[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptable coding style

On 2005-12-04 Micha wrote:
> This is a simple samll PC homenet (mixed wlan / lan) and the router
> shipped with a standard firewall which is activated, but i still track
> the traffic on my PC, both for learning and also to recognize trojans
> and the like on the others' windows boxes - i couldn't discourage them
> from emule and they are not very careful, and we already had some
> router 'DOS' issues with botted machines 
> ... this is a students dormitory :P
> I managed to setup the routers syslog forwarding. However that's much
> traffic  (with up to 10 hits/s from outside) which i still had to sort
> out.

Well, if you want to recognize attacks, I'm afraid you will have to go
to the trouble of reading through it. Otherwise it wouldn't make much
sense to log it at all, wouldn't it?

> Instead, as compromise, the router mails log summaries now to my
> local exim.
> The matching iptables on my PC are,
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport
> 25 -j LOG --log-prefix "__MAIL__" --log-level 7
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport
> 25 -j ACCEPT
> and i'd like thje kernel to leave the processing chain here, since
> else the same stuff gets logged as general 'hit' a second time. 
> How can i do that ?

AFAIK once the ACCEPT rule is hit, the match shouldn't be processed any
further. If it gets logged twice: look into the rules prior to that one.

> And there's a line for blocking non-local TCP like 
> iptables -A INPUT -p tcp --dport $param1 -s ! -j REJECT

You should add "--reject-with tcp-reset" here.

> and by now i invoke this line with every port seperately ... is it also 
> possible to specify a port list like 21,22,80,111,631,866,8080,8081
> in one iptables command line ?

You need one of the modules mport or multiport for this.

Ansgar Wiechers
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."

Reply to: