Re: Logging packets from iptables
- To: email@example.com
- Subject: Re: Logging packets from iptables
- From: Chris Boyle <firstname.lastname@example.org>
- Date: Tue, 22 May 2001 22:50:24 +0100
- Message-id: <01052222502401.05620@celery>
- In-reply-to: <01052220372600.17656@davepc>
- References: <01052220372600.17656@davepc>
-----BEGIN PGP SIGNED MESSAGE-----
On Tuesday 22 May 2001 8:37 pm, Dave Smith wrote:
> I have recieved several packets on my little firewall originating from port
> 80 of different computers on the internet. Can I use iptables to log the
> contents of these packets, or how should I setup tcpdump or similar to dump
> the packet and the drop it?
Firstly be aware that these are probably just responses from web servers
you're browsing if they don't have the SYN (establish connection) flag set
(80 is http). If the syn flag _is_ set, and the _source_ port is 80, they may
be trying to exploit a poorly configured firewall.
You can log a lot of information about the packet (source and destination
addresses and ports, mac addresses, tcp flags etc.) with the LOG target,
though this does not log the actual data. This target does not accept or drop
a packet by itself. This will log using syslog, probably ending up in (among
other places) /var/log/syslog. I find it useful to use "presets", like this:
iptables -N suspicious
# this works:
# iptables -A suspicious -j LOG --log-prefix "suspicious activity: "
# but you probably want this to limit the rate of logging to e.g. 1 per min:
iptables -A suspicious -m limit --limit 1/m \
-j LOG --log-prefix "suspicious traffic: "
iptables -A suspicious -j DROP
iptables -A INPUT -p tcp --sport 80 --syn -j suspicious
AFAIK, there is no data to log in a syn packet, data is only sent after the
handshake has been completed. The above lines stop that from happening.
Hope this helps...
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/
For my PGP key visit: http://archives.wincoll.ac.uk/finger.php?q=chrisb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----