Re: Activate firewall logging

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 02/18/02
From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Mon, 18 Feb 2002 07:17:14 +0100

Peter wrote:
>
> Any hints on what can be done to set up logging would be much
> appreciated. Should I uninstall / deactivate ipchains and start up
> iptables? (and how do you do that)

That would be a good idea. You can uninstall ipchains by typing
"rpm -e ipchains" or you can just disable it by typing
"chkconfig ipchains off".

It might also be a good idea to add this line to
/etc/sysconfig/network:
export FIREWALL_MODS=no

You then need to create a /etc/sysconfig/iptables file. Here
come some of my rules, which could be good for inspiration:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:LOGACCEPT - [0:0]
:SLOWLOGREJECT - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOGDROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOGDROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOGACCEPT
-A INPUT -m limit --limit 79/minute --limit-burst 4 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j SLOWLOGREJECT
-A INPUT -p tcp -j SLOWLOGREJECT
-A INPUT -j LOGDROP

-A OUTPUT -d 192.168.0.0/255.255.0.0 -m owner ! --uid-owner root -j LOGREJECT

-A LOGDROP -m limit --limit 1/minute --limit-burst 42 -j LOG --log-prefix "iptables DROP: "
-A LOGDROP -j DROP
-A LOGREJECT -m limit --limit 1/minute --limit-burst 42 -j LOG --log-prefix "iptables REJECT: "
-A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
-A LOGREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A LOGREJECT -j REJECT --reject-with icmp-host-unreachable
-A SLOWLOGREJECT -m limit --limit 15/minute --limit-burst 10 -j LOGREJECT
-A SLOWLOGREJECT -j LOGDROP
-A LOGACCEPT -j LOG --log-prefix "iptables ACCEPT: "
-A LOGACCEPT -j ACCEPT

COMMIT

BTW, you might want to upgrade your kernel. I think 2.4.2-2
suffers from the ptrace bug which allows any local user to
get root access. You might also want to upgrade the userspace
iptables utilities; the version in 2.4.2-2 has a bug with
the parameter to --log-prefix.

-- 
Kasper Dupont
For sending spam use mailto:razor-report@daimi.au.dk
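Once the rules above are loaded, the LOG target writes lines tagged "iptables DROP: ", "iptables REJECT: " and "iptables ACCEPT: " into the kernel log. The following script is an added example (not part of the original post) that parses such lines out of a syslog file and tallies them by verdict, source and destination port, so that a source hitting many rejected ports stands out; the sample log lines are constructed, and the host name and addresses in them are placeholders.

```python
# Summarise iptables LOG output keyed by the --log-prefix strings above.
# IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= are the kernel LOG target's fields.
import re
from collections import Counter

# Constructed sample of /var/log/messages lines (not real traffic).
SAMPLE_LOG = """\
Feb 18 07:20:01 host kernel: iptables REJECT: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 18 07:20:02 host kernel: iptables REJECT: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 18 07:20:05 host kernel: iptables ACCEPT: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 18 07:20:09 host kernel: iptables DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 18 07:20:10 host sshd[123]: Accepted publickey for alice from 10.0.0.7 port 50000 ssh2
"""

# Matches the prefixes set with --log-prefix in the LOGDROP/LOGREJECT/LOGACCEPT chains.
LINE_RE = re.compile(r"kernel: iptables (?P<verdict>ACCEPT|DROP|REJECT): (?P<fields>.*)$")

def parse_line(line):
    """Return (verdict, {field: value}) for an iptables LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:  # flag tokens such as "DF" or "SYN" carry no value
            fields[key] = val
    return m.group("verdict"), fields

def summarize(log_text):
    """Count (verdict, SRC, PROTO, DPT) tuples; ICMP has no DPT, so it becomes '-'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an iptables LOG line (e.g. sshd output)
        verdict, f = parsed
        counts[(verdict, f.get("SRC"), f.get("PROTO"), f.get("DPT", "-"))] += 1
    return counts

def distinct_ports_rejected(counts, src):
    """Distinct TCP/UDP destination ports REJECTed from one source (sweep indicator)."""
    return len({k[3] for k in counts if k[0] == "REJECT" and k[1] == src and k[3] != "-"})

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

Feed it a real file with `summarize(open("/var/log/messages").read())`; note that the `-m limit` rules in the chains above deliberately cap how many lines reach the log, so counts are a lower bound.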