
FOLLOWUP Re: turning on verbose logging for iptables?



On Wed, Jul 17, 2002 at 09:22:12PM +0700, Jean Christophe ANDRÉ wrote:
> Dave Price wrote:
> > Is there a better syntax I should be using to define IP addresses in my
> > firewall script(s)?
> 
> For this question I guess there is no easy answer... It depends on what you
> are using to build your firewall script. It seems you are doing it by hand
> (as I often do) so it's up to you to choose the way you want to write it!

Here is what I ran which worked perfectly!

#!/bin/bash
#fw_log.sh - set logging on iptables 7/17/2002; dap

sourceIPtoSpy=198.68.51.11
laptop=192.168.2.98

iptables -N LOGIT # special chain: log everything except already-established traffic
                  # (-N fails if LOGIT already exists, so a second run only appends duplicate rules)

iptables -A LOGIT -m state --state ESTABLISHED -j RETURN # skip packets of connections already established
iptables -A LOGIT -j LOG     # LOG is non-terminating; default level is "warning" (see iptables -L output)
iptables -A LOGIT -j RETURN  # back to the calling chain

# send traffic to/from each watched address through LOGIT first (-I inserts at the top of FORWARD)
iptables -I FORWARD -s "$sourceIPtoSpy" -j LOGIT
iptables -I FORWARD -d "$sourceIPtoSpy" -j LOGIT

iptables -I FORWARD -s "$laptop" -j LOGIT
iptables -I FORWARD -d "$laptop" -j LOGIT
#end

Question: what should I run to UNDO this? By hand, I deleted most of the
rules so there is no logging to my tiny 300 MB firewall drive (only 50%
full with a Debian firewall running).

Here is iptables -L:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           state ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere           state ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LOGIT      all  --  anywhere             198.68.51.11       
LOGIT      all  --  198.68.51.11         anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere           tcp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain LOGIT (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere           state ESTABLISHED 
RETURN     all  --  anywhere             anywhere           state ESTABLISHED 
LOG        all  --  anywhere             anywhere           LOG level warning 
RETURN     all  --  anywhere             anywhere           
You can see there are still remnants of the test in the iptables.

Any advice or pointers appreciated!

aloha,
dave
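The undo Dave asks for, as an added example that is not part of his script or of the thread. It assumes the chain name LOGIT and the two addresses from fw_log.sh; the IPT override variable is a convention of this example only. Note from the iptables -L output above that LOGIT contains each RETURN rule twice, which is what happens when fw_log.sh is run a second time (-N LOGIT fails, the -A and -I rules are added again); a single "iptables -D" removes only one copy of a rule, so this script repeats -D until it fails, then flushes and deletes the chain once nothing references it.

```shell
#!/bin/sh
# fw_unlog.sh - tear down the LOGIT logging set up by fw_log.sh
# (added example, not Dave's script). Assumes the same chain name and
# the same two addresses. IPT can be overridden, e.g. IPT="echo iptables",
# to rehearse the commands without root.

IPT="${IPT:-iptables}"
sourceIPtoSpy=198.68.51.11
laptop=192.168.2.98

# Delete one exact rule spec from FORWARD as many times as it matches.
# "iptables -D" removes a single copy per call, so a script run twice
# leaves a second copy behind unless we loop until -D fails.
# Prints the number of copies removed.
delete_all() {
    n=0
    while $IPT -D FORWARD "$@" 2>/dev/null; do
        n=$((n + 1))
    done
    echo "$n"
}

# Remove every FORWARD rule that jumps to LOGIT, then flush and delete the
# chain. -X only succeeds once the chain has no references and no rules.
# Prints the total number of FORWARD rules removed.
unlog() {
    total=0
    for ip in "$sourceIPtoSpy" "$laptop"; do
        total=$((total + $(delete_all -s "$ip" -j LOGIT)))
        total=$((total + $(delete_all -d "$ip" -j LOGIT)))
    done
    $IPT -F LOGIT
    $IPT -X LOGIT
    echo "$total"
}

if [ "${1:-}" = "run" ]; then
    unlog
fi
```

Run it as root with `sh fw_unlog.sh run`, then confirm with `iptables -L FORWARD -n` that no LOGIT target remains and with `iptables -L LOGIT -n` that the chain is gone. If rules were added with a different spec than fw_log.sh used (for example from a later hand edit), -D will not match them; list the chain with line numbers, `iptables -L FORWARD -n --line-numbers`, and delete those by number.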

