
Re: iptable coding style



On 2005-12-04 Micha wrote:
> This is a simple small PC homenet (mixed wlan / lan) and the router
> shipped with a standard firewall which is activated, but i still track
> the traffic on my PC, both for learning and also to recognize trojans
> and the like on the others' windows boxes - i couldn't discourage them
> from emule and they are not very careful, and we already had some
> router 'DOS' issues with botted machines 
> ... this is a students dormitory :P
> 
> I managed to setup the routers syslog forwarding. However that's much
> traffic (with up to 10 hits/s from outside) which i still had to sort
> out.

Well, if you want to recognize attacks, I'm afraid you will have to go
to the trouble of reading through it. Otherwise it wouldn't make much
sense to log it at all, would it?

> Instead, as compromise, the router mails log summaries now to my
> local exim.
> 
> The matching iptables on my PC are,
> 
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport 25 -j LOG --log-prefix "__MAIL__" --log-level 7
> 
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport 25 -j ACCEPT
> 
> and i'd like the kernel to leave the processing chain here, since
> else the same stuff gets logged as general 'hit' a second time.
> How can i do that ?

AFAIK once the ACCEPT rule is hit, the match shouldn't be processed any
further. If it gets logged twice: look into the rules prior to that one.

> And there's a line for blocking non-local TCP like 
> 
> iptables -A INPUT -p tcp --dport $param1 -s ! 127.0.0.1 -j REJECT

You should add "--reject-with tcp-reset" here.

> and by now i invoke this line with every port separately ... is it also
> possible to specify a port list like 21,22,80,111,631,866,8080,8081
> in one iptables command line ?

You need one of the modules mport or multiport for this.

Regards
Ansgar Wiechers
-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
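The points in the reply above (LOG is non-terminating so the ACCEPT right after it ends processing, REJECT with tcp-reset, and one multiport rule instead of one rule per port) put together as an added example; this is not code from the thread. The script only prints the iptables commands so they can be reviewed before being run as root. Assumed, not from the post: the "__HIT__" prefix for the generic catch-all LOG rule, the chunk size of 15 (the documented maximum number of ports the multiport match accepts in one rule), and the `! -s` negation syntax, which is the current form of the older `-s !` in the post.

```shell
#!/bin/sh
# Added example, not from the original thread.  Prints iptables commands
# instead of applying them.  Assumptions: multiport's 15-port limit,
# the "__HIT__" log prefix and the "! -s" negation syntax.

# Print one REJECT rule for a comma-separated list of TCP ports.
emit_reject_rule() {
    # tcp-reset answers with RST (port looks closed) instead of the
    # default ICMP port-unreachable (port looks filtered).
    printf '%s\n' "iptables -A INPUT -p tcp ! -s 127.0.0.1 -m multiport --dports $1 -j REJECT --reject-with tcp-reset"
}

# Turn a comma-separated port list into as few multiport REJECT rules as
# possible: every port is validated, and a new rule is started after 15
# ports because the multiport match takes at most 15 per rule.
# Returns 1 (and prints nothing further) on an invalid port.
reject_nonlocal_tcp() {
    ports=$1
    chunk=""
    count=0
    while IFS= read -r p; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        if [ -z "$chunk" ]; then chunk=$p; else chunk="$chunk,$p"; fi
        count=$((count + 1))
        if [ "$count" -eq 15 ]; then
            emit_reject_rule "$chunk"
            chunk=""
            count=0
        fi
    done <<EOF
$(printf '%s\n' "$ports" | tr ',' '\n')
EOF
    [ -n "$chunk" ] && emit_reject_rule "$chunk"
    return 0
}

# Print the whole INPUT policy in the order that avoids the double
# logging from the post.  LOG does not stop processing; the ACCEPT on the
# line after it does, so the pair must come before any generic LOG rule.
# Putting the catch-all LOG first would log the router's mail twice.
# $1 = router MAC address, $2 = comma-separated ports to reject.
build_input_rules() {
    mac=$1
    ports=$2
    printf '%s\n' "iptables -A INPUT -p tcp -m mac --mac-source $mac --dport 25 -j LOG --log-prefix \"__MAIL__\" --log-level 7"
    printf '%s\n' "iptables -A INPUT -p tcp -m mac --mac-source $mac --dport 25 -j ACCEPT"
    reject_nonlocal_tcp "$ports" || return 1
    # Generic catch-all LOG last (assumed prefix), so only packets that
    # reached the end of the chain are logged as a general hit.
    printf '%s\n' "iptables -A INPUT -j LOG --log-prefix \"__HIT__\" --log-level 7"
}

# Usage: review the output, then pipe it to sh as root on the PC.
build_input_rules 00:13:49:05:FE:27 21,22,80,111,631,866,8080,8081
```

The 15-port limit matters in practice: feeding a longer list to a single `--dports` makes iptables refuse the rule, which is why the function splits the list rather than trusting the caller.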


