iptables and config-securitylevel

James Kosin jkosin at beta.intcomgrp.com
Thu Feb 3 14:16:53 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Harry Putnam wrote:

|I'd like to use the system-config-securitylevel tools to create a
|basic firewall then add a few things.  Mainly some extra logging.
|
|`iptables-save' gives me the basic script:
|   # Generated by iptables-save v1.2.11 on Wed Feb  2 20:28:24 2005
|  *filter
|
|[...]
|
|This appears to be the only outright reject rule
|(Wrapped for mail)
|
|  -A RH-Firewall-1-INPUT -j REJECT --reject-with
|  icmp-host-prohibited
|
|So I want to add logging to it then use iptables-restore to run it.
|Just can't see easily how to add logging.
|
|This will not load when I run iptables-restore
|
|-A RH-Firewall-1-INPUT -j REJECT --reject-with
| icmp-host-prohibited  LOG
|
|(Wrapped for mail but really one line)
|
What you have to do is take a look at the flow of messages.  You can't
LOG and REJECT on the same line.  What you have to do is place another
line just above this line that looks almost identical only you replace
"-j REJECT --reject-with icmp-host-prohibited"  with "-j LOG" ....
So as the packet flows along down the path, it will get logged....
then continue on and get rejected.

Just do some refresher reading on Google about iptables.  You should
get some very good information.

James

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFCAjJVkNLDmnu1kSkRApS4AJwJQVOTYcWT7+h8YpymHCnpu6yzXwCfYimW
ZW0mtHtCc/4cNVeLxkU3x9s=
=dkMx
-----END PGP SIGNATURE-----
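A worked version of the advice above, added here as an example and not part of the original thread: a small filter that takes an iptables-save dump on stdin and emits a LOG rule immediately before the chain's terminating REJECT, so the result can be fed straight to iptables-restore. LOG is a non-terminating target, so a packet that hits it is written to the kernel log and then falls through to the very next rule, the REJECT. The `-m limit` match, the `--log-prefix` text and the sample ruleset (apart from the REJECT line quoted in the post) are this example's own choices; the other RH-Firewall-1-INPUT rules are a constructed stand-in for the part the post elides.

```shell
#!/bin/sh
# Example (not from the original post): add a LOG rule directly above the
# final REJECT of RH-Firewall-1-INPUT in an iptables-save dump.
#
# Why the extra line instead of "-j REJECT ... LOG": a rule has exactly one
# target.  LOG does not stop traversal, so placing it one rule earlier makes
# the packet get logged and then, on the next rule, rejected.

# Filter: stdin = iptables-save output, stdout = same ruleset plus the LOG rule.
add_log_before_reject() {
    awk '
    # Match the terminating REJECT exactly as iptables-save 1.2.11 printed it
    # in the post.  If the line differs on your box, nothing is inserted.
    /^-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited$/ {
        # Rate limit (5/min, burst 10) is an assumption for this example; it
        # stops a port scan from flooding syslog.  Packets not matched by the
        # limit skip the LOG rule and are still rejected by the next rule.
        print "-A RH-Firewall-1-INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"RH-FW-REJECT: \" --log-level 4"
    }
    { print }   # every original line is passed through unchanged
    '
}

# Constructed sample dump standing in for the "[...]" in the post; only the
# REJECT line is taken from the original message.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Show the transformed ruleset when run directly.
sample_dump | add_log_before_reject
```

On a real system the flow is `iptables-save | add_log_before_reject > /root/firewall.rules`, then `grep -c -e '-j LOG' /root/firewall.rules` to confirm exactly one rule was inserted (the awk pattern is anchored to the exact REJECT line, so a differently worded line means a silent no-op), then `iptables-restore < /root/firewall.rules`. The same ordering can be achieved on the live chain with `iptables -I RH-Firewall-1-INPUT N ...`, where N is the position of the REJECT rule shown by `iptables -L RH-Firewall-1-INPUT -n --line-numbers`; inserting at N pushes the REJECT down one slot so LOG sits directly above it.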




More information about the fedora-list mailing list