Wed, 29 Sep 1999 10:22:23 -0700
I'm tweaking my firewall rules today, and wondered if it'd be
appropriate to talk about that sort of operational issue on this
list. Specifically, I'm filtering packets on my outside interface
that come from the RFC1918 private numbers, but I'd like to log them,
too. So I have:
/sbin/iptables --policy INPUT DROP
/sbin/iptables -N spoof
/sbin/iptables -A spoof -m limit --limit 60/h --limit-burst 30/m
/sbin/iptables -A spoof -j LOG --log-prefix 'SPOOF!'
/sbin/iptables -A INPUT \! -i $OUTSIDE -j ACCEPT
/sbin/iptables -A INPUT -i $OUTSIDE -s 192.168.0.0/255.255.0.0 -j spoof
/sbin/iptables -A INPUT -i $OUTSIDE -s 192.168.0.0/255.255.0.0 -j DROP
[...and so on for the other private numbers...]
My intention is to both log the packet (subject to logging limits) and
drop it...I'd put a DROP line at the end of the "spoof" user-defined
chain, but I'm worried that if the packet is over the limit, the chain
will already have returned? Or does limit just set a flag on the
packet that LOG later checks? If it's the latter, then I don't have
to check for the packet twice in the INPUT chain.
Also, is there a quick & easy way to construct packets and send them
to myself from outside? It'd be GREAT if there was a web page
somewhere that you could use to type in packet fields, then click
"send" and it'd inject it.