Re: How to work with my iptables script
On 30 Aug 2004, Jacob Friis Larsen wrote:
>>>> Logging would probably also be useful.
>>> How do I do that?
>> the 'LOG' or 'ULOG' targets. 'LOG' is easier to use initially, and the
>> iptables manual page covers it.
>> It writes messages about packets that match that rule to your kernel
>> message log, which feeds into syslog.
> Could I do it like this:
> # Default rules
> iptables -P INPUT LOG DROP
> iptables -P FORWARD LOG DROP
> iptables -P OUTPUT ACCEPT
No, I fear not. The iptables policy is not like a standard target, so
you can only specify a very limited range of options.
This is one of the reasons that I advocate a pre-written script like
'firehol' - it does the hard work of adding the logging rules, with rate
limiting and information on which rule caused the drop, etc.
Otherwise you need to manually add this as the 'final' rule called:
iptables -j LOG ...
iptables -j DROP ...
Machina Improba! Vel Mihi Ede Potum Vel Mihi Redde Nummos Meos!
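To illustrate the point made above (a chain policy can only be a plain target such as DROP or ACCEPT, so logging has to be done by an explicit LOG rule appended just before the final DROP), here is an added example script. It is not from the original thread, firehol, or the iptables project; it assumes the `iptables` binary is on the path and, unless `DRY_RUN=0` is set, it only prints the commands it would run so the rule order can be inspected safely:

```shell
#!/bin/sh
# Added example (not from the thread): log-then-drop as the last two rules of a chain.
# DRY_RUN=1 (the default here) prints the commands instead of applying them.
IPT="${IPT:-iptables}"

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append a rate-limited LOG rule followed by DROP. The limit keeps a packet
# flood from filling the kernel log; the prefix makes the entries easy to
# find in syslog (e.g. grep 'IPT-INPUT-DROP' /var/log/messages).
log_and_drop_tail() {
    chain="$1"
    prefix="$2"
    run "$IPT" -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$prefix " --log-level 4
    run "$IPT" -A "$chain" -j DROP
}

setup_firewall() {
    # Policies take only a plain target: DROP/ACCEPT, never LOG.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Ordinary accept rules (constructed sample: loopback, replies, ssh).
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT

    # The 'final' rules: everything that reaches here is logged, then dropped.
    log_and_drop_tail INPUT "IPT-INPUT-DROP:"
    log_and_drop_tail FORWARD "IPT-FORWARD-DROP:"
}

# Sanity check on the generated command list: the last rule of each chain
# must be DROP, immediately preceded by a LOG rule, and no policy line may
# name LOG. Returns 0 when the layout is correct.
check_rule_order() {
    out="$(setup_firewall)"
    printf '%s\n' "$out" | grep -- '-P ' | grep -q 'LOG' && return 1
    for chain in INPUT FORWARD; do
        rules="$(printf '%s\n' "$out" | grep -- "-A $chain ")"
        printf '%s\n' "$rules" | tail -n 1 | grep -q -- '-j DROP$' || return 1
        printf '%s\n' "$rules" | tail -n 2 | head -n 1 | grep -q -- '-j LOG' || return 1
    done
    return 0
}

[ "${1:-}" = "apply" ] && DRY_RUN=0
setup_firewall
```

Run it as-is to see the commands, or `DRY_RUN=0 ./firewall.sh apply` (as root) to load them. Dropped packets then show up in the kernel log with the chosen prefix, which is what makes the LOG rule useful for diagnosing a rule set rather than just silently discarding traffic.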