iptables syslog

Discussion in 'Installation/Configuration' started by stefanr, Dec 31, 2005.

  1. stefanr

    stefanr New Member HowtoForge Supporter

    Hello,

    My installation of ISPConfig works fine, and my welcome messages work now also, thanks to falko.
    I have another question about iptables. The firewall of ISPConfig works fine (I think so), but I get no log information in any log file in /var/log/.

    I have no idea how to fix this problem. How can I start the firewall of the ISPConfig tool so that the messages from the firewall are logged to /var/log/firewall.log?

    My iptables -L on the console lists this:

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere 127.0.0.0/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level info
    DROP all -- anywhere anywhere
    LOG all -- anywhere anywhere LOG level notice
    LOG all -- anywhere anywhere LOG level debug
    LOG all -- anywhere anywhere limit: avg 5/min burst 3 LOG level debug

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (16 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (3 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:www
    PAROLE tcp -- anywhere anywhere tcp dpt:81
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:10000
    PAROLE tcp -- anywhere anywhere tcp dpt:imap2
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
    PAROLE tcp -- anywhere anywhere tcp dpt:socks
    PAROLE tcp -- anywhere anywhere tcp dpt:14534
    PAROLE tcp -- anywhere anywhere tcp dpt:8767
    PAROLE tcp -- anywhere anywhere tcp dpt:1452
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (3 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere


    My /etc/syslog.conf:

    # /etc/syslog.conf Configuration file for syslogd.
    #
    # For more information see syslog.conf(5)
    # manpage.

    #
    # First some standard logfiles. Log by facility.
    #

    auth,authpriv.* /var/log/auth.log
    *.*;auth,authpriv.none -/var/log/syslog
    #cron.* /var/log/cron.log
    daemon.* -/var/log/daemon.log
    #kern.* -/var/log/kern.log
    lpr.* -/var/log/lpr.log
    mail.* -/var/log/mail.log
    user.* -/var/log/user.log
    uucp.* /var/log/uucp.log
    kern.notice;kern.!warn /var/log/firewall.log
    kern.warn -/var/log/kern.log


    #
    # Logging for the mail system. Split it up so that
    # it is easy to write scripts to parse these files.
    #
    mail.info -/var/log/mail.info
    mail.warn -/var/log/mail.warn
    mail.err /var/log/mail.err

    # Logging for INN news system
    #
    news.crit /var/log/news/news.crit
    news.err /var/log/news/news.err
    news.notice -/var/log/news/news.notice

    Has anyone an idea what I can do to log the firewall messages in /var/log/firewall.log?

    I wish everyone a happy new year.

    STEFAN
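Before looking at syslog at all, the listing above has a rule-order property worth checking: in INPUT, an unconditional "DROP all -- anywhere anywhere" sits before every LOG rule, and PUB_IN ends in an unconditional DROP, so a packet can be dropped without ever reaching a LOG target. The script below is an added example (not from this thread, Bastille or ISPConfig) that parses `iptables -L` text and flags LOG rules shadowed by an earlier catch-all terminal rule in the same chain. It assumes the plain five-column `-L` layout (with or without `-n`, but without `-v`); SAMPLE is a constructed, abridged version of the posted listing.

```python
"""Spot iptables LOG rules that can never match because an earlier rule in the
same chain already terminates every packet.

Added example, not code from the thread or from Bastille/ISPConfig. It reads
the plain-text layout of `iptables -L` (or `iptables -L -n`, without -v) and
assumes five fixed columns target/prot/opt/source/destination followed by
optional match text. Usage: iptables -L | python3 shadowed_log.py
"""
import sys

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}   # targets that end traversal of the chain
ANY_ADDR = {"anywhere", "0.0.0.0/0", "::/0"}       # -L and -L -n spellings of "any host"

# Constructed sample in the shape of the listing posted above (abridged)
SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 3 LOG level debug

Chain PUB_IN (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG tcp -- anywhere anywhere tcp dpt:ssh LOG level info
DROP all -- anywhere anywhere
"""


def parse_chains(text):
    """Return {chain_name: [token_list, ...]} in rule order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is None or line.startswith("target "):
            continue                      # column header, or text before the first chain
        else:
            tokens = line.split()
            if len(tokens) >= 5:
                chains[current].append(tokens)
    return chains


def is_unconditional(tokens):
    """True when a rule matches every packet: protocol all, any source and
    destination, and no match text (state, limit, dpt:...). REJECT's own
    'reject-with' option is target text, not a match, so it is ignored."""
    _target, proto, _opt, src, dst, *extra = tokens
    if extra and extra[0] == "reject-with":
        extra = []
    return proto == "all" and src in ANY_ADDR and dst in ANY_ADDR and not extra


def find_shadowed_log_rules(text):
    """Return (chain, rule_no, rule_text, blocking_rule_no) for every LOG rule
    that follows an unconditional terminal rule in its chain."""
    found = []
    for chain, rules in parse_chains(text).items():
        blocker = None
        for n, tokens in enumerate(rules, start=1):
            if blocker is not None and tokens[0] == "LOG":
                found.append((chain, n, " ".join(tokens), blocker))
            if blocker is None and tokens[0] in TERMINAL and is_unconditional(tokens):
                blocker = n
    return found


def report(text):
    """Human-readable summary; empty string when nothing is shadowed."""
    lines = [f"{chain}: rule {n} never fires, rule {b} already matches everything: {rule}"
             for chain, n, rule, b in find_shadowed_log_rules(text)]
    return "\n".join(lines)


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(report(data) or "no shadowed LOG rules")
```

A jump to a user-defined chain such as PUB_IN is deliberately not treated as terminal, because the chain may RETURN; only ACCEPT, DROP, REJECT and RETURN end the walk through a chain.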
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You can enable logging in the Bastille firewall configuration. You must change the file in:

    /etc/Bastille/bastille-firewall.cfg

    and the master template:

    /root/ispconfig/isp/conf/bastille-firewall.cfg.master

    Then restart the firewall:

    /etc/init.d/bastille-firewall restart
     
  3. stefanr

    stefanr New Member HowtoForge Supporter

    Thanks for your fast reply.
    My file
    /etc/Bastille/bastille-firewall.cfg

    snip
    # 2) services for which we want to log access attempts to syslog (all systems)
    # Note this only audits connection attempts from public interfaces
    #
    # Also see item 12, LOG_FAILURES
    #
    #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
    # anyone probing for BackOrifice?
    #UDP_AUDIT_SERVICES="31337"
    # how about ICMP?
    #ICMP_AUDIT_TYPES=""
    #ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
    #
    # To enable auditing, you must have syslog configured to log "kern"
    # messages of "info" level; typically you'd do this with a line in
    # syslog.conf like
    # kern.info /var/log/messages
    # though the Bastille port monitor will normally want these messages
    # logged to a named pipe instead, and the Bastille script normally
    # configures syslog for "kern.*" which catches these messages
    #
    # Please make sure variable assignments are on single lines; do NOT
    # use the "\" continuation character (so Bastille can change the
    # values if it is run more than once)
    #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
    #UDP_AUDIT_SERVICES="31337"
    #ICMP_AUDIT_TYPES=""

    and this entry

    IP_LOG_LEVEL=6 # iptables/netfilter default

    snip


    I understood this to mean that the files are OK and the logging must work, but no entry appears in any file in /var/log/.

    My file /etc/sysconfig I have also changed to:

    # /etc/syslog.conf Configuration file for syslogd.
    #
    # For more information see syslog.conf(5)
    # manpage.

    #
    # First some standard logfiles. Log by facility.
    #

    auth,authpriv.* /var/log/auth.log
    *.*;auth,authpriv.none -/var/log/syslog
    #cron.* /var/log/cron.log
    daemon.* -/var/log/daemon.log
    #kern.* -/var/log/kern.log
    lpr.* -/var/log/lpr.log
    mail.* -/var/log/mail.log
    user.* -/var/log/user.log
    uucp.* /var/log/uucp.log
    kern.notice;kern.!warn;kern.info /var/log/firewall.log
    kern.warn -/var/log/kern.log


    What else can go wrong?

    After all my changes I ran /etc/init.d/sysklogd restart, and restarted the firewall.

    What can go wrong?

    STEFAN
     
    Last edited: Dec 31, 2005
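Whether a kernel message reaches /var/log/firewall.log is a question of selector arithmetic in syslog.conf. Bastille's IP_LOG_LEVEL=6 is syslog priority info; the selector kern.notice;kern.!warn in the first syslog.conf keeps only the notice priority, while the catch-all *.* line still routes kern.info to /var/log/syslog, and the revised line with ;kern.info appended re-adds info and above. The script below is an added example, not from the thread or from sysklogd, that reimplements the sysklogd syslog.conf(5) selector rules and reports where a given facility/priority is routed. ORIGINAL and REVISED are constructed from the relevant lines of the two syslog.conf versions posted above.

```python
"""Trace which files a message reaches under a sysklogd-style syslog.conf.

Added example, not from the thread or from sysklogd. It reimplements the
selector semantics of syslog.conf(5) for sysklogd: 'fac.pri' logs that
priority and everything more severe, '=pri' only that priority, '!pri'
removes that priority and everything more severe, '!=pri' removes one
priority, 'none' removes the facility, '*' means all, and the selectors on a
line are applied left to right so later ones override earlier ones. A leading
'-' on a file path only disables sync-after-write and is not part of the name.
"""
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Relevant lines of the syslog.conf posted above, as first shown ...
ORIGINAL = """\
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
kern.notice;kern.!warn /var/log/firewall.log
kern.warn -/var/log/kern.log
"""
# ... and after the edit that appends ';kern.info' to the firewall line
REVISED = ORIGINAL.replace("kern.notice;kern.!warn ", "kern.notice;kern.!warn;kern.info ")


def level(name):
    """Numeric priority: 0 = emerg (most severe) .. 7 = debug."""
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector_field, facility, prio):
    """Apply 'fac[,fac].pri;fac.pri;...' left to right to one (facility, prio)."""
    logged = False
    for sel in selector_field.split(";"):
        facs, _, pri = sel.strip().rpartition(".")
        facs = facs.split(",")
        if facility not in facs and "*" not in facs:
            continue
        if pri == "none":                       # drop the facility entirely
            logged = False
        elif pri == "*":                        # every priority
            logged = True
        elif pri.startswith("!="):              # remove exactly this priority
            logged = logged and prio != level(pri[2:])
        elif pri.startswith("!"):               # remove this priority and more severe
            logged = logged and prio > level(pri[1:])
        elif pri.startswith("="):               # add exactly this priority
            logged = logged or prio == level(pri[1:])
        else:                                   # add this priority and more severe
            logged = logged or prio <= level(pri)
    return logged


def route(config_text, facility, priority_name):
    """Files (in config order) that receive a facility.priority message."""
    prio, targets = level(priority_name), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)             # selector field, then the action
        if len(parts) != 2:
            continue
        selector, action = parts[0], parts[1].strip()
        if action.startswith("-"):              # '-' = no fsync, not part of the path
            action = action[1:]
        if selector_matches(selector, facility, prio):
            targets.append(action)
    return targets


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("revised", REVISED)):
        for pri in ("info", "notice", "warning"):
            print(f"{label:8} kern.{pri:8} -> {route(cfg, 'kern', pri)}")
```

The simulation shows that kern.info (IP_LOG_LEVEL=6) never reaches /var/log/firewall.log under the first file, only /var/log/syslog, and that appending ;kern.info is what brings it to firewall.log; it also shows the two files fill independently, so an empty firewall.log next to an empty syslog points at the firewall rules rather than at syslog.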
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    I guess you have to uncomment e.g. this line in the bastille configuration:

    TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"

    to log connection attempts to the listed services.

    Or you set the line:

    LOG_FAILURES="N"

    to:

    LOG_FAILURES="Y"

    if you want to log connection failures.
     
  5. stefanr

    stefanr New Member HowtoForge Supporter


    Hey till, very kind of you, but I have changed the things that you said and I can't find any logs :-( What am I doing wrong?
    I've opened iptables -A INPUT -j LOG --log-level notice,
    can this be the problem? I thought before that the firewall is only an iptables command.
     
  6. FeraTechInc

    FeraTechInc ISPConfig Developer ISPConfig Developer

    Uhh... well I did all this. Now... where is the log file?

    I can't find anything in /var/log. There is no iptables or bastille log file?

    Can somebody help me out?
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's in /etc/Bastille/bastille-firewall.cfg?
    Have you tried to restart the firewall?
     
  8. wpwood3

    wpwood3 New Member

    Answer to an old question

    I know this is an old thread but I recently enabled logging in Bastille and finally found where it logs.

    The log entries appear in /var/log/messages

    I made some iptables rule changes and wanted to verify they were working so I edited /etc/Bastille/bastille-firewall.cfg and changed LOG_FAILURES to "Y" and then restarted Bastille with /etc/init.d/bastille-firewall restart

    Since I only plan to allow logging temporarily, I did not edit /root/ispconfig/isp/conf/bastille-firewall.cfg.master. As till mentioned, you have to edit this file too if you don't want your changes to be overwritten when you reboot.

    A word of warning...
    Turning this on can generate LOTS of log entries in a very short period of time. I would not advise setting LOG_FAILURES="Y" and forgetting about it!
     
    Last edited: Jan 29, 2008
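With LOG_FAILURES="Y" the kernel writes one key=value line to /var/log/messages for every packet the LOG rules see, which is why the volume warning above matters. The script below is an added example (not from the thread or from Bastille) that summarises those lines by protocol and destination port and by source address, so a temporary logging run can be reviewed and switched off again; it assumes the standard netfilter LOG line layout ("IN=... SRC=... PROTO=... DPT=...") behind the "kernel:" tag, and the sample lines are constructed.

```python
"""Summarise netfilter LOG lines from /var/log/messages.

Added example, not from the thread or from Bastille. It assumes the standard
key=value layout the kernel LOG target writes behind the 'kernel:' syslog tag;
bare flags such as DF and SYN carry no '=' and are ignored.
Usage: python3 fwlog_summary.py /var/log/messages   (no argument: the sample)
"""
import re
import sys
from collections import Counter

PAIR = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines (MAC= field omitted for brevity), including one
# ordinary kernel message that must not be counted
SAMPLE = """\
Jan 29 10:15:01 server kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 10:15:02 server kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 10:15:03 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=7 PROTO=UDP SPT=1025 DPT=31337 LEN=28
Jan 29 10:15:04 server kernel: eth0: link is up
Jan 29 10:15:05 server kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12347 DF PROTO=TCP SPT=43212 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 10:15:06 server kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
"""


def parse_log_line(line):
    """Return the key=value fields of one netfilter LOG line, or None for any
    other message (no 'kernel:' tag, or no IN= field after it)."""
    _, tag, rest = line.partition("kernel:")
    if not tag or "IN=" not in rest:
        return None
    return dict(PAIR.findall(rest))


def summarize(text):
    """Count logged packets per (PROTO, DPT) and per source address.
    ICMP has no port, so its key is (PROTO, '-')."""
    by_service, by_source = Counter(), Counter()
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        by_service[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
        by_source[fields.get("SRC", "?")] += 1
    return by_service, by_source


def noisy_sources(by_source, threshold):
    """Sources with at least `threshold` logged packets, busiest first."""
    return [(src, n) for src, n in by_source.most_common() if n >= threshold]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    by_service, by_source = summarize(text)
    print("packets per protocol/port:")
    for (proto, dpt), n in by_service.most_common():
        print(f"  {proto:5} {dpt:>6}  {n}")
    print("busiest sources (>= 2 packets):")
    for src, n in noisy_sources(by_source, 2):
        print(f"  {src:15}  {n}")
```

Run it against /var/log/messages while LOG_FAILURES is on; once the rule changes are confirmed, the summary is the record to keep, and the setting can go back to "N".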
