On Wednesday 19 July 2017 at 10:40:36, Walter H. wrote:

> On Wed, July 19, 2017 11:31, Antony Stone wrote:
> > On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:
> >> I added these rules, and will see which packets are caught
> >>
> >> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: " --log-level 7
> >> -A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]: " --log-level 7
> >> -A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]: " --log-level 7
> >>
> >> and not by these after:
> >>
> >> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> >> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> >> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
> >
> > Note that any packets caught by the first rules will *also* be caught by
> > the second rules (since there is no DROP in between, and the second rule
> > does not exclude INVALID),
>
> how would I exclude INVALID in the second rules?

If you really want to:

-A INPUT -m state ! --state INVALID -j LOG --log-prefix....

Depending on how you enter this rule, you may need to shell-escape the ! so that it doesn't get interpreted by bash etc.

The alternative (IMHO uglier) way of doing it would be:

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix....

Quoting from the iptables man page:

"state
    This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

    [!] --state state
        Where state is a comma separated list of the connection states to match. Possible states are INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error. UNTRACKED meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in raw table."

Antony.

--
This email was created using 100% recycled electrons.

Please reply to the list; please *don't* CC me.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
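As an added example (not part of the thread above, and not written by either poster), the following POSIX shell script puts Antony's negated `! --state INVALID` form into an iptables-restore fragment, so that each packet is logged exactly once with either the "(invalid)" prefix or the plain prefix, and then shows how a defender would read the resulting kernel log: one function counts lines per log prefix and another lists the source addresses that appeared in INVALID entries. The log lines are constructed samples in the format the LOG target writes (hostname `gw`, addresses from the documentation ranges); they are not captured from any real host.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread.
# Emits an iptables-restore ruleset that logs INVALID packets under one prefix
# and every other state under another, then classifies sample log lines.

# Ruleset in iptables-restore syntax. Because the rules live in a quoted
# here-document, the '!' is never seen by an interactive shell, which is one
# way to sidestep the escaping question raised in the thread.
iptables_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: " --log-level 7
-A INPUT -m state ! --state INVALID -j LOG --log-prefix "IP[IN]: " --log-level 7
-A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]: " --log-level 7
-A FORWARD -m state ! --state INVALID -j LOG --log-prefix "IP[FWD]: " --log-level 7
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]: " --log-level 7
-A OUTPUT -m state ! --state INVALID -j LOG --log-prefix "IP[OUT]: " --log-level 7
COMMIT
EOF
}

# Constructed sample kernel log lines (not real traffic) in the layout the
# LOG target produces: the --log-prefix text followed by the packet fields.
sample_log() {
    cat <<'EOF'
Jul 19 10:41:02 gw kernel: IP[IN(invalid)]: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=443 DPT=51234 ACK FIN
Jul 19 10:41:02 gw kernel: IP[IN]: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=34567 DPT=3128 SYN
Jul 19 10:41:03 gw kernel: IP[IN(invalid)]: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=34567 DPT=3128 ACK
Jul 19 10:41:05 gw kernel: IP[FWD(invalid)]: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 PROTO=ICMP TYPE=3 CODE=3
EOF
}

# Count log lines carrying a given prefix, e.g. count_prefix 'IP[IN(invalid)]:'.
# grep -c exits 1 when the count is 0, so the '|| true' keeps 'set -e' scripts alive.
count_prefix() {
    grep -c -F "kernel: $1 " || true
}

# Unique SRC addresses seen in any "(invalid)" line on stdin; a quick way to
# see whether INVALID noise comes from a few peers or is spread out.
invalid_sources() {
    grep -F '(invalid)]:' | sed -n 's/.* SRC=\([^ ]*\).*/\1/p' | sort -u
}

# Sanity check on the ruleset itself: every chain must log INVALID before the
# negated catch-all, otherwise INVALID packets would be logged twice again.
# Prints "ok" when each chain's first LOG rule is the INVALID one.
check_rule_order() {
    iptables_rules | awk '
        /^-A/ && /-j LOG/ {
            chain = $2
            if (!(chain in first)) {
                first[chain] = ($0 ~ /--state INVALID/ && $0 !~ /! --state/) ? "ok" : "bad"
            }
        }
        END {
            for (c in first) if (first[c] != "ok") { print "bad"; exit }
            print "ok"
        }'
}

# Stand-alone run: show the ruleset, then the log summary.
if [ "${1:-}" = "--demo" ]; then
    iptables_rules
    echo "invalid IN lines: $(sample_log | count_prefix 'IP[IN(invalid)]:')"
    echo "normal IN lines:  $(sample_log | count_prefix 'IP[IN]:')"
    echo "invalid sources:"
    sample_log | invalid_sources
    echo "rule order: $(check_rule_order)"
fi
```

Run it with `sh script.sh --demo` to print the ruleset and the summary; the ruleset text can be fed to `iptables-restore` on a host where that is appropriate, and the two log helpers work on any `dmesg` or syslog output produced by these LOG rules.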