[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

iptables log-all and limits



hi, my iptables config can be reduced to the following example, which
let's ssh pass and drops everything else.

  iptables -P INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  iptables -A INPUT -j LOG

this works perfectly as i want it, but every now and then, i get
portscanned, and my kern.log grows like 14Mb in size because of that
LOG rule.

using the limitig features of iptables, i can say

  iptables -A INPUT -j LOG -m limit --limit 5/minute --limit-burst 5

to make it show a max. of 5/minute with an initial burst of 5.
however, this way, a lot of information will be lost. granted,
portscans can only be limited that way, but i am wondering if there's
a method to limit logs for a specific type of package (i.e. same
destination socket) only? like commercial products (e.g. FW-1) do. any
clues?

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"may your future be limited only by your dreams."
                                                  -- christa mcauliffe

Attachment: pgpnIeemKIGLm.pgp
Description: PGP signature


Reply to: