FOLLOWUP Re: turning on verbose logging for iptables?
On Wed, Jul 17, 2002 at 09:22:12PM +0700, Jean Christophe ANDRÉ wrote:
> Dave Price wrote:
> > Is there a better syntax I should be using to define IP addresses in my
> > firewall script(s)?
>
> For this question I guess there is no easy answer... It depends on what you
> are using to build your firewall script. It seems you are doing it by hand
> (as I often do) so it's up to you to choose the way you want to write it!
Here is what I ran which worked perfectly!
#!/bin/bash
#fw_log.sh - set logging on iptables 7/17/2002; dap
sourceIPtoSpy=198.68.51.11
laptop=192.168.2.98
iptables -N LOGIT # special chain: log everything except packets of already-established connections
iptables -A LOGIT -m state --state ESTABLISHED -j RETURN # don't log established-connection traffic
iptables -A LOGIT -j LOG # everything else is logged (kernel log, default level warning)
iptables -A LOGIT -j RETURN # then go back to the calling chain
# insert (-I) at the top of FORWARD so the LOGIT jump is hit before any ACCEPT rule
iptables -I FORWARD -s $sourceIPtoSpy -j LOGIT
iptables -I FORWARD -d $sourceIPtoSpy -j LOGIT
iptables -I FORWARD -s $laptop -j LOGIT
iptables -I FORWARD -d $laptop -j LOGIT
#end
Question: what should I run to UNDO this? By hand, I deleted most of the
rules so there is no logging to my tiny 300MB firewall drive (only 50%
full with a debian firewall running)
Here is iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOGIT all -- anywhere 198.68.51.11
LOGIT all -- 198.68.51.11 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain LOGIT (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state ESTABLISHED
RETURN all -- anywhere anywhere state ESTABLISHED
LOG all -- anywhere anywhere LOG level warning
RETURN all -- anywhere anywhere
You can see there are still remnants of the test in iptables.
Any advice or pointers appreciated!
aloha,
dave
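An added example (not from Dave's post, nor from the iptables project) showing how to reverse the fw_log.sh script above and how to confirm from `iptables -L` output that nothing is left. It assumes the chain is still called LOGIT and that the logging rules were inserted into FORWARD by source/destination address, as in the script; the sample listing embedded below is constructed from the `iptables -L` output in the post. The undo has to run in a fixed order: iptables refuses to delete (-X) a chain while any rule still jumps to it, so the FORWARD references come out first, then the chain is flushed (-F), then deleted.

```shell
#!/bin/sh
# Added example: undo the LOGIT logging chain set up by fw_log.sh.
# Not part of the original post; chain name and addresses are assumed to match it.

IPT="${IPT:-iptables}"   # set IPT=echo to see the commands without running them

# Print the undo commands in the order iptables requires:
#   1. delete every FORWARD rule that jumps to the chain (-D by rule spec),
#   2. flush the chain (-F),
#   3. delete the now-unreferenced chain (-X).
# Usage: logit_undo_commands CHAIN ADDR...   (pipe into sh to execute)
logit_undo_commands() {
    chain="$1"
    shift
    for addr in "$@"; do
        printf '%s -D FORWARD -s %s -j %s\n' "$IPT" "$addr" "$chain"
        printf '%s -D FORWARD -d %s -j %s\n' "$IPT" "$addr" "$chain"
    done
    printf '%s -F %s\n' "$IPT" "$chain"
    printf '%s -X %s\n' "$IPT" "$chain"
}

# Count how many rules in chain $2 still have target $1, reading plain
# `iptables -L` output on stdin. A non-zero count after the undo means a
# rule was inserted more than once and -D must be repeated for it.
# Usage: iptables -L | count_chain_refs LOGIT FORWARD
count_chain_refs() {
    awk -v target="$1" -v chain="$2" '
        /^Chain / { in_chain = ($2 == chain); next }   # section header: "Chain NAME (...)"
        in_chain && $1 == target { n++ }                # first column is the rule target
        END { print n + 0 }'
}

# Constructed sample listing, taken from the `iptables -L` output in the post.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOGIT all -- anywhere 198.68.51.11
LOGIT all -- 198.68.51.11 anywhere
Chain LOGIT (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state ESTABLISHED
LOG all -- anywhere anywhere LOG level warning
RETURN all -- anywhere anywhere'

# Dry run: show the commands for the two addresses used in fw_log.sh, and how
# many FORWARD rules the sample listing still sends to LOGIT.
logit_undo_commands LOGIT 198.68.51.11 192.168.2.98
printf 'FORWARD rules still jumping to LOGIT: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | count_chain_refs LOGIT FORWARD)"
```

Each `-D` with a rule spec removes only the first matching rule, so if a rule was inserted twice (as `-I` happily allows), run the listing through `count_chain_refs` afterwards and repeat the delete until it reports 0; only then will `-X LOGIT` succeed.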
--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org