> I was wondering if there was a way I could set up my rules to
> log EVERYTHING, THEN process normally. I.e. if it's an
> allowed port, log the connection, then pass it through, and
> if it is a disallowed port, log the intrusion and then reject
> the packet.
>
> Is this possible?

Sure.

  iptables -P INPUT DROP
  iptables -A INPUT -i <inet_if> -p tcp --dport 22 -j LOG --log-level info --log-prefix "ipt:ssh "
  iptables -A INPUT -i <inet_if> -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -i <inet_if> -p tcp --dport 80 -j LOG --log-level info --log-prefix "ipt:http "
  iptables -A INPUT -i <inet_if> -p tcp --dport 80 -j ACCEPT
  <...More rules like these...>
  iptables -A INPUT -i <inet_if> -j LOG --log-level info --log-prefix "ipt:DROP! "

This will log all packets allowed and then accept them. If there's no match for a packet it gets logged as "ipt:DROP!" and then will be dropped (not rejected) by the default policy.

You can also reject the packet by using the following line as the last rule:

  iptables -A INPUT -i <inet_if> -j REJECT [--reject-with <some-type>]

In this case you don't really need the default policy, as no packet will reach it.

Rob
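The following script is an added example, not part of Rob's reply. It turns the log-then-decide pattern above into a small generator: given an interface and a list of `port:tag` pairs it emits the matching LOG/ACCEPT rule pairs, then the catch-all LOG and REJECT. Two things are my own additions rather than anything in the post: the `-m limit` match on the catch-all LOG rule, so that a flood of unwanted packets cannot fill the kernel log, and the `summarise_drops` helper, which reads netfilter log lines (the sample lines are constructed) and counts the rejected packets per source address, which is what you would look at after turning this logging on. The `IPT` variable defaults to `echo iptables`, so running the script prints the commands instead of changing the firewall; set `IPT=iptables` as root to apply them.

```shell
#!/bin/sh
# Added example: generate a log-then-accept / log-then-reject INPUT chain
# and summarise the resulting kernel log lines. Not from the original post.

# Command prefix. Defaults to a dry run that prints the iptables commands.
IPT="${IPT:-echo iptables}"

# gen_rules IFACE port:tag [port:tag ...]
# Prints (or, with IPT=iptables, applies) one command per line.
gen_rules() {
    iface="$1"; shift
    $IPT -P INPUT DROP
    for spec in "$@"; do
        port="${spec%%:*}"
        tag="${spec#*:}"
        # Log the allowed packet first, then accept it (same order as the post).
        $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -j LOG --log-level info --log-prefix "ipt:$tag "
        $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -j ACCEPT
    done
    # Catch-all: log, then reject. The limit match is my addition; without it
    # an unwanted packet stream produces one log line per packet.
    $IPT -A INPUT -i "$iface" -m limit --limit 10/min -j LOG --log-level info --log-prefix "ipt:DROP! "
    $IPT -A INPUT -i "$iface" -j REJECT --reject-with icmp-port-unreachable
}

# Constructed sample of what the LOG rules write to the kernel log
# (field list abridged to what the summary below uses).
SAMPLE_LOG='Mar  1 10:00:01 host kernel: ipt:ssh IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22
Mar  1 10:00:02 host kernel: ipt:DROP! IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=23
Mar  1 10:00:03 host kernel: ipt:DROP! IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=445
Mar  1 10:00:04 host kernel: ipt:http IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=52000 DPT=80'

# summarise_drops < logfile
# Prints "count SRC" for lines carrying the ipt:DROP! prefix, busiest source first.
summarise_drops() {
    awk '/ipt:DROP! / {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") n[src]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# count_prefixes < logfile
# Prints "count prefix" for every ipt:* prefix seen, so accepted and rejected
# traffic can be compared side by side.
count_prefixes() {
    awk '$6 ~ /^ipt:/ { n[$6]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# Dry-run demonstration: prints the ruleset, then the two summaries.
gen_rules eth0 22:ssh 80:http
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
printf '%s\n' "$SAMPLE_LOG" | count_prefixes
```

On the sample lines the summary reports `2 192.0.2.9` as the only rejected source, while the prefix counts show one `ipt:ssh`, one `ipt:http` and two `ipt:DROP!` entries. On a real host the same functions read the lines from wherever the kernel's log facility is written (for example `journalctl -k` or `/var/log/kern.log`).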