Iptables rules problem

Pete Nesbitt pete at linux1.ca
Fri Oct 15 04:56:43 UTC 2004


On October 14, 2004 06:13 pm, menonrr at jmu.edu wrote:
> 10/14
>
> Hello,
>
> I needed to send my syslog from 192.16.1.10 (firewall/GW) to
> 192.168.1.3, the logserver. The syslogging worked. But since I
> am monitoring all connections going to the internal
> network(eth0) from outside, the log was filled with the syslog
> connections from the gateway to the logserver.
>
> So I gave 2 rules to help me with that:
>
> To log the syslog traffic (just testing syslog)
>
> #$IPTABLES -A OUTPUT -o eth0 -p udp -s 192.168.1.10/32
> --source-port 514 -d 192.168.1.3/32 --destination-port 514 -m
> limit --limit 15/minute --limit-burst 10 -j LOG --log-prefix
> "Syslog traffictoTest: " # Log packets going to 192.168.1.0
>
> (Rule I really need to log inbound traffic)
>
> #$IPTABLES -A OUTPUT -o eth0 -p udp --destination-port ! 514
> -m limit --limit 1/second --limit-burst 10 -j LOG --log-prefix
> "Output packetsToTest: " # Log packets entering testnet except
> udp 514 for syslog
>
> ----------------
> The Problem:
>
> -----------------
> Only the syslog traffic is received. I lost all logging of
> inbound traffic.
>
> I would appreciate some help on this.
>
> Thanks.
> Menon


Hi,
Shouldn't those be INPUT chains? If this is on the FW/GW, then you want to log 
the FORWARD chain, because an external packet (e.g. from the internet) destined for an 
internal network only goes through the FORWARD chain, not INPUT or OUTPUT.

Is it only udp traffic you want to log? 

It looks like you are currently logging (if on the FW/GW):
a) outbound udp to 192.168.1.3 port 514 (syslog) ... but on eth0??
b) outbound udp originating on the FW/GW (not to port 514)

If my interpretation of the setup is all wrong, please post more details.
-- 
Pete Nesbitt, rhce
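The chain choice Pete describes, as an added example that is not part of the thread: the syslog datagrams originate on the gateway and so belong to OUTPUT, while internet-to-LAN packets are routed and therefore only traverse FORWARD. The external interface name ext0, the variable names and the dry-run default (IPTABLES unset prints the commands instead of running them) are assumptions of this example.

```shell
#!/bin/sh
# Corrected logging rules for the gateway discussed above.
# Assumptions (not from the original post): external interface ext0,
# internal interface eth0, gateway 192.168.1.10, log server 192.168.1.3.
# With IPTABLES unset the functions only print the commands (dry run).
EXT_IF="${EXT_IF:-ext0}"
INT_IF="${INT_IF:-eth0}"
GW_IP="${GW_IP:-192.168.1.10}"
LOGSRV="${LOGSRV:-192.168.1.3}"
IPTABLES="${IPTABLES:-echo iptables}"

# Syslog leaves the gateway itself, so it is an OUTPUT-chain packet.
# Log it only while testing the syslog setup, rate limited.
syslog_test_rule() {
    $IPTABLES -A OUTPUT -o "$INT_IF" -p udp -s "$GW_IP" -d "$LOGSRV" \
        --dport 514 -m limit --limit 15/minute --limit-burst 10 \
        -j LOG --log-prefix "Syslog trafficToTest: "
}

# Packets from the internet to the internal LAN are routed through the
# gateway, so they traverse FORWARD only, never INPUT or OUTPUT.
# Matching the interface pair keeps the gateway's own syslog datagrams
# out of this log, since they never enter on EXT_IF. All protocols are
# logged, not just udp.
inbound_forward_rule() {
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m limit --limit 1/second --limit-burst 10 \
        -j LOG --log-prefix "Inbound packetsToTest: "
}

# Variant that keeps the original post's udp-only, "everything but 514"
# intent. Newer iptables wants the negation before the option
# ("! --dport 514") rather than the older "--dport ! 514".
inbound_forward_udp_rule() {
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p udp ! --dport 514 \
        -m limit --limit 1/second --limit-burst 10 \
        -j LOG --log-prefix "Inbound udpToTest: "
}

apply_rules() {
    syslog_test_rule
    inbound_forward_rule
}
```

Run with `IPTABLES=/sbin/iptables` (as root) to apply the rules instead of printing them.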



