On Friday 14 February 2003 01:49 am, Jean-Christian Imbeault wrote:

> I've written my first set of iptables rules but they're still buggy =)
> I keep locking myself out. So I'm trying to enable logging to see why
> I can't SSH to my box but I can't seem to get logging to work.
>
> I have set the default policy to DROP and added only ACCEPT rules, so
> nothing gets DROPPED or REJECTED before making it to the last (logging)
> rule. The last rule should LOG anything that didn't match ... but I
> can't find any iptables entries in /var/log/messages ...
>
> Two questions:
>
> #1 why isn't logging working

Check /etc/syslog.conf, which controls what messages are logged, and
where. You should probably try inserting something like this:

> #2 What is wrong with my rules :)
>
> My network setup is like this:
>
> LAN ---- FIREWALL ---- WAN
>
> JC                     LINUX
>
> I don't control the Firewall. But its settings are fine I think since
> I can connect from JC <-> LINUX just fine. But if I try my iptables
> rules I lock myself out.
>
> The services I'd like to allow access to are:
>
> HTTP, HTTPS, SMTP, DNS from anywhere and
> SSH from JC --> LINUX
>
> My rules are:
>
> IPT="/usr/local/sbin/iptables"
> LINUX="x.x.x.x"
> JC="x.x.x.x"
>
> for i in filter
> do
> $IPT -t $i -F
> $IPT -t $i -X
> done
>
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
>
> # Loopback accepts everything
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A OUTPUT -o lo -j ACCEPT
>
> # Allow all other icmp
> $IPT -A INPUT -p icmp -j ACCEPT
>
> # Allow previously established connections
> $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # HTTP, HTTPS
> $IPT -A INPUT -p TCP -s 0/0 -i eth0 -d $LINUX --dport 80 -j ACCEPT
> $IPT -A INPUT -p TCP -s 0/0 -i eth0 -d $LINUX --dport 443 -j ACCEPT
>
> # SSH FROM JC --> LINUX
> $IPT -A INPUT -p TCP -s $JC -i eth0 -d $LINUX --dport 22 -j ACCEPT
>
> # SMTP
> $IPT -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 10 -j ACCEPT
> $IPT -A INPUT -p tcp --dport 25 -j ACCEPT
>
> # DNS
> $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
> $IPT -A INPUT -p udp --dport 53 -j ACCEPT
>
> # LOG anything that didn't get accepted ...
> $IPT -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG --log-level debug --log-prefix "Firewalled packet:"
>
> My /etc/syslog.conf has this entry to send all debug messages to
> /var/log/firewall:
>
> kern.debug /var/log/firewall
>
> Yet even when I telnet to my machine I don't see any iptables related
> messages ...
>
> What did I miss to get logging enabled? (and if anyone can spot why I
> can't SSH to my box from my PC (JC) please let me know ;)
>
> Thanks,
>
> Jc
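Added example, not part of this thread: once a LOG rule with --log-prefix "Firewalled packet:" fires, the kernel writes one line per packet to syslog with IN=, SRC=, DST=, PROTO=, SPT= and DPT= fields, and the quickest way to answer "did the firewall drop my SSH?" is to parse those lines and count them per source and destination port. The parser below does that; the sample log lines and addresses are constructed, and note that the quoted LOG rule is restricted to -p tcp --syn, so only TCP connection attempts would ever show up in such a log.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation addresses, not from the thread).
# The last line is an ordinary sshd message to show non-firewall lines are skipped.
SAMPLE_LOG = """\
Feb 14 02:10:01 linux kernel: Firewalled packet:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 02:10:03 linux kernel: Firewalled packet:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 14 02:10:07 linux kernel: Firewalled packet:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=777 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 14 02:10:09 linux sshd[1234]: Accepted password for jc from 192.0.2.10 port 40001 ssh2
"""

# Field layout of an iptables LOG line: prefix, IN=, OUT=, optional MAC=, SRC=, DST=,
# then PROTO=; SPT=/DPT= only exist for TCP and UDP, so they are optional here.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>[^=]*?)IN=(?P<iface>\S*) OUT=\S* (?:MAC=\S+ )?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return the interesting fields of an iptables LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(log_text):
    """Count logged packets by (source, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            counts[(rec["src"], rec["proto"], rec["dpt"])] += 1
    return counts


def blocked_from(log_text, src, dpt):
    """Packets logged from one source to one port: if this is non-zero for your own
    PC and port 22, the firewall (not sshd) is what refused the connection."""
    return sum(n for (s, _proto, d), n in summarize(log_text).items()
               if s == src and d == dpt)


if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:>15}  {proto:<4} dpt={dpt}")
```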