how to log dropped packet
Florian Boelstler
euphoria at arcor.de
Tue Sep 28 13:50:26 CEST 2004
What I usually do is:
---------------------------------------------------------------------
#!/bin/sh
# Some handy variables
IPTABLES=`which iptables`
d_HTTP="http,https"
p_high="1024:65535"
EXT="wlan0"
# DROP & LOG chain
$IPTABLES -N DROPnLOG
$IPTABLES -A DROPnLOG -p ICMP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-ICMP "
$IPTABLES -A DROPnLOG -p TCP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-TCP "
$IPTABLES -A DROPnLOG -p UDP -j ULOG --ulog-nlgroup 1 --ulog-prefix "DROP-UDP "
# ULOG is a non-terminating target: the packet continues down the chain after
# being logged, so the chain must end with an explicit DROP or the logged
# packets fall through to the built-in chain's policy instead of being dropped
$IPTABLES -A DROPnLOG -j DROP
# Default rule for established connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Put several rules to allow outgoing traffic here. E.g. for web sites:
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP --sport $p_high -m multiport --destination-ports $d_HTTP -j ACCEPT
# Wipe anything not matching any of the rulesets above
$IPTABLES -A INPUT -j DROPnLOG
$IPTABLES -A FORWARD -j DROPnLOG
$IPTABLES -A OUTPUT -j DROPnLOG
---------------------------------------------------------------------
The script above requires that your kernel is aware of the ULOG target.
This allows logging iptables' output to another destination (i.e. a file)
than syslog.
You will need an appropriate ULOG configuration file.
The output will look like this:
Jan 1 01:00:00 beamstation DROP-UDP IN= OUT=wlan0 MAC= SRC=192.168.2.100 DST=192.168.2.255 LEN=268 TOS=00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=138 DPT=138 LEN=248
Good luck,
Florian
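As an added example that is not part of Florian's post: two POSIX sh/awk functions that digest log lines in the DROP-* format shown above, one counting drops per prefix, source and destination port, the other flagging sources whose dropped packets touched many distinct ports. The sample lines are constructed (the first is the line from the post, the other two are made up), and it is assumed a ULOG consumer such as ulogd has already written such lines to a file.

```shell
# Constructed sample of three DROPnLOG log lines (not real traffic).
SAMPLE_LOG='Jan 1 01:00:00 beamstation DROP-UDP IN= OUT=wlan0 MAC= SRC=192.168.2.100 DST=192.168.2.255 LEN=268 TOS=00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=138 DPT=138 LEN=248
Jan 1 01:00:05 beamstation DROP-TCP IN=wlan0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.0.0.7 DST=192.168.2.100 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 1 01:00:09 beamstation DROP-TCP IN=wlan0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=10.0.0.7 DST=192.168.2.100 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0'

# drop_summary: reads log lines on stdin and prints "PREFIX SRC DPT COUNT",
# most frequent first. Fields are located by their KEY= token, so the
# position of IN=/OUT=/MAC= (which may be empty) does not matter.
drop_summary() {
  awk '
    { prefix = ""; src = "?"; dpt = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^DROP-/)     prefix = $i
        else if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (prefix != "") n[prefix " " src " " dpt]++ }
    END { for (k in n) print k, n[k] }' | sort -k4,4nr -k1,1
}

# port_sweepers MIN: reads log lines on stdin and prints "SRC PORTS" for every
# source whose dropped packets hit at least MIN distinct destination ports,
# a simple indicator of a port sweep against the host.
port_sweepers() {
  awk -v min="$1" '
    { src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)      src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++ }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}

# Usage on the sample (replace with e.g. cat /var/log/ulog/syslogemu.log):
#   printf '%s\n' "$SAMPLE_LOG" | drop_summary
#   printf '%s\n' "$SAMPLE_LOG" | port_sweepers 2
```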