  #7  
Old 4th July 2006, 12:33
IPMolester
Junior Member
 
Join Date: Jul 2006
Posts: 2
Improve logging

You could improve logging to get a better idea of what iptables is doing.

So instead of doing a -j REJECT, you could create a dedicated chain for logging the packet before you reject it. Then replace "-j REJECT" with "-j LDROP".

This is from my iptables script; I do drop some packets without logging them since there are simply too many of them.
Quote:
# Create the dedicated drop-and-log chain; jump to it with "-j LDROP" instead of "-j REJECT"
iptables -N LDROP
# Silently drop the noisiest traffic (NetBIOS/SMB ports on the external interface) without logging
iptables -A LDROP -p tcp -i eth1 --dport 135 -j DROP
iptables -A LDROP -p tcp -i eth1 --dport 139 -j DROP
iptables -A LDROP -p udp -i eth1 --dport 137 -j DROP
iptables -A LDROP -p tcp -i eth1 --dport 445 -j DROP
# Log everything else with a per-protocol prefix so kern.log entries are easy to grep
iptables -A LDROP --proto tcp -j LOG --log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-prefix "GRE Drop "
# -f matches second and further IP fragments, which carry no port information
iptables -A LDROP -f -j LOG --log-prefix "FRAG Drop "
# LOG is non-terminating, so the packet continues to the final DROP
iptables -A LDROP -j DROP
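The LDROP chain above only pays off once someone reads what the LOG target writes to kern.log. The following parser is an added example, not part of the post or its author's script: it turns LOG lines carrying the post's "TCP Drop ", "UDP Drop " and "ICMP Drop " prefixes into records, counts drops per prefix and per destination service, and flags any single source whose dropped packets touch several distinct ports. The log excerpt is constructed for this example (RFC 5737 documentation addresses, made-up MAC and host name) in the field layout the LOG target actually emits; the threshold in find_port_sweeps is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of kern.log lines as written by the iptables LOG target
# (syslog header, "kernel:", the --log-prefix text, then KEY=VALUE fields).
# Addresses are RFC 5737 documentation ranges; the last line is an unrelated
# sshd message included to show that non-LOG lines are ignored.
SAMPLE_LOG = """\
Jul  4 12:33:01 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:33:02 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:33:02 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=43212 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:33:03 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=43213 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:33:05 gw kernel: UDP Drop IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=UDP SPT=5353 DPT=1900 LEN=58
Jul  4 12:33:06 gw kernel: ICMP Drop IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Jul  4 12:33:07 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=7 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:33:08 gw sshd[123]: Accepted publickey for admin from 198.51.100.44 port 51001 ssh2
"""

# Everything between "kernel:" (optionally followed by a [timestamp]) and the
# first "IN=" is the --log-prefix text; the rest is KEY=VALUE fields.
LOG_RE = re.compile(r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)(?P<fields>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one syslog line; return a dict of fields, or None if it is not a LOG target line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    # Bare flags such as DF and SYN carry no '=' and are skipped; for ICMP the
    # second ID= (echo identifier) overwrites the IP header ID, which is fine here.
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value
    # Ports exist only for TCP/UDP; normalise to int or None so callers need no special cases.
    rec["SPT"] = int(rec["SPT"]) if rec.get("SPT") else None
    rec["DPT"] = int(rec["DPT"]) if rec.get("DPT") else None
    return rec


def parse_log(text):
    """Parse a whole log file's text into the list of LOG target records it contains."""
    records = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Count drops per log prefix, per (protocol, destination port) and per source address."""
    by_prefix = Counter(r["prefix"] for r in records)
    by_service = Counter((r.get("PROTO"), r["DPT"]) for r in records if r["DPT"] is not None)
    by_src = Counter(r.get("SRC") for r in records)
    return {"by_prefix": by_prefix, "by_service": by_service, "by_src": by_src}


def find_port_sweeps(records, min_ports=3):
    """Return {source: sorted ports} for sources whose dropped packets hit at least
    min_ports distinct destination ports (min_ports is an assumed threshold, not a standard)."""
    ports = defaultdict(set)
    for r in records:
        if r["DPT"] is not None:
            ports[r["SRC"]].add(r["DPT"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    report = summarize(recs)
    print("drops by prefix:", dict(report["by_prefix"]))
    print("drops by service:", dict(report["by_service"]))
    print("top sources:", report["by_src"].most_common(3))
    print("sources touching many ports:", find_port_sweeps(recs))
```

On a real box, feed the script `/var/log/kern.log` (or the output of `journalctl -k`) instead of SAMPLE_LOG. One operational caveat belongs next to any LOG rule: the LOG target has no built-in limit, so a burst of unwanted traffic can fill the log partition; the `limit` match (`-m limit --limit 5/min --limit-burst 10`, a standard iptables extension) in front of each LOG rule keeps the volume bounded while the final DROP still applies to every packet.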