Logging iptables

James Kosin jkosin at beta.intcomgrp.com
Wed Dec 7 20:54:48 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Gregory P. Ennis wrote:

<< -- SNIP -- >>

>Mike,
>
>Thanks for the response. Here are my iptables entries
>
>:LOG_9100 - [0:0]
>-A FORWARD -s ###.###.###.### -p tcp --sport 9100 -j LOG_9100
>
>where ###.###.###.### is the ip address I am using.
>
>-A LOG_9100 -j LOG --log-prefix "[IPTABLES 9100 DROP] : " \
>   --log-tcp-options --log-ip-options
>-A LOG_9100 -j REJECT --reject-with icmp-port-unreachable
>
>
Greg,

(1)  This rule needs to be before any -j ACCEPT rules for the chain.
The problem may be just that... or:
(2)  The IP needs to be on a machine you are doing the FORWARDING for
and not your local IP.  The local IP is not technically forwarded,
since it is a direct connection.
(3)  Be sure you are not using NAT or any other related services.  NAT
and PREROUTING rules take effect before the filter rules in the chain.

Probably, the best place for the rule would be the INPUT or OUTPUT
chain and not the FORWARD chain.

Good Luck,
James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFDl0wYkNLDmnu1kSkRA9CNAJ4hh19dQppj6BaGFeDRhPOlxGPuVACeKcbS
mI5aNn0y9xm/8Icoaqpw1cc=
=/yMH
-----END PGP SIGNATURE-----
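Added example (not part of the thread): the poster's rules rebuilt in iptables-restore form, with 192.0.2.10 (a TEST-NET-1 address) standing in for the masked "###.###.###.###", plus two small checks for the points James raises: that the jump to LOG_9100 comes before any ACCEPT in its chain, and that a FORWARD rule does not name one of this host's own addresses. The check functions, the `ruleset` generator and the ESTABLISHED,RELATED ACCEPT rule are assumed here for illustration; they are not from the original messages.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an iptables-restore
# ruleset that logs and rejects TCP traffic with source port 9100 from one
# host, and checks the ordering/chain pitfalls discussed above.

# Emit the filter table. $1 = chain to hook: FORWARD when the source is a
# host this box routes for, INPUT when the source talks to this box directly.
# $2 = source address (192.0.2.10 below is a constructed stand-in).
ruleset() {
    chain=$1
    src=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_9100 - [0:0]
-A $chain -s $src -p tcp --sport 9100 -j LOG_9100
-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOG_9100 -j LOG --log-prefix "[IPTABLES 9100 DROP] : " --log-tcp-options --log-ip-options
-A LOG_9100 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Read iptables-save text on stdin. Return 0 if, in every chain that jumps
# to LOG_9100, that jump appears before the chain's first ACCEPT; otherwise
# name the offending chain and return 1 (James's point 1: an earlier ACCEPT
# swallows the packet and the LOG rule never fires).
check_order() {
    awk '
        BEGIN { bad = 0 }
        /^-A / {
            chain = $2
            if ($0 ~ /-j LOG_9100( |$)/ && !(chain in logpos)) logpos[chain] = NR
            if ($0 ~ /-j ACCEPT( |$)/  && !(chain in accpos)) accpos[chain] = NR
        }
        END {
            for (c in logpos)
                if ((c in accpos) && accpos[c] < logpos[c]) {
                    print "ACCEPT precedes LOG_9100 in chain " c
                    bad = 1
                }
            exit bad
        }'
}

# Read iptables-save text on stdin; arguments are this host's own addresses.
# Return 1 if any FORWARD rule matches on one of them with -s or -d (James's
# point 2: locally originated/terminated traffic never traverses FORWARD,
# so such a rule belongs in INPUT or OUTPUT). /32 suffixes are tolerated.
check_forward_local() {
    awk -v locals="$*" '
        BEGIN {
            bad = 0
            n = split(locals, a, " ")
            for (i = 1; i <= n; i++) islocal[a[i]] = 1
        }
        /^-A FORWARD / {
            for (i = 3; i < NF; i++) {
                if ($i == "-s" || $i == "-d") {
                    addr = $(i + 1)
                    sub("/32$", "", addr)
                    if (addr in islocal) {
                        print "FORWARD rule names local address " addr ": " $0
                        bad = 1
                    }
                }
            }
        }
        END { exit bad }'
}

# Stand-alone demo: the rules as posted (FORWARD chain) pass the order
# check; if 192.0.2.10 were this box's own address they should move to INPUT.
ruleset FORWARD 192.0.2.10 | check_order && echo "rule order: ok"
ruleset FORWARD 192.0.2.10 | check_forward_local 192.0.2.10 \
    || echo "source is this host: use INPUT, not FORWARD"
```

To apply the generated table, `ruleset INPUT 192.0.2.10 | iptables-restore` as root replaces the whole filter table, so merge it with any existing rules first; `iptables-save | check_order` runs the ordering check against the live rules without changing anything.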
