public inbox for gentoo-user@lists.gentoo.org
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
Date: Thu, 28 Apr 2011 17:07:32 +0100	[thread overview]
Message-ID: <BANLkTimjFSuH55BjvZ0kx0Q4thr_3zrGnQ@mail.gmail.com> (raw)
In-Reply-To: <87zknbaqmx.fsf@newsguy.com>

On 28 April 2011 06:31, Harry Putnam <reader@newsguy.com> wrote:
> Mick <michaelkintzios@gmail.com> writes:

>> Once you access it via telnet, have a look for any log rules in IP Tables
>> (/sbin/iptables -L -v -n) and perhaps all we need to do is modify those.
>
> Yeah I had a look at the lines containing LOG and of course had no
> idea of what they meant or how to alter them.

OK, let's see what you've got here.  The first logging rule is this:

> Chain BLOCK (0 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

In the chain called BLOCK you have rule No.1 with target LOG which is
used to ... log:

  all protocols
  no options
  any source
  any destination
  all(?) flags
  level 4 of verbosity

I assume that setting this to level 6 would show ports too.


> The entire iptables is inlined below... maybe you will know how to alter
> them so that ports show up in logs.  That is, only if you are still
> patient enough to continue.... so far, no one has complained about the
> OT thread... but I fear I must be nearing the end of your patient
> willingness to continue, if not the lists willingness to allow my OT
> thread.

No worries!  I'm no iptables guru, but I'm still here!  ;-)


> There only 4 instances of LOG in the tables.  But I wonder if it might
> just be an increase in log level that is required.

Yes, level 6, or level 7 (debug) should give you more than the
verbosity required.  Careful though you don't overdo it and flood your
logs.  To guard against this options like --limit-burst or
--limit-rate will only capture some of the initial similar packets and
quietly drop the rest.


> I wanted to try that out, but was a bit chicken, thinking I'd destroy
> whatever setup there is that invokes the iptable rules.

Yes, that's wise.  You don't want to be inadvertently opening holes in
your firewall ...

This is why you can back up the existing set of rules and then
reinstate it when you need to.  In Gentoo we can see in our
/etc/conf.d/iptables:
==========================================
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"
==========================================

Unless you are running some special script at boot up, there's where
all your running rules will be saved:

# /etc/init.d/iptables --verbose save
 * Saving iptables state ...                                            [ ok ]

Then run any commands you want to alter your rule set and if you don't
like it restart/reload your iptables (without saving first) to restore
your previous configuration.

I would therefore recommend that you experiment on your desktop to
achieve the logging level you want and then run the same commands on
the router.  I guess in the router you'll have to reboot it to reset
the rules, or you will need to find the Linksys equivalent command
that will save the running rule set (it may be different to
/etc/init.d/iptables save - most probably something like
/sbin/iptables-save with redirection to a file).

The command you want to run is /sbin/iptables --replace:

-R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or
              destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

So, to modify the above rule you would run something like:

/sbin/iptables --replace BLOCK 1 -m limit --limit 15/minute -j LOG \
    --log-level 6 --log-prefix "Blocked packets"

This will only replace the above number 1 rule in the BLOCK chain.


> Chain DOS (6 references)
> target     prot opt source               destination
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0          limit: avg 200/sec b
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABL
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0          limit: avg 200/sec b
> RETURN     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8 limit: a
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

To replace the above number 5 rule in the DOS chain you need to follow
my example, but first you have to see more than the options shown
above - I think that your terminal only showed up to a "burst" option
and chopped the rest off?


> Chain SCAN (2 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

Ditto here, you want to replace rule number 1, of the SCAN chain, but
you need to see the complete rule options in the original so that you
can also add them in your command, increasing the level to 6 of
course.  Have a look in man iptables for details of the different
options.

As I said, try it all out on your desktop, see that you are happy with
the result and then run the 3 commands on your router.  If it gives
you the results you want, then save them in the configuration - once
you find where these rules are saved of course.  Perhaps clicking on
the save button of the GUI will achieve the same result after you have
made all these changes - give it a try and see if it works.

HTH.
-- 
Regards,
Mick
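
Added example, not part of Mick's message and not code from the Linksys
firmware or from Gentoo: a POSIX shell script that (a) parses netfilter
LOG lines as the kernel writes them to syslog and lists the ports they
carry, and (b) wraps the iptables --replace step discussed above in a
save-then-apply sequence so the previous ruleset can be reloaded with
iptables-restore.  The function names, the sample log lines (constructed,
using RFC 5737 documentation addresses) and the up-front prefix-length
check are this example's own.  One point to know before changing
--log-level: it sets the syslog priority (0 emerg .. 7 debug) attached to
each message, which is what a syslog daemon uses to keep or discard the
line; the LOG target itself always records SRC, DST and PROTO and, for
TCP and UDP, SPT and DPT, as the parsed sample shows.

```shell
#!/bin/sh
# Added example, not code from the thread or the router firmware.
# Assumptions: stock netfilter LOG message format; iptables, iptables-save
# and iptables-restore on PATH for replace_log_rule; the sample below is
# constructed and uses RFC 5737 documentation addresses.

# Print "PROTO SRC:SPT -> DST:DPT prefix" for every LOG line on stdin.
# Only TCP/UDP carry SPT/DPT; ICMP lines get "-" so they are still listed.
# Lines without a SRC= field (other kernel or daemon messages) are skipped.
parse_log_ports() {
    awk '
    {
        split("", kv)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 1) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (!("SRC" in kv)) next
        pfx = $0
        sub(/.*kernel: /, "", pfx)        # strip syslog timestamp and host
        sub(/^\[[^]]*\] */, "", pfx)      # strip a dmesg-style timestamp
        sub(/ *IN=.*/, "", pfx)           # what is left is the --log-prefix
        if (pfx == "") pfx = "(no-prefix)"
        spt = ("SPT" in kv) ? kv["SPT"] : "-"
        dpt = ("DPT" in kv) ? kv["DPT"] : "-"
        printf "%s %s:%s -> %s:%s %s\n", kv["PROTO"], kv["SRC"], spt, kv["DST"], dpt, pfx
    }'
}

# Count destination ports hit (TCP/UDP only), most frequent first.
count_dports() {
    parse_log_ports | awk '$4 !~ /:-$/ { print $1, $4 }' | sort | uniq -c | sort -rn
}

# Replace rule RULENUM of CHAIN with a rate-limited LOG rule, keeping a copy
# of the previous ruleset so the change can be undone.  Prints the path of
# that copy; undo with:  iptables-restore -c < PATH.  Needs root.
#   replace_log_rule BLOCK 1 15/minute 6 "Blocked packets"
replace_log_rule() {
    chain=$1 rulenum=$2 rate=$3 level=$4 prefix=$5
    # iptables rejects --log-prefix values longer than 29 characters;
    # fail here rather than after saving the table.
    if [ "${#prefix}" -gt 29 ]; then
        echo "log prefix longer than 29 characters: $prefix" >&2
        return 1
    fi
    backup=$(mktemp) || return 1
    iptables-save -c > "$backup" || { rm -f "$backup"; return 1; }
    if iptables -R "$chain" "$rulenum" -m limit --limit "$rate" \
            -j LOG --log-level "$level" --log-prefix "$prefix"; then
        echo "$backup"
    else
        rm -f "$backup"        # a rejected -R leaves the table untouched
        return 1
    fi
}

# Constructed sample (not real captures): two TCP probes to 22, a UDP packet
# to 53, an ICMP echo logged without a prefix, and an unrelated sshd line.
SAMPLE_LOG='Apr 28 16:07:32 router kernel: Blocked packets IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 16:07:33 router kernel: Blocked packets IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 16:07:35 router kernel: Blocked packets IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=49 ID=12 PROTO=UDP SPT=5353 DPT=53 LEN=48
Apr 28 16:07:40 router kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Apr 28 16:07:41 router sshd[812]: Accepted publickey for mick from 192.0.2.20 port 50022'

printf '%s\n' "$SAMPLE_LOG" | parse_log_ports
printf '%s\n' "$SAMPLE_LOG" | count_dports
```

On a router the parser is typically fed with something like
"logread | parse_log_ports" or "dmesg | count_dports"; the ICMP line in the
sample comes out with "-" in both port positions because ICMP has no ports,
not because anything was filtered.  replace_log_rule is only run by hand,
as root, after the desktop trial the message describes.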


