From: Mick
To: gentoo-user@lists.gentoo.org
Date: Thu, 28 Apr 2011 17:07:32 +0100
Subject: Re: [gentoo-user] Re: [OT router advice] a router capable of detailed logs
In-Reply-To: <87zknbaqmx.fsf@newsguy.com>

On 28 April 2011 06:31, Harry Putnam wrote:
> Mick writes:
>> Once you access it via telnet, have a look for any log rules in IP Tables
>> (/sbin/iptables -L -v -n) and perhaps all we need to do is modify those.
>
> Yeah I had a look at the lines containing LOG and of course had no
> idea of what they meant or how to alter them.

OK, let's see what you've got here. The first logging rule is this:

> Chain BLOCK (0 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

In the chain called BLOCK you have rule No.1 with target LOG which is used to ... log:

  all protocols
  no options
  any source
  any destination
  all(?) flags
  level 4 of verbosity

I assume that setting this to level 6 would show ports too.

> The entire iptables is inlined below... maybe you will know how to alter
> them so that ports show up in logs.  That is, only if you are still
> patient enough to continue.... so far, no one has complained about the
> OT thread... but I fear I must be nearing the end of your patient
> willingness to continue, if not the list's willingness to allow my OT
> thread.

No worries! I'm no iptables guru, but I'm still here! ;-)

> There are only 4 instances of LOG in the tables.  But I wonder if it might
> just be an increase in log level that is required.

Yes, level 6, or level 7 (debug) should give you more than the verbosity required. Careful though you don't overdo it and flood your logs. To guard against this, options like --limit-burst or --limit-rate will only capture some of the initial similar packets and quietly drop the rest.

> I wanted to try that out, but was a bit chicken, thinking I'd destroy
> whatever setup there is that invokes the iptable rules.

Yes, that's wise. You don't want to be inadvertently opening holes in your firewall ... This is why you can back up the existing set of rules and then reinstate it when you need to. In Gentoo we can see in our /etc/conf.d/iptables:

===============================================
# /etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
SAVE_ON_STOP="yes"
===============================================

Unless you are running some special script at boot up, that's where all your running rules will be saved:

# /etc/init.d/iptables --verbose save
 * Saving iptables state ...                                        [ ok ]

Then run any commands you want to alter your rule set and if you don't like it restart/reload your iptables (without saving first) to restore your previous configuration.

I would therefore recommend that you experiment on your desktop to achieve the logging level you want and then run the same commands on the router. I guess in the router you'll have to reboot it to reset the rules, or you will need to find the Linksys equivalent command that will save the running rule set (it may be different to /etc/init.d/iptables save - most probably something like /sbin/iptables-save with redirection to a file).

The command you want to run is /sbin/iptables --replace:

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain. If the source and/or
              destination names resolve to multiple addresses, the command
              will fail. Rules are numbered starting at 1.

So, to modify the above rule you would run something like:

/sbin/iptables --replace BLOCK 1 -m limit --limit 15/minute -j LOG --log-level 6 --log-prefix "Blocked packets"

This will only replace the above number 1 rule in the BLOCK chain.

> Chain DOS (6 references)
> target     prot opt source               destination
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 200/sec b
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABL
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 200/sec b
> RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: a
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

To replace the above number 5 rule in the DOS chain you need to follow my example, but first you have to see more than the options shown above - I think that your terminal only showed up to a "burst" option and chopped the rest off?

> Chain SCAN (2 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec bu
> DROP       all  --  0.0.0.0/0            0.0.0.0/0

Ditto here, you want to replace rule number 1 of the SCAN chain, but you need to see the complete rule options in the original so that you can also add them in your command, increasing the level to 6 of course. Have a look in man iptables for details of the different options.

As I said, try it all out on your desktop, see that you are happy with the result and then run the 3 commands on your router. If it gives you the results you want, then save them in the configuration - once you find where these rules are saved of course. Perhaps clicking on the save button of the GUI will achieve the same result after you have made all these changes - give it a try and see if it works.

HTH.
-- 
Regards,
Mick
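An added example, not part of the thread: the -L listing above truncates the limit options, and the -R rule-spec must repeat every match or the rate cap is silently dropped. This script takes the output of `iptables -S <chain>` (which prints each rule in command form; assumed to be available on the router's iptables) and generates the matching `iptables -R` commands for the LOG rules only, keeping the existing limit match, raising the level and adding a prefix. The DOS dump is constructed to mirror the chain quoted above.

```python
import shlex

# Constructed sample in `iptables -S DOS` form (not the poster's real dump).
# -S omits --log-level when it is the default (4) and prints the full limit
# match, which the -L listing in the thread cut off after "bu".
SAMPLE_DOS = """\
-N DOS
-A DOS -p tcp -m limit --limit 200/sec --limit-burst 5 -j RETURN
-A DOS -p udp -m state --state RELATED,ESTABLISHED -j RETURN
-A DOS -p udp -m limit --limit 200/sec --limit-burst 5 -j RETURN
-A DOS -p icmp -m icmp --icmp-type 8 -m limit --limit 200/sec --limit-burst 5 -j RETURN
-A DOS -m limit --limit 10/sec --limit-burst 5 -j LOG
-A DOS -j DROP
"""


def _drop_option(spec, opt):
    """Remove `opt <value>` from an argv list if present."""
    if opt in spec:
        i = spec.index(opt)
        return spec[:i] + spec[i + 2:]
    return spec


def rewrite_log_rules(chain_dump, level=6, prefix=None, limit=None):
    """Return (rulenum, command) pairs: one `iptables -R` per LOG rule.

    Rule numbers count every -A line in order, which is what -R expects.
    `limit` (e.g. "15/minute") is inserted only when the rule has no
    limit match, so an existing rate cap is kept, never loosened.
    """
    commands = []
    rulenum = 0
    for line in chain_dump.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-A":
            continue  # -N / -P lines are not numbered rules
        rulenum += 1
        chain, spec = argv[1], argv[2:]
        if "-j" not in spec or spec[spec.index("-j") + 1] != "LOG":
            continue  # leave RETURN / DROP rules untouched
        if limit and "limit" not in spec:
            spec = ["-m", "limit", "--limit", limit] + spec
        spec = _drop_option(spec, "--log-level") + ["--log-level", str(level)]
        if prefix is not None:
            spec = _drop_option(spec, "--log-prefix") + ["--log-prefix", prefix]
        cmd = shlex.join(["iptables", "-R", chain, str(rulenum)] + spec)
        commands.append((rulenum, cmd))
    return commands


if __name__ == "__main__":
    for _, cmd in rewrite_log_rules(SAMPLE_DOS, prefix="DOS: "):
        print(cmd)
```

Review the printed commands, then run them on the desktop first and only afterwards on the router, as the message recommends.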