These rules go at the very end of the INPUT and OUTPUT chains, after the state-tracking rules (ESTABLISHED,RELATED) and the accept rules for specific services, so only traffic that nothing else matched reaches them. The "-m limit" match caps the LOG rule only; packets over the limit skip the log and still hit the DROP that follows.
# Default incoming traffic: log (rate-limited) then drop
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -m limit --limit 3/s --limit-burst 8 -j LOG --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "unsolicited "
$IPTABLES -A REJECTLOG -j DROP
# Drop all other incoming traffic (the chain is called REJECTLOG, but the final action is DROP, not REJECT):
$IPTABLES -A INPUT -j REJECTLOG
# Default for all other outgoing traffic: log then drop (no --log-level given, so the LOG target's default, warning, applies):
$IPTABLES -A OUTPUT -m limit --limit 2/s --limit-burst 4 -j LOG --log-prefix "bad outgoing " --log-tcp-sequence --log-ip-options --log-tcp-options --log-uid
$IPTABLES -A OUTPUT -j DROP
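To make the ordering explicit, here is the tail above in the context of a complete (small) rule set. This is an added example, not the original post's script: the service rules (SSH in; DNS, HTTP and HTTPS out) and the interface name eth0 are assumptions chosen for the example. Without an argument the script only prints the iptables commands (dry run); with "apply" it loads them, which needs root.

```shell
#!/bin/sh
# Added example, not the original post's script: the log+drop tail in context,
# so the ordering the post relies on (state tracking, then service rules,
# then the tail) is explicit. The service rules and the interface name are
# assumptions for this example.
# Usage:  sh fw.sh            prints the rules (dry run)
#         sh fw.sh apply      loads them with iptables (needs root)

fw_rules() {
    IPT="$1"            # "iptables", or "echo iptables" for a dry run
    WAN="${2:-eth0}"    # assumed external interface

    # Fresh start for the chains we manage. The chain policy can stay ACCEPT
    # because the tail rules below catch whatever nothing else matched.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -N REJECTLOG 2>/dev/null || true
    $IPT -F REJECTLOG

    # 1. State tracking first: loopback, replies to our own connections,
    #    and INVALID packets dropped early so they never reach the log tail.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # 2. Per-service rules (assumed set; only NEW connections need listing)
    $IPT -A INPUT  -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # 3. The tail from the post, last in each chain. "-m limit" only caps the
    #    LOG rule; packets beyond the limit skip the log and still hit DROP.
    $IPT -A REJECTLOG -m limit --limit 3/s --limit-burst 8 -j LOG --log-level debug \
         --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "unsolicited "
    $IPT -A REJECTLOG -j DROP
    $IPT -A INPUT -j REJECTLOG
    $IPT -A OUTPUT -m limit --limit 2/s --limit-burst 4 -j LOG --log-uid \
         --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix "bad outgoing "
    $IPT -A OUTPUT -j DROP
}

if [ "${1:-}" = "apply" ]; then
    fw_rules iptables "${2:-eth0}"
else
    fw_rules "echo iptables" "${2:-eth0}"
fi
```

The dry run is worth keeping around: piping its output through grep is an easy way to confirm that the REJECTLOG jump really is the last rule appended to INPUT before loading anything on a remote box.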
Iptables and rsyslog
On Debian rsyslog writes the iptables messages to two different files: incoming drops go to /var/log/debug, because the INPUT rule logs at level debug, and outgoing drops go to /var/log/messages, because the OUTPUT rule uses the LOG target's default level, warning. This is the section in rsyslog.conf that handles it (the leading "-" on a file name tells rsyslog not to sync the file after every write):
# Some "catch-all" log files.
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
On CentOS I had to add a line in the rsyslog.conf for debug level messages to even be written anywhere:
*.=debug -/var/log/debug
Move noisy iptables drops elsewhere
I like to log all unsolicited traffic to one place, and rsyslog (the default syslog on CentOS and Debian) can filter messages like this. Having iptables fill up the system logs is not too useful.
$ vim /etc/rsyslog.d/iptables.incoming.conf
:msg, startswith, "unsolicited" -/var/log/iptables.incoming.log
& ~
$ /etc/init.d/rsyslog restart
The first line sends every message whose text starts with "unsolicited" (the --log-prefix of the INPUT rule) to iptables.incoming.log. The second line (the "& ~") applies to the same messages: "&" repeats the previous filter and "~" discards what it matched, so those messages stop here and are not written a second time to /var/log/debug by the catch-all rule. This only works because /etc/rsyslog.d/*.conf is included before the catch-all rules in rsyslog.conf, which is the case on both Debian and CentOS. On rsyslog 7 and later "~" is deprecated and "& stop" is the equivalent. If the filter does not match for you, the kernel message probably does not begin with the prefix: with printk timestamps enabled the text reads "[ 1234.567890] unsolicited ...", and the msg property may also carry a leading space. Use "contains" instead of "startswith" in that case; matching on "unsolicited IN=" keeps it from catching unrelated messages that happen to contain the word.
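Once the messages land in their own file it is easy to get a first summary out of them, and the same data shows why "startswith" can miss. The following is an added example, not part of the original post: the three log lines are constructed (RFC 5737 addresses, a made-up host called "fw") in the format rsyslog writes, and the third one carries the kernel printk timestamp that defeats a "startswith" match but not a "contains" match.

```shell
#!/bin/sh
# Added example, not part of the original post: reading the dedicated
# iptables log once the rsyslog filter is in place. The three log lines
# below are constructed for this example (RFC 5737 addresses, host "fw");
# the third carries the kernel printk timestamp that breaks "startswith".

SAMPLE_LOG='Mar  3 10:15:01 fw kernel: unsolicited IN=eth0 OUT= MAC=00:16:3e:00:00:01:52:54:00:12:34:56:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: unsolicited IN=eth0 OUT= MAC=00:16:3e:00:00:01:52:54:00:12:34:56:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 fw kernel: [ 8123.456789] unsolicited IN=eth0 OUT= MAC=00:16:3e:00:00:01:52:54:00:12:34:56:08:00 SRC=192.0.2.77 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1337 PROTO=UDP SPT=5060 DPT=5060 LEN=40'

# The part rsyslog exposes as the msg property: everything after the
# "kernel: " tag. With printk timestamps this starts with "[ seconds]".
kmsg() { sed 's/^.*kernel: //'; }

# How many lines each rsyslog filter variant would route to the new file.
count_startswith() { kmsg | grep -c '^unsolicited'; }
count_contains()   { kmsg | grep -c 'unsolicited'; }

# Most active source addresses (SRC= field), highest count first.
top_sources() { grep -o 'SRC=[^ ]*' | sed 's/^SRC=//' | sort | uniq -c | sort -rn; }

# Destination proto/port pairs being probed (PROTO= and DPT= fields),
# highest count first. Non-TCP/UDP lines have no DPT and are skipped.
top_ports() {
    awk '{ proto = ""; dpt = ""
           for (i = 1; i <= NF; i++) {
               if ($i ~ /^PROTO=/) proto = substr($i, 7)
               if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
           }
           if (dpt != "") print proto "/" dpt }' | sort | uniq -c | sort -rn
}

# Run it over the constructed sample; on a real box replace the printf
# with: cat /var/log/iptables.incoming.log
echo "startswith would match: $(printf '%s\n' "$SAMPLE_LOG" | count_startswith) of 3 lines"
echo "contains would match:   $(printf '%s\n' "$SAMPLE_LOG" | count_contains) of 3 lines"
echo "top sources:";  printf '%s\n' "$SAMPLE_LOG" | top_sources
echo "top ports:";    printf '%s\n' "$SAMPLE_LOG" | top_ports
```

The grep/awk passes are enough for a quick look at who is knocking on which ports; for anything beyond that, the tools listed at the end of the post (psad, fwlogwatch) parse the same LOG format properly.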
Log rotate
Add the new iptables log to logrotate, either in /etc/logrotate.conf as below or as a drop-in file under /etc/logrotate.d/. Two things to get right: logrotate ignores the daily/weekly interval once a "size" directive is present, so pick one of the two (or use "maxsize", available from logrotate 3.8.1, which combines them), and "rotate" given twice is not an error, the last value simply wins. Also, rsyslog keeps the rotated file open, so it has to reopen its logs after rotation or the freshly created file stays empty; the distribution's own stanza (/etc/logrotate.d/rsyslog on Debian, /etc/logrotate.d/syslog on CentOS) already has a postrotate script that does this, so adding the path to that stanza's file list is the other option.
$ vim /etc/logrotate.conf
/var/log/iptables.incoming.log {
weekly
rotate 6
missingok
create 0660 root root
postrotate
/etc/init.d/rsyslog restart > /dev/null 2>&1 || true
endscript
}
Useful programs to complement this
- Psad (port scan attack detector) offers more logging, lookups on attackers and responding: http://cipherdyne.org/psad/
- fwlogwatch is a useful packet filter / firewall / IDS log analyzer. It can build nice HTML summaries: http://fwlogwatch.inside-security.de/
- A port knocking program like knockknock: http://www.thoughtcrime.org/software/knockknock/