on 06/06/2010 12:43 AM Curby wrote the following:
> The problem may be that you're not sure what you should be logging.
> The rules are probably working as expected, but the rules as written
> are bound to be verbose.
> Why do you have these rules? In short, why is it important to you to
> log everything that's not going through the loopback interface?
> Depending on where these rules exist in your chains, they may even log
> packets that you will accept, in which case the "DROP" log prefix is
> incorrect.
>
> I think it may be time to go back to the drawing board. Consider
> carefully what you want to log, and then develop new rules to only log
> those packets. The full ruleset may help us help you further.
>
> --Mike

Here is the full ruleset:

# Generated by iptables-save v1.4.6 on Sun Jun 6 01:00:20 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -i bond0 -j LOG --log-prefix "SPOOFED PKT "
-A INPUT ! -s 192.168.0.0/24 -i bond0 -j DROP
-A INPUT -i bond0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i bond0 -p tcp -m tcp --dport 8888 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i bond0 -p tcp -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i bond0 -p tcp -m tcp --dport 3551 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 10/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A INPUT -i lo -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -s 192.168.0.0/24 -i bond0 -j LOG --log-prefix "SPOOFED PKT "
-A FORWARD ! -s 192.168.0.0/24 -i bond0 -j DROP
-A FORWARD -s 192.168.0.0/24 -i bond0 -m state --state NEW -j ACCEPT
-A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Jun 6 01:00:20 2010
# Generated by iptables-save v1.4.6 on Sun Jun 6 01:00:20 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i bond0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sun Jun 6 01:00:20 2010
# Generated by iptables-save v1.4.6 on Sun Jun 6 01:00:20 2010
*mangle
:PREROUTING ACCEPT [5075158:1310503988]
:INPUT ACCEPT [952099:738925140]
:FORWARD ACCEPT [4112581:569194430]
:OUTPUT ACCEPT [932258:673687313]
:POSTROUTING ACCEPT [5042726:1242782393]
-A PREROUTING -p icmp -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p icmp -j RETURN
COMMIT
# Completed on Sun Jun 6 01:00:20 2010
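The quoted reply raises two questions about this ruleset: can a LOG rule tagged "DROP " fire on packets the chain later accepts, and why is the logging so verbose? As an added check that is not part of the thread, the Python script below parses an abridged copy of the INPUT chain from the posted ruleset (embedded here as constructed input) and, for each LOG rule, walks the rest of its chain to see which verdict actually follows: a DROP with the same match, the chain policy, or a later rule that could still ACCEPT the packet. It also flags ACCEPT rules guarded by `-m limit` that have no matching DROP after them, because a packet over the limit simply fails that match and continues down the chain to the catch-all LOG. The function names (`audit`, `verdict_after_log`, `limit_fallthrough`) and the exclusivity heuristic are this example's own, not part of iptables.

```python
import shlex
from collections import namedtuple

Rule = namedtuple("Rule", "chain match target opts text")

# Constructed input: an abridged copy of the INPUT chain from the posted ruleset.
FILTER_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -i bond0 -j LOG --log-prefix "SPOOFED PKT "
-A INPUT ! -s 192.168.0.0/24 -i bond0 -j DROP
-A INPUT -i bond0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
-A INPUT -i lo -j ACCEPT
COMMIT
"""

def parse_match(tokens):
    # Turn the match part of a rule into ((negated, option, values), ...).
    opts, negate = [], False
    for tok in tokens:
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            opts.append((negate, tok, []))
            negate = False
        else:
            opts[-1][2].append(tok)  # e.g. the second value of --tcp-flags
    return tuple((n, o, tuple(v)) for n, o, v in opts)

def parse_dump(text):
    """Return (chain policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            toks = shlex.split(line)  # keeps "DROP INVALID " as one token
            j = toks.index("-j")
            rules.append(Rule(toks[1], parse_match(toks[2:j]), toks[j + 1], tuple(toks[j + 2:]), line))
    return policies, rules

def exclusive(a, b):
    """True when no single packet can satisfy both matches (conservative: only -i/-o/-p/-s/-d are compared)."""
    for na, oa, va in a:
        for nb, ob, vb in b:
            if oa != ob or oa not in ("-i", "-o", "-p", "-s", "-d"):
                continue
            if va == vb and na != nb:  # "-i lo" versus "! -i lo"
                return True
            if va != vb and not (na or nb) and oa in ("-i", "-o", "-p"):  # "-p udp" versus "-p tcp"
                return True
    return False

def verdict_after_log(rules, idx, policy):
    """What happens to a packet once LOG rule rules[idx] has fired."""
    log = rules[idx]
    for later in rules[idx + 1:]:
        if later.chain != log.chain:
            continue
        if later.match == log.match:
            if later.target in ("ACCEPT", "DROP", "REJECT"):
                return later.target  # identical match: this rule decides
            continue
        if not exclusive(log.match, later.match):
            return "UNCERTAIN: " + later.text  # a later rule may still accept it
    return policy  # reached the end of the chain

def without_limit(match):
    return tuple(m for m in match if m[1] != "--limit" and m[1:] != ("-m", ("limit",)))

def limit_fallthrough(rules):
    """ACCEPT rules with -m limit and no DROP for the same match: over-limit packets continue down the chain."""
    found = []
    for i, r in enumerate(rules):
        if r.target == "ACCEPT" and any(m[1] == "--limit" for m in r.match):
            base = without_limit(r.match)
            if not any(l.chain == r.chain and l.target in ("DROP", "REJECT") and without_limit(l.match) == base
                       for l in rules[i + 1:]):
                found.append(r.text)
    return found

def audit(text):
    """Return ([(chain, log prefix, verdict after LOG), ...], [rate-limited ACCEPT rules that fall through])."""
    policies, rules = parse_dump(text)
    report = []
    for i, r in enumerate(rules):
        if r.target == "LOG":
            prefix = r.opts[r.opts.index("--log-prefix") + 1].strip() if "--log-prefix" in r.opts else ""
            report.append((r.chain, prefix, verdict_after_log(rules, i, policies[r.chain])))
    return report, limit_fallthrough(rules)

if __name__ == "__main__":
    logs, leaks = audit(FILTER_DUMP)
    for chain, prefix, verdict in logs:
        print(f"{chain}: LOG prefix {prefix!r} -> verdict {verdict}")
    for text in leaks:
        print("over-limit packets fall through to later rules:", text)
```

On the posted INPUT chain every LOG prefix is followed by a DROP verdict (the catch-all `! -i lo` LOG can only be followed by the `-i lo` ACCEPT, which no logged packet can match, and the chain policy is DROP), so the prefixes themselves are accurate. The volume comes from elsewhere: the catch-all logs every packet no earlier rule claimed, and the rate-limited ACCEPT rules send their over-limit SYNs and echo requests straight to it. Run against the full posted ruleset, the same check also flags the port 110 and port 25 rules.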