
Re: How to work with my iptables script



On 30 Aug 2004, Jacob Friis Larsen wrote:
>>>> Logging would probably also be useful.
>>>
>>> How do I do that?
>> the 'LOG' or 'ULOG' targets. 'LOG' is easier to use initially, and the
>> iptables manual page covers it.
>> It writes messages about packets that match that rule to your kernel
>> message log, which feeds into syslog.
>
> Could I do it like this:
>
> # Default rules
> iptables -P INPUT LOG DROP
> iptables -P FORWARD LOG DROP
> iptables -P OUTPUT ACCEPT

No, I fear not.  The iptables policy is not like a standard target, so
you can only specify a very limited range of options.

This is one of the reasons that I advocate a pre-written script like
'firehol' - it does the hard work of adding the logging rules, with rate
limiting and information on which rule caused the drop, etc.

Otherwise you need to manually add this as the 'final' rule called:

  iptables -j LOG ...
  iptables -j DROP ...

        Daniel

-- 
Machina Improba! Vel Mihi Ede Potum Vel Mihi Redde Nummos Meos!
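What the "final rule" pair Daniel describes looks like as a complete script, as an added example that is not part of the original thread. It keeps the chain policies that the original script tried to set (policies can only be ACCEPT or DROP, not LOG) and appends a rate-limited LOG rule followed by DROP as the last two entries of INPUT and FORWARD; the limit values, log prefix and the two accept rules are my assumptions, and IPTABLES can be overridden to preview the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. A chain policy accepts only
# ACCEPT or DROP, so "iptables -P INPUT LOG DROP" is invalid; logging is
# done by a LOG rule placed just before the terminal DROP rule. The limit
# match stops a flood from filling the kernel log (read via syslog/dmesg),
# and --log-prefix tells you which chain produced the entry.
# Set IPTABLES=echo (or run with "preview") to print the commands only.
IPTABLES=${IPTABLES:-iptables}

# log_and_drop CHAIN: append the terminal LOG + DROP pair to CHAIN.
log_and_drop() {
    chain=$1
    $IPTABLES -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-$chain-DROP: " --log-level 4
    $IPTABLES -A "$chain" -j DROP
}

apply_rules() {
    # Flush, then set the default policies (ACCEPT or DROP only).
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Accept loopback and reply traffic before the catch-all (assumed rules).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Terminal rules: anything not accepted above is logged, then dropped.
    log_and_drop INPUT
    log_and_drop FORWARD
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPTABLES=echo; apply_rules ;;
esac
```

Run "sh firewall.sh preview" to see the rule set, and "sh firewall.sh apply" as root to load it.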