Linux Help
> Iptables Question/suggestion, Whitebox 3.0
Robert83
post Feb 27 2004, 06:42 AM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hi,

Well I did it, I'm browsing the internet through the firewall computer now [only the firewall and I are connected, nothing else, for security/testing reasons].

So everything is nice according to www.grc.com SHIELDSUP!, I'm running all my ports in stealth mode, but I can be pinged [do I have to enable pinging for the firewall itself, or is it enough for the mail server, ftp, http?]. How can I drop pings with my firewall?

My current firewall [iptables] looks like this :

NOTE: eth0 is the internal network [192.168.0.0], eth1 is the external network [xxx.xxx.xxx.xxx]

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT [forward all packets from in to out]
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[allow established, related connections from outside to get inside]
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[the same?, not sure...please explain]
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT [to accept connections to the firewall from inside]
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT [to accept connections to the firewall from inside]
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 21 --syn -j ACCEPT
[the above four I would like to allow, but they are in stealth mode...why? Please note
that none of those servers are up...maybe that's why I'm getting stealth mode instead of
CLOSED or OPEN?]
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx [192.168.0.0 --> xxx.xxx.xxx.xxx]
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP [drop every unwanted udp packet]
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP [drop every unwanted tcp packet]

Please, any suggestions about this [my current settings for iptables]?
And why are those ports 80, 443, 25, 21 in stealth mode, if I make them available from any source to
any destination? Can it be because I have no mail, http, ftp server installed?

And do I need to make them able to ping my firewall? I mean its public address [xxx.xxx.xxx.xxx]?
[NOTE]
The firewall will first be like this: FIREWALL->MAIL->FTP->HTTP [all separate computers]. If I don't
allow anyone to ping my firewall, will they be able to ping my other computers [mail, ftp, http]? They will
have public IP addresses too.]

How safe am I with this firewall?

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
hughesjr
post Feb 27 2004, 08:52 AM
Post #2


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



try this instead:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

(same for 443, 21, 25)....now they should no longer be stealth ....

then after the forwards (before the postrouting rules) when you are ready to forward the ports to the actual servers do:

iptables -A PREROUTING -t nat -p tcp -d public_ip --dport 80 -j DNAT --to webserver_internal_ip_address:80

(same for 443, 21, 25) (except port 21 to the ftp server, port 25 to the mail server, port 22 (if you want to open it) to an ssh server) .... actually, for ssh I personally use a different port than 22 (say 2121) on the public IP, but to port 22 on the server ... then people either have to scan or know that 2121 is the ssh port.


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
Robert83
post Feb 27 2004, 09:02 AM
Post #3


Thank you for the advice

Sincerely
Robert B


Robert83
post Feb 27 2004, 09:38 AM
Post #4


Hi,

I've changed these lines :

iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 21 --syn -j ACCEPT

with

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

and www.grc.com still reports these ports as STEALTH [note: I've tried just once to trust www.grc.com's IP probe, and then it showed that SSH is OPEN and the rest is closed].

[Here are my iptables rules]

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

[root@WindowsXP root]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

6 939 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
444 36722 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0

2 200 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

66 21648 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0

6 288 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x16/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

15 646 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0

12 480 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:443
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:25

Chain OUTPUT (policy ACCEPT 291 packets, 54300 bytes)
pkts bytes target prot opt in out source destination

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@WindowsXP root]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 90 packets, 24566 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 5 packets, 370 bytes)
pkts bytes target prot opt in out source destination
5 246 SNAT all -- * eth1 192.168.0.0/24 0.0.0.0/0 to:xxx.xxx.xxx.xxx

Chain OUTPUT (policy ACCEPT 5 packets, 370 bytes)
pkts bytes target prot opt in out source destination

Note: I haven't added those PREROUTING rules, because I don't have any FTP, MAIL, HTTP server yet...

Any idea why those ports [80,443,21,25] are in stealth mode?

I change my rules the following way:
1. /etc/init.d/iptables stop
2. source /home/iptables
3. iptables-save > /etc/sysconfig/iptables
4. /etc/init.d/iptables start


Sincerely
Robert B


hughesjr
post Feb 27 2004, 11:30 AM
Post #5


It might be that the firewall is accepting the connections, but since there is no place for the packets to go, they are still being dropped by the drop all rule at the bottom .....

try pointing port 80 (via the prerouting command) to an internal httpd server (or even an internal machine without a httpd server with iptables turned off) that is using the firewall as a default gateway and see what grc.com says about it then...


Robert83
post Feb 27 2004, 11:58 AM
Post #6


yehaaaa IT's it's it's CLOSED yes! yes mwhahahahhaha port 80 is now CLOSED.

Thank you for the idea


Sincerely
Robert B


Robert83
post Feb 27 2004, 12:06 PM
Post #7


Oh and one more thing,

If someone from the internet tries to connect to my PC on some port, will the system create a log file for that, or will it only drop the user, with no report?

If no report, how can I tell the system to make reports, for example:

yyy.yyy.yyy.yyy connecting to xxx.xxx.xxx.xxx:430 DROPPED
or
yyy.yyy.yyy.yyy connecting to xxx.xxx.xxx.xxx:431 SUCCESS

I mean, how will I know if someone broke into my system, I mean in time, not after a complete mail server reformat


Sincerely
Robert B


Robert83
post Feb 27 2004, 12:12 PM
Post #8


And one more thing about that port forwarding thingie: if I'm correct, then I don't really need a public IP for my FTP server, right? Or webserver, mailserver.

What do you recommend, should I use public IP addresses [if I'm correct at the above question] or not for my FTP, MAIL, WEBSERVER?


Sincerely
Robert B


hughesjr
post Feb 27 2004, 12:42 PM
Post #9


You had a question about the line:

iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

That one would be required if you connect to the internet from the firewall itself (like to download updates from off site) ... whereas the other line that has -i eth1 -o eth0 would be for connections from the inside through the firewall.....

You may not need the -i eth1 -o eth0 one if you have the one that has only -i eth1

--------------------------------------------

Instead of using -j DROP in the last 2 lines, ... put this where you define chains:

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP


Then use:

-j drop-and-log-it

in the last 2 lines instead.

here is information on the log level from the syslog.conf man page:
CODE
The priority is one of the  following  keywords,  in  ascending  order:
      debug,  info, notice, warning, warn (same as warning), err, error (same
      as err), crit, alert, emerg,  panic  (same  as  emerg).   The  keywords
      error,  warn  and  panic are deprecated and should not be used...


so if you have too many details with the level set to info, try notice ... if still too much, try warning, etc.
-------------
The logs will be wherever you have the kern logs going....probably /var/log/messages in whitebox...


Robert83
post Feb 27 2004, 12:55 PM
Post #10


Thank you again for your help.


Is there a way to tell iptables to log the dropped packets somewhere else? I mean like /var/log/iptablesdropped

because as you know, messages logs other stuff as well, and it's really hard to even go through a log that was made today.

Sincerely
Robert B


Robert83
post Feb 27 2004, 01:17 PM
Post #11


sorry for all these questions...

if I put :

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP

instead of :

iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

then on www.grc.com nothing is in stealth mode...how exactly do I combine these five lines to DROP everything
and log it to....[sorry]


Sorry....


Sincerely
Robert B


Robert83
post Feb 27 2004, 01:34 PM
Post #12


AHA!

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j drop-and-log-it
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j drop-and-log-it

like this then?

[sorry, I was reading your reply too fast, and misunderstood what you were telling me]


Then the above five lines would be correct right?

[going to try it now]

Sincerely
Robert B


Robert83
post Feb 27 2004, 01:54 PM
Post #13


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



I've edited the iptables rules like you said, everything works, ok, only port 80 open, the rest is in stealth mode...

After that, since my /var/log was full with all those infos, I've deleted every file [bad idea?].

And after that rebooted, and went to www.grc.com to see what happens, well port 80 open, rest is stealth,
but nothing is added to /var/log ....no messages.

Only these files are under /var/log
dmesg
ksyms.0
ksyms.1
wtmp

what to do?

Sincerely
Robert B


hughesjr
post Feb 27 2004, 02:20 PM
Post #14


I tried to help someone else do that ... but this is what I found:

http://lists.netfilter.org/pipermail/netfi...uly/013257.html
----------------------------

So, this script should work (I named it get_iptables):

CODE
#!/bin/bash

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin

SYS_LOG=/var/log/messages
IPTABLES_LOG=/var/log/iptables
TMP_DIR=/tmp

# append the firewall entries (the lines carrying the "iptables" log prefix) to their own file
grep -i iptables $SYS_LOG >> $IPTABLES_LOG
# keep every other line, then put the result back as the syslog
# (anything syslog writes between this grep and the cp below is lost)
grep -iv iptables $SYS_LOG > $TMP_DIR/messages

cp --remove-destination $TMP_DIR/messages $SYS_LOG
rm -rf $TMP_DIR/messages

# both logs readable by root only
chmod 600 $IPTABLES_LOG
chmod 600 $SYS_LOG


That script should put all the iptables entries (if you used iptables as the log prefix...) into the location in $IPTABLES_LOG and take all the iptables entries out of the syslog...If you want to do it every hour ... then you could save the file as get_iptables ....

chmod 755 get_iptables

cp get_iptables /etc/cron.hourly


If you are using the logrotate program, then you probably want to rotate the logs ... if you want to do it like /var/log/messages (weekly, saving 4 previous weeks) then add a file named /etc/logrotate.d/iptables that contains this code:

CODE
/var/log/iptables {
       nocompress
       missingok
       create 0600 root root
}


hughesjr
post Feb 27 2004, 02:23 PM
Post #15


if there is no log file ... it should get created when needed ... or you can create a blank one with the command:

touch /var/log/messages


Robert83
post Feb 27 2004, 02:27 PM
Post #16


errr ...syslog was not enabled ... [I switched off every service, and left only the most needed ones to start up on the firewall, and I forgot about syslog]


And is there a way then to log the iptables drop list to some other file like /var/log/iptables?
I've looked into syslog.conf....maybe I could add a separate line, to log only iptables? Can this be done?
How?


Sincerely
Robert B


hughesjr
post Feb 27 2004, 02:36 PM
Post #17


see my script ... 2 posts up in this thread


Robert83
post Feb 27 2004, 02:46 PM
Post #18


I see it now, somehow I passed over that reply...

Thanx


hughesjr
post Feb 27 2004, 02:48 PM
Post #19


you're welcome .... no problem


Robert83
post Feb 28 2004, 02:56 AM
Post #20


Ok, it works well now. I've left the Whitebox computer with the firewall on for tonight, just to see how much iptables will log.
It has logged a few pages ...but here is a sample line (it appeared twice in the log), I need help in fully understanding it:

kernel : iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=172.182.16.29 DST=217.xxx.xxx.xxx LEN=328 TOS=0x00 PREC=0x00 TTL=115 ID=42954 DF PROTO=TCP SPT=1174 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0

MAC: hardware address of the connecting device[?]
SRC: the source IP from where the connection was initiated
DST: destination address
LEN:
TOS:
PREC:
TTL: [perhaps? time to live?]
ID: [identification?, then for what?]
DF:
PROTO: protocol TCP
SPT:
DPT:
WINDOW:
RES:
SYN:
URGP:

And please, can you tell from a line like this how I know whether he succeeded in entering the computer on a port or not?
How can I see if he connected to port 80 [which is open], or tried messing around with the other ports which are in stealth mode?



Sincerely
Robert B


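An added example (not from the thread) that reads kernel log lines like the one in the post above and summarises which source probed which port and how often; the sample lines are constructed with TEST-NET addresses, the field glossary in the comments covers the fields asked about, and the comment at the end answers what a line here says about whether anyone "got in".

```shell
#!/bin/sh
# Summarise iptables LOG lines (as written by the drop-and-log-it chain)
# from a syslog file.  Added example; the sample lines are constructed.
#
# Field glossary for the kernel's log format:
#   IN / OUT  interface the packet arrived on / would leave by
#             (OUT empty: the packet was addressed to the firewall itself)
#   MAC       destination MAC, source MAC and EtherType (08:00 = IPv4)
#   SRC / DST source and destination IP      LEN    total IP length, bytes
#   TOS / PREC IP type-of-service / precedence  TTL  remaining hop count
#   ID        IP identification (fragment reassembly)   DF  don't-fragment set
#   PROTO     transport protocol             SPT / DPT  source / destination port
#   WINDOW    TCP receive window   RES  reserved TCP bits   SYN  SYN flag set,
#             i.e. a new connection attempt   URGP  TCP urgent pointer
#
# Every line this chain writes is a packet that was DROPPED: the LOG rule
# is immediately followed by DROP.  A connection ACCEPTed on a forwarded
# port never reaches this chain, so it shows up in that server's own log
# (for port 80, the web server's access log), not here.

SAMPLE_LOG='Feb 28 02:10:11 fw kernel: iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=172.182.16.29 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=42954 DF PROTO=TCP SPT=1174 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 28 02:10:12 fw kernel: iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=172.182.16.29 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=42955 DF PROTO=TCP SPT=1175 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 28 02:11:40 fw kernel: iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 28 02:12:05 fw kernel: iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=36 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=53 DPT=1026 LEN=16
Feb 28 02:12:06 fw sshd[1234]: Accepted password for admin from 192.168.0.5 port 40001 ssh2'

# Read syslog lines on stdin; print "SRC PROTO DPT count" for every
# source / destination-port pair the firewall dropped.  Lines without the
# iptables prefix (the sshd line above) are ignored.
summarize_drops() {
    awk '
    /kernel: .*iptables/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "" && dpt != "") n[src " " proto " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Total dropped packets from one source address (first argument), stdin as above.
drops_from() {
    summarize_drops | awk -v s="$1" '$1 == s { t += $4 } END { print t + 0 }'
}
```

On the firewall, run it as `summarize_drops < /var/log/messages` (or against /var/log/iptables once the get_iptables script from post #14 is in place).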