Hi folks,
I'm a newbie to netfilter and have a short question: where can I see which packets have been DROPPED and which have not? I remember that I once read something about /proc/net/??, but I can't find there what I'm searching for. Can you help, please?
You need to use the LOG target. The LOG target is non-terminating (netfilter will continue matching rules from the chain).
Exactly where and how you will use it depends on how you have configured your firewall. As a rule of thumb, for each DROP target put exactly the same rule with the LOG target just before it. For each chain with a DROP policy, put a log-all rule at the very end of the chain.
So you would have something like this wherever you have DROP target:
  -A INPUT -p tcp --dport 80 -j LOG --prefix "kill http "
  -A INPUT -p tcp --dport 80 -j DROP
And something like this wherever you set default policy to DROP, as the *last* rule in the chain (and make sure you *never* insert any ACCEPT rules after it, for the obvious reason):
  -A INPUT -j LOG --prefix "dropped in input "
Change the prefixes to whatever you want to appear in your log files. This will be logged by the kernel, so it will appear wherever your kernel logs go.
Note that with rules like this, any Joe Cracker can quickly fill your disk, just by bombarding you with packets that your firewall is dropping (and logging).
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
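Since the original question was where to see which packets were dropped, the following is an added example that is not part of the thread: a small Python script that reads the kernel LOG lines the rules in the reply produce (as they land in syslog or dmesg), counts drops per --prefix, per source address and per protocol/port, and flags sources that are generating enough log lines to matter for the disk-filling problem the reply warns about. The sample log lines are constructed, the prefixes follow the reply's rules, and the function names (parse_log_line, summarize, noisy_sources) and the threshold are my own choices. The header comment also shows the usual mitigation for log flooding, the `limit` match on the LOG rule, which the thread does not mention.

```python
"""Summarise netfilter LOG output from syslog/dmesg (added example, not from the thread).

The constructed lines below are what the kernel emits for rules such as:

    iptables -A INPUT -p tcp --dport 80 -j LOG --prefix "kill http "
    iptables -A INPUT -p tcp --dport 80 -j DROP
    iptables -A INPUT -j LOG --prefix "dropped in input "   # last rule, policy DROP

To stop an attacker filling the disk, rate-limit the LOG rule instead of logging
every packet (the DROP rule after it is still unlimited):

    iptables -A INPUT -p tcp --dport 80 -m limit --limit 5/min --limit-burst 10 \
        -j LOG --prefix "kill http "
"""
import re
from collections import Counter

# Constructed sample log lines in the standard netfilter LOG format.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: kill http IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:01 fw kernel: kill http IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: kill http IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: dropped in input IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=31337 PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jan 10 12:00:04 fw kernel: dropped in input IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 10 12:00:06 fw kernel: eth0: link up
Jan 10 12:00:07 fw kernel: kill http IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# A netfilter LOG message is: [printk timestamp] <prefix> IN=... OUT=... key=value ...
LOG_RE = re.compile(
    r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?"  # optional "[12345.678]" printk timestamp
    r"(?P<prefix>.*?)\s*"               # the --prefix text, possibly empty
    r"(?P<fields>IN=.*)$"               # netfilter fields always start at IN=
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # flags like DF or SYN have no '=' and are skipped


def parse_log_line(line):
    """Return a dict for a netfilter LOG line, or None for other kernel messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "prefix": m.group("prefix").strip(),
        "in": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),   # absent for ICMP
    }


def summarize(log_text):
    """Count logged packets per prefix, per source and per protocol/port."""
    records = [r for r in map(parse_log_line, log_text.splitlines()) if r]
    return {
        "records": records,
        "by_prefix": Counter(r["prefix"] for r in records),
        "by_src": Counter(r["src"] for r in records),
        "by_service": Counter((r["proto"], r["dpt"]) for r in records),
    }


def noisy_sources(by_src, threshold):
    """Sources at or above `threshold` logged packets: the ones that would fill
    the disk, and the reason to put `-m limit` on the LOG rule."""
    return sorted(src for src, n in by_src.items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for prefix, n in s["by_prefix"].most_common():
        print(f"{n:5d}  {prefix!r}")
    for (proto, dpt), n in s["by_service"].most_common():
        print(f"{n:5d}  {proto}/{dpt or '-'}")
    print("noisy sources:", noisy_sources(s["by_src"], threshold=3))
```

On a real box, feed it with `grep 'kernel:' /var/log/messages` or `dmesg` instead of the constructed sample; the regex tolerates the `[seconds.usec]` printk timestamp dmesg adds.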