On Mon, Jul 21, 2003 at 09:44:49AM -0300, Juliano Murlick wrote:

> Maybe I did my question wrong ... Sorry.
> I wanna LOG all packets dropped, but I don't wanna do one rule for each port
> or kind of packet; my rule script is like this:
>
> ##########################################################
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -P FORWARD -p tcp -s $REDELOCAL -d 200.228.185.225 --dport 25 -j ACCEPT
> iptables -P FORWARD -p tcp -s $REDELOCAL -d 200.228.185.225 --dport 110 -j ACCEPT

Add this here:

iptables -A FORWARD -j LOG --log-level alert

Also the two lines above must be "-A" and not "-P". So it becomes:

------------------------------
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -s $REDELOCAL -d 200.228.185.225 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s $REDELOCAL -d 200.228.185.225 --dport 110 -j ACCEPT
iptables -A FORWARD -j LOG --log-level alert
------------------------------

This will only log the unwanted traffic in the FORWARD chain. If you want
other chains to log, add something like this to the end of the chains.

Ramin

> ##########################################################
>
> Now, I wanna LOG all dropped packets: everyone that tries to access another IP
> address or port must be logged. How can I get it?
>
> ATs,
> Juliano Murlick
> SICREDI Serviços - Tecnologia
> jmurlick@xxxxxxxxxxxxxx
> (51) 3358-4977 / (51) 9951-3888
>
> -----Original Message-----
> From: Ramin Dousti [mailto:ramin@xxxxxxxxxxxxxxxxxxxx]
> Sent: Saturday, July 19, 2003 19:06
> To: Juliano Murlick
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>
> On Sat, Jul 19, 2003 at 02:38:01PM -0300, Juliano Murlick wrote:
>
> > Hello ALL,
> > I need to log all packets dropped on my firewall. How can I get it? I
> > know how to log all that I accept, like this:
>
> If I understand your question correctly:
> If you want to log the dropped packets only, then you must allow the ones you
> want in the beginning of your rule set, and the very last rule (right before
> the default DROP policy) must be LOG.
>
> Ramin
>
> > iptables -A FORWARD -p tcp -s $REDELOCAL --sport 1024:65535 -d $SSHSRV
> > --dport 22 -j LOG
> > iptables -A FORWARD -p tcp -s $REDELOCAL --sport 1024:65535 -d $SSHSRV
> > --dport 22 -j ACCEPT
> >
> > I will LOG all packets from the SSH connection, but I don't know how to log all
> > packets dropped; my default policy is DROP:
> >
> > iptables -P FORWARD DROP
> >
> > Please, if anyone knows it, tell me ....
> >
> > Thanks in advance!
> >
> > Att,
> > Juliano Murlick
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.500 / Virus Database: 298 - Release Date: 10/7/2003
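As an added example (not code from the thread or from either poster): a small script that builds the FORWARD chain in the order Ramin describes, accepts first and a catch-all LOG rule as the very last rule before the DROP policy, plus a rate limit on the LOG rule so a burst of dropped packets cannot fill the log. The LAN range, the log prefix and the limit values are assumed placeholders; it defaults to a dry run that prints the rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the FORWARD chain in the
# order Ramin describes: accepts first, a catch-all LOG rule last, then the
# DROP policy takes whatever is left. The LAN range, log prefix and limit
# values are assumed placeholders; the mail server address is the one from
# the thread. Defaults to a dry run that prints the rules; set IPT=iptables
# (as root) to load them for real.

REDELOCAL="${REDELOCAL:-192.168.0.0/24}"   # constructed LAN placeholder
MAILSRV="200.228.185.225"                  # address from the thread

# Emit the FORWARD ruleset through the command given as $1 (echo or iptables).
build_forward_rules() {
    ipt="$1"
    "$ipt" -P FORWARD DROP
    "$ipt" -F FORWARD
    # Wanted traffic is accepted first, so it never reaches the LOG rule.
    "$ipt" -A FORWARD -p tcp -s "$REDELOCAL" -d "$MAILSRV" --dport 25 -j ACCEPT
    "$ipt" -A FORWARD -p tcp -s "$REDELOCAL" -d "$MAILSRV" --dport 110 -j ACCEPT
    # Anything still unmatched here will hit the DROP policy: log it first.
    # The limit match keeps a flood of dropped packets from filling the log.
    "$ipt" -A FORWARD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level alert --log-prefix "FORWARD-DROP: "
}

# Sanity check on the dry-run output: succeeds (exit 0) only if the last
# rule appended to FORWARD is the LOG rule, i.e. nothing comes after it.
log_is_last() {
    build_forward_rules echo | awk '/^-A FORWARD/ { last = $0 }
        END { exit (last ~ /-j LOG/) ? 0 : 1 }'
}

build_forward_rules "${IPT:-echo}"
```

Any rule appended to FORWARD after the LOG rule would be reached only by packets that are about to be dropped anyway, so `log_is_last` is the check to run before loading the script on a real host.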