Re: [logs] understanding IPTABLES logs

From: M Taylor (mctaylorat_private)
Date: Wed Aug 13 2003 - 05:19:44 PDT


    Taylor Robison wrote:
    > 
    > I'm afraid it is not obvious to me WHY a log message is significant. 
    
    You can use the --log-prefix to prefix a brief description or rule-id.
     
    > was the packet dropped, accepted or denied?
    > what rule was violated?
    > what about the connection cause the rule to be violated?
    
    Here's a sample chain of logging rules that use --log-prefix (based upon
    one or more examples/HOWTOs/docs about netfilter/iptables):
    
    iptables -N scan
    iptables -A scan -p tcp --tcp-flags ALL FIN,SYN -m limit \
      --limit 10/minute -j LOG --log-prefix 'SYNFINSCAN '
    iptables -A scan -p tcp --tcp-flags ALL ALL -m limit --limit 10/minute \
      -j LOG --log-prefix 'XMASSCAN '
    iptables -A scan -p tcp --tcp-flags FIN,ACK FIN -m limit \
      --limit 10/minute -j LOG --log-prefix 'FINSCAN '
    iptables -A scan -p tcp --tcp-flags ALL NONE -m limit --limit 10/minute \
      -j LOG --log-prefix 'NULLSCAN '
    iptables -A scan -p icmp -f -m limit --limit 10/minute -j LOG \
      --log-prefix 'ICMPFRAG '
    
    > I suppose there is an M out there I should be RTFing....perhaps someone
    > would be kind enough to point me in the right direction?
    
    http://www.netfilter.org/documentation/ is a sensible starting point. 
    There are tons of examples and additional information also available;
    google for those.
    
    
    -- 
    M Taylor
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
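An added example, not part of M Taylor's message: a small Python parser that pulls the --log-prefix tag and the key=value fields back out of the kernel log lines those LOG rules produce, and tallies hits per prefix and per source address, which is how the prefix answers "which rule fired". The log lines, hostname and addresses below are constructed for the example.

```python
"""Parse netfilter LOG lines that carry a --log-prefix and summarise them."""
import re
from collections import Counter

# Constructed sample syslog lines in the shape the kernel LOG target emits
# (host, interface, addresses and IDs are made up; not real traffic).
SAMPLE_LOG = """\
Aug 13 05:19:44 fw kernel: SYNFINSCAN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=41020 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Aug 13 05:19:45 fw kernel: XMASSCAN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=TCP SPT=41021 DPT=80 WINDOW=1024 RES=0x00 CWR ECE URG ACK PSH RST SYN FIN URGP=0
Aug 13 05:19:46 fw kernel: NULLSCAN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=TCP SPT=6000 DPT=443 WINDOW=1024 RES=0x00 URGP=0
Aug 13 05:19:47 fw kernel: ICMPFRAG IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=60 ID=7 MF PROTO=ICMP TYPE=8 CODE=0
Aug 13 05:19:48 fw kernel: unrelated kernel message without netfilter fields
"""

# Everything between "kernel: " (optionally a printk timestamp) and "IN=" is the prefix.
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_log_line(line):
    """Return a dict of PREFIX, key=value fields, bare bits (DF/MF) and TCP FLAGS, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not a netfilter LOG line
    fields = {"PREFIX": m.group("prefix").strip()}
    flags = set()
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)      # the kernel prints set TCP flags as bare words
        else:
            fields[tok] = True  # fragmentation bits such as DF / MF
    fields["FLAGS"] = flags
    return fields


def summarise(text):
    """Count hits per --log-prefix and per source address, skipping unrelated lines."""
    by_prefix, by_src = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        by_prefix[rec["PREFIX"]] += 1
        by_src[rec["SRC"]] += 1
    return by_prefix, by_src


if __name__ == "__main__":
    prefixes, sources = summarise(SAMPLE_LOG)
    print("by prefix:", dict(prefixes))
    print("by source:", dict(sources))
```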