working great although I am logging
> dropped packets whenever I connect to it with pop3. Here is the log
> message.

> And I am open to any suggestions concerning the configuration.

> Jul 12 23:59:19 hank kernel: IPT INPUT packet died: IN=eth1 OUT=
                                                         ^^^^
Did you expect the packet to be ACCEPTed via a rule on the tcp_shit chain?

Packets to eth1 don't *seem* to make it to the tcp_shit chain.

> -A INPUT -i eth0 -p icmp -j icmp_shit
> -A INPUT -i eth0 -p tcp -j tcp_shit
> -A INPUT -i eth0 -p udp -j udp_shit
> -A INPUT -d 192.168.1.255 -j ACCEPT
> -A INPUT -d 127.0.0.1 -j ACCEPT
> -A INPUT -d 192.168.1.1 -j ACCEPT
> -A INPUT -d 192.168.1.5 -j ACCEPT
> -A INPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
> -A INPUT -d 64.217.231.85 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "
> -A FORWARD -i eth1 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: "
> -A OUTPUT -s 127.0.0.1 -j ACCEPT
> -A OUTPUT -s 64.217.231.85 -j ACCEPT
> -A OUTPUT -s 192.168.1.1 -j ACCEPT
> -A OUTPUT -s 192.168.1.2 -j ACCEPT
> -A OUTPUT -s 192.168.1.3 -j ACCEPT
> -A OUTPUT -s 192.168.1.4 -j ACCEPT
> -A OUTPUT -s 192.168.1.5 -j ACCEPT
> -A OUTPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
> -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: "
> -A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 0 -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 5 -j ACCEPT
> -A icmp_shit -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A tcp_shit -p tcp -m tcp --dport 21 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 25 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 110 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 6667 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 22 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 80 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 113 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 5800 -j allowed
> -A tcp_shit -p tcp -m tcp --dport 5900 -j allowed
> -A udp_shit -p udp -m udp --sport 53 -j ACCEPT
> -A udp_shit -p udp -m udp --sport 123 -j ACCEPT
> -A udp_shit -p udp -m udp --sport 2074 -j ACCEPT
> -A udp_shit -p udp -m udp --sport 4000 -j ACCEPT
> COMMIT
> # Completed on Thu Jul 12 23:42:18 2001

-- 
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands       "ZooTV? You made the right choice."
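As an added illustration of Simon's point (this is not code from the thread), a small Python model of the quoted INPUT chain that traces where the first POP3 SYN ends up depending on the interface it arrives on. The match semantics are a deliberate simplification of iptables, and the destination address of the logged packet is an assumption, since the quoted log line is cut off before DST.

```python
import ipaddress
# (chain, match criteria, target) in the order the poster listed them. The per-host
# -d lines are folded into the /24 they sit in; the loopback line and -m limit are omitted.
RULES = [
    ("INPUT", {"in": "eth0", "proto": "icmp"}, "icmp_shit"),
    ("INPUT", {"in": "eth0", "proto": "tcp"}, "tcp_shit"),
    ("INPUT", {"in": "eth0", "proto": "udp"}, "udp_shit"),
    ("INPUT", {"dst": "192.168.1.0/24"}, "ACCEPT"),
    ("INPUT", {"dst": "64.217.231.85/32", "state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ("INPUT", {}, "LOG"),
    ("allowed", {"proto": "tcp", "syn": True}, "ACCEPT"),
    ("allowed", {"proto": "tcp", "state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
] + [("tcp_shit", {"proto": "tcp", "dport": p}, "allowed")
     for p in (21, 25, 110, 6667, 22, 80, 113, 5800, 5900)]

def matches(m, pkt):
    """True when every criterion present in the rule fits the packet."""
    return (m.get("in", pkt["in"]) == pkt["in"]
            and m.get("proto", pkt["proto"]) == pkt["proto"]
            and ("dst" not in m or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(m["dst"]))
            and m.get("dport", pkt.get("dport")) == pkt.get("dport")
            and m.get("syn", pkt.get("syn", False)) == pkt.get("syn", False)
            and ("state" not in m or pkt["state"] in m["state"]))

def walk(chain, pkt, logged):
    """Traverse one chain; None means it ran off its end (a user chain then RETURNs, as in iptables)."""
    for c, m, target in RULES:
        if c != chain or not matches(m, pkt):
            continue
        if target == "LOG":            # non-terminating: note the hit and keep going
            logged.append(chain)
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = walk(target, pkt, logged)   # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None

def trace(pkt):
    """Return (was it logged?, verdict); 'POLICY' means the INPUT chain policy decides."""
    logged = []
    verdict = walk("INPUT", pkt, logged)
    return bool(logged), verdict or "POLICY"

# Constructed packets: the first SYN of a POP3 session to the public address
# (that DST is an assumption; the quoted log line is truncated before it).
POP3_ETH1 = {"in": "eth1", "proto": "tcp", "dst": "64.217.231.85", "dport": 110, "syn": True, "state": "NEW"}
POP3_ETH0 = dict(POP3_ETH1, **{"in": "eth0"})
```

The eth1 SYN never reaches tcp_shit because the three dispatch rules match -i eth0 only, so it falls through to the LOG rule and then to the chain policy, while the identical SYN on eth0 is accepted via tcp_shit and allowed; later packets of the same session on eth1 are still accepted by the RELATED,ESTABLISHED rule, which is why only the connection attempt shows up in the log.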
