[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Logging packets from iptables

Hash: SHA1

On Tuesday 22 May 2001  8:37 pm, Dave Smith wrote:
> I have recieved several packets on my little firewall originating from port
> 80 of different computers on the internet. Can I use iptables to log the
> contents of these packets, or how should I setup tcpdump or similar to dump
> the packet and the drop it?

Firstly be aware that these are probably just responses from web servers 
you're browsing if they don't have the SYN (establish connection) flag set 
(80 is http). If the syn flag _is_ set, and the _source_ port is 80, they may 
be trying to exploit a poorly configured firewall.

You can log a lot of information about the packet (source and destination 
addresses and ports, mac addresses, tcp flags etc.) with the LOG target, 
though this does not log the actual data. This target does not accept or drop 
a packet by itself. This will log using syslog, probably ending up in (among 
other places) /var/log/syslog. I find it useful to use "presets", like this:

iptables -N suspicious
# this works:
# iptables -A suspicious -j LOG --log-prefix "suspicious activity: "
# but you probably want this to limit the rate of logging to e.g. 1 per min:
iptables -A suspicious -m limit --limit 1/m \
 -j LOG --log-prefix "suspicious traffic: "
iptables -A suspicious -j DROP

iptables -A INPUT -p tcp --sport 80 --syn -j suspicious

AFAIK, there is no data to log in a syn packet, data is only sent after the 
handshake has been completed. The above lines stop that from happening.

Hope this helps...

- -- 
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/
For my PGP key visit: http://archives.wincoll.ac.uk/finger.php?q=chrisb
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org


Reply to: