
Re: Logging packets from iptables



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 22 May 2001  8:37 pm, Dave Smith wrote:
> I have received several packets on my little firewall originating from port
> 80 of different computers on the internet. Can I use iptables to log the
> contents of these packets, or how should I set up tcpdump or similar to dump
> the packet and then drop it?

Firstly, be aware that these are probably just responses from web servers 
you're browsing if they don't have the SYN (establish connection) flag set 
(80 is HTTP). If the SYN flag _is_ set, and the _source_ port is 80, they may 
be trying to exploit a poorly configured firewall.

You can log a lot of information about the packet (source and destination 
addresses and ports, MAC addresses, TCP flags, etc.) with the LOG target, 
though this does not log the actual data. This target does not accept or drop 
a packet by itself. It logs using syslog, probably ending up in (among 
other places) /var/log/syslog. I find it useful to use "presets", like this:

iptables -N suspicious
# this works:
# iptables -A suspicious -j LOG --log-prefix "suspicious activity: "
# but you probably want this to limit the rate of logging to e.g. 1 per min:
iptables -A suspicious -m limit --limit 1/m \
 -j LOG --log-prefix "suspicious traffic: "
iptables -A suspicious -j DROP

iptables -A INPUT -p tcp --sport 80 --syn -j suspicious

AFAIK, there is no data to log in a SYN packet; data is only sent after the 
handshake has been completed. The above lines stop that from happening.

Hope this helps...

- -- 
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/
For my PGP key visit: http://archives.wincoll.ac.uk/finger.php?q=chrisb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7Ct8jD834tscfhTwRAib3AJ9Rw6zr1P7xOiSAivPnbH1GTLrbhACffKd/
8l3lQbjcVn4fsDunuSkdFGM=
=8pof
-----END PGP SIGNATURE-----
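An added example, not part of Chris Boyle's reply and not code from the iptables project: the LOG target in the rules above writes only header fields (SRC, DST, SPT, DPT and the TCP flag names) to syslog, so the practical follow-up is reading those lines back. The POSIX shell functions below parse one such line and count which source hosts sent bare SYNs from port 80, mirroring the `--sport 80 --syn` condition of the INPUT rule. The sample log lines are constructed; the field names are the ones the kernel LOG target emits, and the log prefix is the "suspicious traffic: " prefix from the reply.

```shell
#!/bin/sh
# Added example (not from the original reply): read back what the LOG target
# wrote to syslog. LOG records header fields only, so this is all there is to
# parse: SRC/DST/SPT/DPT and the TCP flag names (SYN, ACK, ...).

# Constructed sample lines in the shape the kernel LOG target produces,
# using the "suspicious traffic: " prefix from the rule in the reply.
LINE1='May 22 20:37:01 fw kernel: suspicious traffic: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33045 WINDOW=5840 RES=0x00 SYN URGP=0'
LINE2='May 22 20:37:09 fw kernel: suspicious traffic: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33046 WINDOW=5840 RES=0x00 SYN URGP=0'
LINE3='May 22 20:38:14 fw kernel: suspicious traffic: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0'
# A SYN/ACK from a web server the firewall itself talked to: the --syn rule
# in the reply would not log it, and the counter below must not count it.
LINE4='May 22 20:38:20 fw kernel: suspicious traffic: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=33050 WINDOW=5840 RES=0x00 ACK SYN URGP=0'
SAMPLE_LOG="$LINE1
$LINE2
$LINE3
$LINE4"

# log_fields LINE: print "SRC SPT DST DPT FLAGS" for one LOG line, where
# FLAGS is a comma-separated list of the TCP flag names present.
log_fields() {
    printf '%s\n' "$1" | awk '{
        src = ""; spt = ""; dst = ""; dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = flags (flags == "" ? "" : ",") $i
        }
        print src, spt, dst, dpt, flags
    }'
}

# syn_sources: read LOG lines on stdin, keep TCP packets with source port 80
# whose flags are SYN without ACK (the same condition as "--sport 80 --syn"),
# and print "count source" with the busiest source first.
syn_sources() {
    awk '/suspicious traffic:/ {
        src = ""; spt = ""; proto = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i == "SYN") syn = 1
            else if ($i == "ACK") ack = 1
        }
        if (proto == "TCP" && spt == "80" && syn && !ack) n[src]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# Run stand-alone: summarize the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | syn_sources
```

On a real box the last line would be `grep 'suspicious traffic:' /var/log/syslog | syn_sources`; the parser keys on the kernel's `NAME=value` tokens rather than on field positions, so it is not thrown off by the optional tokens (DF, the flag names) that LOG adds or omits per packet.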


