[CS-FSLUG] Firewall fights

Stephen J. McCracken smccracken at hcjb.org.ec
Wed Jan 25 13:40:06 CST 2006


>> Ignoring it is fine, but how do I tell my firewall to quit logging
>> that so I can concentrate on detecting genuine threats? I realize
>> you may not have a simple concrete answer for that. I'm not going
>> to be modifying a Linux kernel, so that's out.
>> 
> A little grep work against the log should strip it out of view so you
> don't see it and still provide you with everything else. 

The easier thing is to put the line to log the packets right at the end
of the iptables rules before the default policy kicks in.  Then you add
in the ACCEPT or DROP rules above that to keep them from ever getting to
the LOG rule.  Your rules would look something like the below (in
iptables-save notation which is the same as the rules, but without the
iptables command prepended to the rule).  With this logging you can
check the prefix for "No Rule" and, if you don't want to see it in the
logs, add rules to the tables to ACCEPT/DROP it before it gets logged.
You can also tighten down the OUTPUT table to policy DROP after looking
at the logs to see what is getting accepted by the policy ("No Rule -
OUTPUT") and adding in what you need to ACCEPT.

(Beware of line wrapping in email)

-----------------

# I log everything at log level debug and in /etc/syslog.conf have
## 27.Jan.05 - sjm - We're logging iptables with level debug
#kern.=debug        /var/log/iptables
##
# so all iptables LOGs go to /var/log/iptables rather than the main
# /var/log/messages file.

# Our IPs: 192.168.1.64 - 192.168.1.67

*filter

# Set default policies
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#:OUTPUT DROP [0:0]
:blockit - [0:0]

# #########################
#
# INPUT table
#
# #########################

# Allow loopback traffic
-A INPUT -i lo -j ACCEPT

# allow established and related packets back in
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# unconditional block - table defined below
-A INPUT -j blockit

# icmp types allowed
# (see http://www.iana.org/assignments/icmp-parameters)
# 0 - Echo reply
# 3/4 - Destination unreachable/Fragmentation needed
# 8 - echo request
# 11 - Time exceeded
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT

# open ssh (would you want to restrict from where?)
#-A INPUT -s 192.168.1.64 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT

# Keep RST,ACK packets out of the logs
-A INPUT -p tcp --tcp-flags ALL RST,ACK -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
#
-A INPUT -j LOG --log-level debug --log-prefix "No Rule - INPUT   :"
-A INPUT -j DROP
# The above DROP is redundant with the policy being DROP

# #########################
#
# "blockit" table
#
# #########################

# Unconditional block table
# DROP invalid packets
-A blockit -m state --state INVALID -j LOG --log-level debug --log-prefix "State Invalid     :"
-A blockit -m state --state INVALID -j DROP
# DROP non-public addresses that we shouldn't see
-A blockit -s 10.0.0.0/8 -j DROP
-A blockit -s 172.16.0.0/12 -j DROP
# Allow addresses of our other boxes
# (comment out the RETURN of the address of *this*
# box because we shouldn't see that coming in)
-A blockit -s 192.168.1.64 -j RETURN
-A blockit -s 192.168.1.65 -j RETURN
-A blockit -s 192.168.1.66 -j RETURN
-A blockit -s 192.168.1.67 -j RETURN
-A blockit -s 192.168.1.254 -j RETURN
-A blockit -s 192.168.0.0/16 -j DROP


# #########################
#
# OUTPUT table
#
# #########################

# Allow loopback traffic
-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -j LOG --log-level debug --log-prefix "No Rule - OUTPUT  :"
#-A OUTPUT -j DROP
# The above DROP is redundant with the policy being DROP

# iptables-restore needs the table closed with COMMIT
COMMIT
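As an added example (not part of Stephen's post), a small Python script that reads /var/log/iptables-style LOG lines, groups them by --log-prefix, and drafts the OUTPUT ACCEPT rules you would review before flipping the OUTPUT policy to DROP; the log lines are constructed and the host name "fw" is made up.

```python
"""Summarise netfilter LOG lines by --log-prefix and draft the OUTPUT ACCEPT
rules to review before switching ':OUTPUT ACCEPT' to ':OUTPUT DROP'.
Added example, not from the original post; SAMPLE_LOG is constructed."""
import re
from collections import Counter

# Constructed /var/log/iptables-style lines (host name "fw" is made up).
SAMPLE_LOG = """\
Jan 25 13:40:06 fw kernel: No Rule - OUTPUT  :IN= OUT=eth0 SRC=192.168.1.64 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Jan 25 13:40:07 fw kernel: No Rule - OUTPUT  :IN= OUT=eth0 SRC=192.168.1.64 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=53 LEN=40
Jan 25 13:40:09 fw kernel: [1234.567] No Rule - OUTPUT  :IN= OUT=eth0 SRC=192.168.1.64 DST=10.1.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 13:40:12 fw kernel: No Rule - INPUT   :IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=192.168.1.64 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4 PROTO=TCP SPT=1234 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 25 13:40:15 fw kernel: State Invalid     :IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.64 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=5 PROTO=TCP SPT=1234 DPT=22 ACK URGP=0
Jan 25 13:40:20 fw sshd[123]: Accepted publickey for sjm from 192.168.1.65 port 50000 ssh2
"""

# A LOG line is "<prefix>IN=... OUT=... SRC=... DST=... PROTO=... DPT=..."; the
# prefix is whatever sits between "kernel:" (plus an optional "[uptime]") and "IN=".
_LINE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)$")
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return (prefix, fields) for a netfilter LOG line, else None."""
    m = _LINE.search(line)
    if m is None:
        return None
    fields = dict(_KV.findall("IN=" + m.group("rest")))
    return m.group("prefix").rstrip(" :"), fields

def summarise(lines):
    """Count (PROTO, DST, DPT) tuples under each log prefix; DPT is '-' for
    protocols without ports (e.g. ICMP)."""
    summary = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        key = (f.get("PROTO", "?"), f.get("DST", "?"), f.get("DPT", "-"))
        summary.setdefault(prefix, Counter())[key] += 1
    return summary

def suggest_rules(summary, prefix="No Rule - OUTPUT"):
    """Draft iptables-save ACCEPT rules for what the OUTPUT catch-all logged.
    Review each one before adding it (10.1.2.3 below is probably not wanted)."""
    rules = []
    for proto, dst, dport in sorted(summary.get(prefix, Counter())):
        port = "" if dport == "-" else f" --dport {dport}"
        rules.append(f"-A OUTPUT -p {proto.lower()} -d {dst}{port} -j ACCEPT")
    return rules

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print("\n".join(suggest_rules(s)))
```

Run it against the real file with `summarise(open("/var/log/iptables"))` and anything left under "No Rule - OUTPUT" after you have added the ACCEPT rules is what the DROP policy will silently kill.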