RHEL6–45–
IP TABLES IN LINUX -P7
IP Tables digging deeper,
CONFIGURE IPTABLE LOGGING-2:
Great, our requirement is fulfilled. But I still think that collecting garbage is not wise, and putting everything in /var/log/messages will be an annoyance when you are searching for something really serious.

What is the solution? Let's put those logs in a different file. Two things to settle first:

1. Do we really need all the info about every incident?
2. One more thing I noticed from the /var/log/messages output above: there is only info about port 21 access, nothing to clarify whether the action was DROP, ACCEPT or REJECT.

First, check what level of logs we require.
LEVEL  NAME            DESCRIPTION
0      emerg or panic  System is probably about to crash
1      alert           Immediate attention is required
2      crit            Critical hardware or software failure
3      error           Reporting of hardware problems by drivers
4      warning         Something bad, but the problem is not serious
5      notice          No problems; indicates an advisory of some sort
6      info            General information
7      debug           Debugging
From the above levels we can identify our need and set the LOG rule accordingly, for example:
--log-level 6
[root@rhel6-server ~]# vi /etc/rsyslog.conf
# added the following line at the end of the RULES section:
kern.warning /var/log/iptables.log
[root@rhel6-server ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@rhel6-server ~]# cat /var/log/iptables.log

Nothing in the output, because we applied "warning" only, while our LOG rule writes at level info (6), which is below warning. Change it to "kern.info", restart rsyslog and check the log file.
[root@rhel6-server ~]# cat /var/log/iptables.log
Jul 9 17:14:20 rhel6-server kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jul 9 17:14:21 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=16823 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=255 RES=0x00 ACK PSH URGP=0
Jul 9 17:14:22 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=16827 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=254 RES=0x00 ACK PSH URGP=0
Jul 9 17:14:23 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=16829 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=254 RES=0x00 ACK PSH URGP=0
Well, let's move on to the other issue, which is identifying the action (ACCEPT or DROP) from the log entry itself.
#iptables -N ALLOW-LOG
#iptables -A ALLOW-LOG -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
#iptables -A ALLOW-LOG -j ACCEPT

· -N creates a new chain, here ALLOW-LOG.
· Append a rule to the ALLOW-LOG chain to LOG with prefix "INPUT:ACCEPT:", where log-level 6 means info (everything).
· ACCEPT whatever comes to this chain.

#iptables -N DENY-LOG
#iptables -A DENY-LOG -j LOG --log-prefix "INPUT:DROP: " --log-level 6
#iptables -A DENY-LOG -j DROP

· -N creates a new chain, here DENY-LOG.
· Append a rule to the DENY-LOG chain to LOG with prefix "INPUT:DROP: ", where log-level 6 means info (everything).
· DROP whatever comes to this chain.
Now our new ALLOW & DENY LOG chains are created:

Chain ALLOW-LOG (0 references)
num  target  prot opt source    destination
1    LOG     all  --  anywhere  anywhere     LOG level info prefix `INPUT:ACCEPT:'
2    ACCEPT  all  --  anywhere  anywhere

Chain DENY-LOG (0 references)
num  target  prot opt source    destination
1    LOG     all  --  anywhere  anywhere     LOG level info prefix `INPUT:DROP: '
2    DROP    all  --  anywhere  anywhere
Now it's time to create rules with a twist: instead of jumping to ACCEPT or DROP directly, the rule jumps to one of our logging chains.

#iptables -A/I <Chain> <Define conditions> -j ALLOW-LOG
#iptables -A/I <Chain> <Define conditions> -j DENY-LOG

Creating a rule to DROP FTP:
#iptables -I INPUT -p tcp -m multiport --dport 20,21 -j DENY-LOG

Creating a rule to ALLOW HTTP:
#iptables -I INPUT 4 -p tcp --dport 80 -j ALLOW-LOG
Tried FTP & HTTP from the client to this machine:

[root@rhel6-server ~]# grep DPT=21 /var/log/iptables.log
Jul 9 18:15:40 rhel6-server kernel: INPUT:DROP: IN= OUT=lo SRC=192.168.135.142 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61424 DF PROTO=TCP SPT=33408 DPT=21 WINDOW=32792 RES=0x00 SYN URGP=0
Jul 9 18:15:41 rhel6-server kernel: INPUT:DROP: IN= OUT=lo SRC=192.168.135.142 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61425 DF PROTO=TCP SPT=33408 DPT=21 WINDOW=32792 RES=0x00 SYN URGP=0
[root@rhel6-server ~]# grep DPT=80 /var/log/iptables.log
Jul 9 18:15:51 rhel6-server kernel: INPUT:ACCEPT:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.135.142 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62146 DF PROTO=TCP SPT=53360 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
Jul 9 18:15:51 rhel6-server kernel: INPUT:ACCEPT:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.135.142 DST=192.168.135.142 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=62147 DF PROTO=TCP SPT=53360 DPT=80 WINDOW=257 RES=0x00 ACK URGP=0
I tried to LOG OUTGOING connections with the same CHAINS and LOL 😊😊….

#iptables -I OUTPUT -p tcp -m multiport --dport 20,21 -j DENY-LOG
#iptables -I OUTPUT 3 -p tcp --dport 80 -j ALLOW-LOG
We have proper logs BUT…BUT,

[root@rhel6-server ~]# grep DPT=21 /var/log/iptables.log |tail -2
Jul 9 18:58:33 rhel6-server kernel: INPUT:DROP: IN= OUT=eth1 SRC=192.168.135.143 DST=192.168.135.157 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24991 DF PROTO=TCP SPT=42602 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Jul 9 18:58:35 rhel6-server kernel: INPUT:DROP: IN= OUT=eth1 SRC=192.168.135.143 DST=192.168.135.157 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24992 DF PROTO=TCP SPT=42602 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
[root@rhel6-server ~]# grep DPT=80 /var/log/iptables.log |tail -2
Jul 9 19:01:55 rhel6-server kernel: INPUT:ACCEPT:IN= OUT=eth1 SRC=192.168.135.143 DST=192.168.135.157 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60829 DF PROTO=TCP SPT=43468 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jul 9 19:01:55 rhel6-server kernel: INPUT:ACCEPT:IN= OUT=eth1 SRC=192.168.135.143 DST=192.168.135.157 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=56875 DF PROTO=TCP SPT=43469 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[root@rhel6-server ~]#
What is the solution? The prefix is hard-coded in the chain, so outgoing packets (IN= empty, OUT=eth1) are still tagged INPUT:DROP and INPUT:ACCEPT. If we want to log OUTPUT communication in the same fashion, then we have to create NEW CHAINS with the log prefixes OUTPUT:DROP & OUTPUT:ACCEPT.
[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source    destination
1    DENY-LOG   tcp  --  anywhere  anywhere     multiport dports ftp-data,ftp
2    LOG        all  --  anywhere  anywhere     limit: avg 1/sec burst 5 LOG level info
3    DROP       all  --  anywhere  anywhere     state INVALID
4    ALLOW-LOG  tcp  --  anywhere  anywhere     tcp dpt:http
5    ACCEPT     tcp  --  anywhere  anywhere     tcp dpt:ssh state NEW,ESTABLISHED
6    ACCEPT     icmp --  anywhere  anywhere     length 1:200
7    ACCEPT     all  --  anywhere  anywhere     state NEW,RELATED,ESTABLISHED
8    DROP       all  --  anywhere  anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source    destination

Chain OUTPUT (policy DROP)
num  target     prot opt source    destination
1    DENY-LOG   tcp  --  anywhere  anywhere     multiport dports ftp-data,ftp
2    ACCEPT     all  --  anywhere  anywhere
3    ALLOW-LOG  tcp  --  anywhere  anywhere     tcp dpt:http
4    ACCEPT     tcp  --  anywhere  anywhere     tcp spt:ssh state NEW,ESTABLISHED
5    ACCEPT     icmp --  anywhere  anywhere     length 1:200
6    ACCEPT     all  --  anywhere  anywhere     state NEW,RELATED,ESTABLISHED

Chain ALLOW-LOG (2 references)
num  target     prot opt source    destination
1    LOG        all  --  anywhere  anywhere     LOG level info prefix `INPUT:ACCEPT:'
2    ACCEPT     all  --  anywhere  anywhere

Chain DENY-LOG (2 references)
num  target     prot opt source    destination
1    LOG        all  --  anywhere  anywhere     LOG level info prefix `INPUT:DROP: '
2    DROP       all  --  anywhere  anywhere
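To make the mislabelling above visible from the log file itself, here is a small parser (an added example, not code from the post) for the lines rsyslog writes for the iptables LOG target. It takes the action from --log-prefix but the direction from the kernel's own IN=/OUT= fields, and flags entries where the two disagree, which is exactly what happens when the INPUT-prefixed chains are reused from OUTPUT; it also copes with the missing trailing space in "INPUT:ACCEPT:" and with unprefixed lines. The function names and the sample lines are mine; the first sample line is constructed, the others follow the post's logs.

```python
import re
from collections import Counter

# Constructed sample lines in the format rsyslog writes for the iptables LOG target.
# Line 1 is made up (inbound FTP SYN hitting DENY-LOG on eth1); lines 2-4 follow the
# post's own entries. "INPUT:ACCEPT:" has no trailing space, so the kernel glues it to
# IN=; "INPUT:DROP: " has one; the last line carries no prefix at all.
SAMPLE_LOG = """\
Jul  9 18:15:40 rhel6-server kernel: INPUT:DROP: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=61424 DF PROTO=TCP SPT=33408 DPT=21 WINDOW=32792 RES=0x00 SYN URGP=0
Jul  9 18:15:51 rhel6-server kernel: INPUT:ACCEPT:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.135.142 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62146 DF PROTO=TCP SPT=53360 DPT=80 WINDOW=32792 RES=0x00 SYN URGP=0
Jul  9 18:58:33 rhel6-server kernel: INPUT:DROP: IN= OUT=eth1 SRC=192.168.135.143 DST=192.168.135.157 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24991 DF PROTO=TCP SPT=42602 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  9 17:14:21 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=16823 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=255 RES=0x00 ACK PSH URGP=0
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix (may be empty).
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")  # KEY=value pairs; flags like DF/SYN have no "="

def parse_line(line):
    """Return a dict for one LOG line, or None for other kernel messages."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    prefix = m.group("prefix").strip()
    fields = dict(FIELD_RE.findall("IN=" + m.group("rest")))
    # Action is whatever the prefix claims (last ":" token); None when unprefixed.
    action = prefix.rstrip(":").split(":")[-1] if prefix else None
    # Direction comes from the kernel fields, not the prefix: a packet seen in INPUT
    # always has IN= set; empty IN= with OUT= set means locally generated (OUTPUT).
    if fields.get("IN"):
        direction = "INPUT"
    elif fields.get("OUT"):
        direction = "OUTPUT"
    else:
        direction = "UNKNOWN"
    return {"prefix": prefix, "action": action, "direction": direction,
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT")}

def summarize(text):
    """Count (direction, action, dport) and collect lines whose prefix lies about direction."""
    counts = Counter()
    mislabeled = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["direction"], rec["action"], rec["dpt"])] += 1
        if rec["prefix"] and not rec["prefix"].startswith(rec["direction"]):
            mislabeled.append(rec)
    return counts, mislabeled
```

Running summarize() over the real /var/log/iptables.log after the OUTPUT rules were added would list every INPUT:-prefixed entry with OUT=eth1 as mislabeled, which is the case for separate OUTPUT:ACCEPT / OUTPUT:DROP chains.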