Basic IPTables Question

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Mon Aug 30 23:29:54 UTC 2004


On Tue, 31.08.2004 at 1:08, Aly Dharshi wrote:

> 	I am new to the world of IPTables and I have rules such as:
> 
> iptables -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "IPTABLES TCP-IN" --log-level 1

The LOG rule must be in front of the other matching rule (here an ACCEPT
rule). Otherwise the packets jump out of the chain to the target and
never reach the LOG.

> 	Where can I see these logs? I assumed that they would be in /var/log/messages but nothing shows.

Depends on the log priority you set and how you configured your syslog.

From "man syslog"

       #define KERN_EMERG    "<0>"  /* system is unusable               */
       #define KERN_ALERT    "<1>"  /* action must be taken immediately */
       #define KERN_CRIT     "<2>"  /* critical conditions              */
       #define KERN_ERR      "<3>"  /* error conditions                 */
       #define KERN_WARNING  "<4>"  /* warning conditions               */
       #define KERN_NOTICE   "<5>"  /* normal but significant condition */
       #define KERN_INFO     "<6>"  /* informational                    */
       #define KERN_DEBUG    "<7>"  /* debug-level messages             */

These are the possible 7 log priorities. Your above rule has set "1". On
FC2, with the default config /etc/syslog.conf, these messages are logged
nowhere. See "man syslog.conf" on how to set up syslog to log differently.

> 	Secondly, on this same box that is running this firewall I have a mail server that just sends mail out. If I try to send a message from the box to the local smtpd on the box it just sits there. These are all my rules:
> 
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "IPTABLES TCP-IN" --log-level 1
> -A INPUT -d 161.184.244.187 -i eth0 -p udp -m state --state ESTABLISHED -j ACCEPT
> -A INPUT -d 161.184.244.187 -i eth0 -p udp -m state --state ESTABLISHED -j LOG --log-prefix "IPTABLES UDP-IN" --log-level 1
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -d 161.184.244.187 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j LOG --log-prefix "IPTABLES SSH-IN" --log-level 1
> -A OUTPUT -s 161.184.244.187 -o eth0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 161.184.244.187 -o eth0 -p tcp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "IPTABLES TCP-OUT" --log-level 1
> -A OUTPUT -s 161.184.244.187 -o eth0 -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 161.184.244.187 -o eth0 -p udp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "IPTABLES UDP-OUT" --log-level 1
> 
> 	What am I doing wrong? Should I have a rule to allow incoming 25 on tcp, as I have listed the full hostname in the mail settings?

If those are all the rules you have and a default policy of DROP, then
nothing goes. You certainly want to read carefully on
http://www.netfilter.org/ or other iptables howtos. If you do not allow
traffic on localhost you have a lot of problems. Disabling mail is then
your smallest. From your "snippet" above one cannot judge much. If
your chain policy is ACCEPT then your rules do nothing.

Sorry, the iptables topic is too big to explain all the things that play in
here. Keep in mind that the chains are gone through from first to last
until a rule matches. Then the jump target is taken.

> Aly Dharshi

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 01:18:22 up 22:35, 12 users, 1.99, 0.70, 0.41 
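A small Python model of the first-to-last chain walk described in the reply, added here as an example and not part of the original mail: LOG is a non-terminating target, so the quoted LOG-after-ACCEPT ordering never logs, and with a DROP policy and no loopback rule the local MTA's connection to itself is dropped too. The Packet and Rule classes and the sample packets are constructed for the illustration.

```python
"""Toy model of iptables chain traversal: rules are walked first to last,
LOG is non-terminating, ACCEPT/DROP end the walk, else the policy applies."""
from dataclasses import dataclass
@dataclass
class Packet:
    iface: str          # input interface, e.g. "eth0" or "lo"
    proto: str          # "tcp" or "udp"
    state: str          # conntrack state: "NEW" or "ESTABLISHED"
    dport: int = 0
@dataclass
class Rule:
    target: str         # "ACCEPT", "DROP" or "LOG"
    iface: str = None   # None means "any" for each match field below
    proto: str = None
    states: tuple = ()
    dport: int = None
    log_prefix: str = ""
    def matches(self, p):
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (not self.states or p.state in self.states)
                and (self.dport is None or p.dport == self.dport))

def traverse(chain, policy, pkt):
    """Return (verdict, log prefixes hit) for pkt walking chain in order."""
    logged = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged.append(rule.log_prefix)  # LOG records and keeps walking
            continue
        return rule.target, logged          # first terminating match wins
    return policy, logged                   # chain exhausted: policy decides

# Constructed sample rules modelled on the quoted INPUT chain (policy DROP).
ACCEPT_EST = Rule("ACCEPT", iface="eth0", proto="tcp", states=("ESTABLISHED",))
LOG_EST = Rule("LOG", iface="eth0", proto="tcp", states=("ESTABLISHED",),
               log_prefix="IPTABLES TCP-IN")
ALLOW_LO = Rule("ACCEPT", iface="lo")       # absent from the posted rules
POSTED = [ACCEPT_EST, LOG_EST]              # LOG behind ACCEPT: never reached
FIXED = [ALLOW_LO, LOG_EST, ACCEPT_EST]     # LOG first, loopback allowed

def demo():
    est = Packet("eth0", "tcp", "ESTABLISHED", 80)
    lo_smtp = Packet("lo", "tcp", "NEW", 25)    # local MTA connecting to itself
    return {"posted": traverse(POSTED, "DROP", est),         # ('ACCEPT', [])
            "fixed": traverse(FIXED, "DROP", est),  # ('ACCEPT', ['IPTABLES TCP-IN'])
            "posted_lo": traverse(POSTED, "DROP", lo_smtp),  # ('DROP', [])
            "fixed_lo": traverse(FIXED, "DROP", lo_smtp)}    # ('ACCEPT', [])
```

The model only covers the match fields used in the quoted rules; the real netfilter walk applies the same first-terminating-match logic across every rule in the chain.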