More info: IPtables rule problem: ATT- Pete Nesbitt :- Pls disregard earlier one-same subject

Pete Nesbitt pete at linux1.ca
Sat Oct 16 03:00:17 UTC 2004


On October 15, 2004 08:07 am, menonrr at jmu.edu wrote:
> 10/15
>
> Hello Pete Nesbitt,
>
> Thank You for the response. I am sorry that I did not include
> the problem details from the earlier mail for reference. Hence
> please disregard the earlier mail with the same subject.
>
> Clarification:
>
> The gateway's external interface is 'eth1'. The internal
> interface is 'eth0'.
>
> Hence your interpretation is right.
>
> a) Log for testing purpose, all syslog traffic from gateway to
> logserver going out through *eth0* to inside. Hence the rule
> is in the OUTPUT chain as the traffic outputs to *eth0* to
> reach the internal network.
>
> b) I know the second rule is wrong. I wanted a rule that logs
> all traffic going to inside through *eth0*, but NOT udp 514
> traffic, as it is dealt with in the earlier rule.
>
> Thanks.
>
>
> Reference:
>
> 10/14
>
> Hello,
>
> I needed to send my syslog from 192.16.1.10 (firewall/GW) to
> 192.168.1.3, the logserver. The syslogging worked. But since I
> am monitoring all connections going to the internal
> network (eth0) from outside, the log was filled with the syslog
> connections from the gateway to the logserver.
>
> So I gave 2 rules to help me with that:
>
> To log the syslog traffic (just testing syslog)
>
> # Log packets going to 192.168.1.0
> #$IPTABLES -A OUTPUT -o eth0 -p udp -s 192.168.1.10/32 --source-port 514 \
>     -d 192.168.1.3/32 --destination-port 514 \
>     -m limit --limit 15/minute --limit-burst 10 \
>     -j LOG --log-prefix "Syslog traffictoTest: "
>
> (Rule I really need to log inbound traffic)
>
> # Log packets entering testnet except udp 514 for syslog
> #$IPTABLES -A OUTPUT -o eth0 -p udp --destination-port ! 514 \
>     -m limit --limit 1/second --limit-burst 10 \
>     -j LOG --log-prefix "Output packetsToTest: "
>
> ----------------
> The Problem:
>
> -----------------
> Only the syslog traffic is received. I lost all logging of
> inbound traffic.
>
> I would appreciate some help on this.
>
> Thanks.
> Menon


Hi Menon,
Since the OUTPUT chain is independent of the FORWARD chain, your log rules are 
completely separate. Also, if you want to log any other traffic originating 
from the FW, just have the 514 log, then the 514 ACCEPT, then catch anything 
after that. No 514's will get that far to be in the 2nd OUTPUT log.

Your forward log entry should be something like:
$IPTABLES -A FORWARD -i eth1 -p tcp -m state --state NEW -j LOG --log-prefix "Inbound TCP from Net Login: "
$IPTABLES -A FORWARD -i eth1 -p udp -j LOG --log-prefix "Inbound UDP from Net Login: "
(Follow that with anything you want to allow in.)

Hope that helps.
-- 
Pete Nesbitt, rhce
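
The ruleset Pete describes, written out as an added example (not code from either poster): the OUTPUT chain logs the syslog stream, ACCEPTs it, and only then logs whatever else the firewall itself sends inside, so no port negation is needed; inbound traffic is logged in FORWARD, the chain it actually traverses. Interfaces and addresses are the ones from the thread (eth0 inside, eth1 outside, gateway 192.168.1.10, logserver 192.168.1.3); the `-o eth0` on the FORWARD rules, the rate limits on the FORWARD LOG rules and the trailing ESTABLISHED,RELATED accept are additions of mine, not something the reply specifies. By default the script only prints the commands (`IPTABLES="echo iptables"`), so it can be run without root; set `IPTABLES=/sbin/iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: IPTABLES expands to
# "echo iptables" and the commands are printed, not applied. Run as root with
# IPTABLES=/sbin/iptables to load them. Assumed layout (from the thread):
# gateway 192.168.1.10, eth0 inside, eth1 outside, logserver 192.168.1.3.
set -eu

IPTABLES=${IPTABLES:-"echo iptables"}   # unquoted below so it splits into two words
INT_IF=${INT_IF:-eth0}
EXT_IF=${EXT_IF:-eth1}
GW_IP=${GW_IP:-192.168.1.10}
LOGSERVER=${LOGSERVER:-192.168.1.3}

# Packets the firewall itself generates towards the inside. Order matters:
# the ACCEPT for syslog sits between the two LOG rules, so syslog packets
# leave the chain before the catch-all LOG and no "! --dport 514" is needed.
output_rules() {
    # 1. log the syslog stream (rate limited; only needed while testing syslog)
    $IPTABLES -A OUTPUT -o "$INT_IF" -p udp -s "$GW_IP" -d "$LOGSERVER" --dport 514 \
        -m limit --limit 15/minute --limit-burst 10 \
        -j LOG --log-prefix "Syslog to logserver: "
    # 2. accept it, which ends traversal for these packets
    $IPTABLES -A OUTPUT -o "$INT_IF" -p udp -s "$GW_IP" -d "$LOGSERVER" --dport 514 -j ACCEPT
    # 3. everything else originating from the firewall
    $IPTABLES -A OUTPUT -o "$INT_IF" \
        -m limit --limit 1/second --limit-burst 10 \
        -j LOG --log-prefix "FW output: "
}

# Traffic from outside to hosts on the inside is routed through the box, so it
# traverses FORWARD only; OUTPUT rules never see it. Rate limits on the LOG
# rules are my addition, so a flood from outside cannot fill the log server.
forward_rules() {
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -m state --state NEW \
        -m limit --limit 1/second --limit-burst 10 \
        -j LOG --log-prefix "Inbound TCP from Net: "
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p udp \
        -m limit --limit 1/second --limit-burst 10 \
        -j LOG --log-prefix "Inbound UDP from Net: "
    # Follow with whatever you want to allow in; replies to sessions started
    # from inside are the usual minimum (assumed, not in the reply).
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

output_rules
forward_rules
```

After loading for real, `iptables -L OUTPUT -n -v --line-numbers` should show the syslog ACCEPT at position 2 with a rising packet counter while the position-3 LOG counter stays flat when only syslog is flowing; if the catch-all still counts syslog packets, the ACCEPT was inserted after it. The script uses `-m state` as the thread does; current iptables prefers `-m conntrack --ctstate`, which takes the same state names.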
