My LOG rules were first so the packets to be rejected were logged first. Is the man page's LOG section wrong? That's where I got the "duplicate rule and change REJECT to LOG" hack. My goal is to log all rejected packets except multicast ones, as those aren't potential attacks (at least within my company's firewall, anyway).

Tom

On Mon, 2003-08-11 at 15:22, jdow wrote:
> Wrong order. Try this one:
> # reject everything else
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j LOG
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j LOG
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j LOG
>
> {^_^}
> ----- Original Message -----
> From: "Tom Ball" <Tom.Ball@xxxxxxx>
>
> > I added logging to the end of my iptables config, but now need to stop
> > logging all the multicast messages being broadcast at work (the point
> > was to notice real security issues). The following rule is accepted,
> > but doesn't suppress anything:
> >
> > # ignore multicast broadcasts
> > -A RH-Lokkit-0-50-INPUT -p udp -m pkttype --pkt-type multicast --dport 0:1023 -j REJECT
> > # reject everything else
> > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j LOG
> > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j LOG
> > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j LOG
> > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> >
> > Does "--pkt-type multicast" work? Is there an alternative way to ignore
> > IPs with destinations of *.*.*.255?

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
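The rule-ordering question in this thread, as an added example that is not part of the mailing-list exchange: a small Python model of iptables first-match chain traversal (LOG is non-terminating, REJECT ends traversal), run over constructed packets against both orders of the chain. The Rule and Packet fields are a simplification of the real matches, and the extra broadcast rule is an assumption added here to cover the x.x.x.255 destinations Tom asks about, since those frames arrive as link-layer broadcast rather than multicast.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    target: str                               # LOG, REJECT, ACCEPT, DROP
    proto: Optional[str] = None               # -p tcp / -p udp
    dports: Optional[Tuple[int, int]] = None  # --dport lo:hi
    syn: bool = False                         # --syn
    pkt_type: Optional[str] = None            # -m pkttype --pkt-type ...

@dataclass
class Packet:
    proto: str
    dport: int
    syn: bool = False
    pkt_type: str = "unicast"                 # unicast | broadcast | multicast

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
            and (not rule.syn or pkt.syn)
            and (rule.pkt_type is None or rule.pkt_type == pkt.pkt_type))

def traverse(chain: List[Rule], pkt: Packet) -> Tuple[str, bool]:
    """First-match walk of a chain. LOG records the packet and traversal
    continues; ACCEPT/DROP/REJECT end it. Returns (verdict, was_logged)."""
    logged = False
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return "POLICY", logged      # no terminating rule matched: chain policy applies

# Tom's order: multicast suppression first, then LOG, then REJECT.
LOG_THEN_REJECT = [
    Rule("REJECT", "udp", (0, 1023), pkt_type="multicast"),
    Rule("LOG", "tcp", (0, 1023), syn=True), Rule("LOG", "udp", (0, 1023)),
    Rule("REJECT", "tcp", (0, 1023), syn=True), Rule("REJECT", "udp", (0, 1023)),
]
# jdow's order: REJECT first, so the LOG rules behind it are never reached.
REJECT_THEN_LOG = [
    Rule("REJECT", "tcp", (0, 1023), syn=True), Rule("REJECT", "udp", (0, 1023)),
    Rule("LOG", "tcp", (0, 1023), syn=True), Rule("LOG", "udp", (0, 1023)),
]
# Assumed extra rule: x.x.x.255 traffic is pkt-type broadcast, not multicast.
SUPPRESS_BCAST_TOO = [Rule("REJECT", "udp", (0, 1023), pkt_type="broadcast")] + LOG_THEN_REJECT

SSH_SYN = Packet("tcp", 22, syn=True)                       # constructed samples
NETBIOS_MCAST = Packet("udp", 137, pkt_type="multicast")
NETBIOS_BCAST = Packet("udp", 137, pkt_type="broadcast")
```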