I am a system administrator in a middle school and a Linux enthusiastic newbie and have just installed a RH9 box as Default Gateway using iptables as firewall.

Recently students started finding MSN replicas and are using them. It is a school policy not to allow MSN and I need to stop it. I can find the exe files of MSN easily enough but need to close the MSN traffic on user level and that means the firewall.

I understand that closing port 1863 (MSN) is to no avail since MSN is smart enough to find other ports like 80 to connect. So I need to sniff out the hosts of MSN for IP blocking and am trying to do so with these iptables rules:

Chain FORWARD (policy ACCEPT)
target       prot opt source      destination
msn_packets  tcp  --  anywhere    anywhere     tcp spt:1863
------
Chain msn_packets (1 references)
target       prot opt source      destination
LOG          all  --  anywhere    anywhere     LOG level warning ip-options prefix `MSN packet: '

At first, after making the LOG rule I could not find the log file for iptables, then after some reading, courtesy of Google, I made these adjustments to syslog.conf (bottom entry) after creating the file /var/log/iptables.log.

-------------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

(bla bla, default settings by Red Hat 9)

# Iptables - messages
#*.info;kern.!warning;mail.none;authpriv.none;cron.none  /var/log/iptables.log
kern.warning                                            /var/log/iptables.log
-------------------------

Nothing happens! Not with kern.warning nor with the commented line with #*.info;kern etc. uncommented. How do I get iptables to log into the /var/log/iptables.log file when the LOG rule is activated? BTW the file iptables.log contains the same text as /var/log/messages and I just don't seem to find this info by Google.

I'm in dire need of some help here folks.

Sigurjon, the Icelandic binary Viking net-surfer. (the answer is 42:)
> Chain msn_packets (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning ip-options prefix `MSN packet:
> -------------
> # Iptables - messages
> #*.info;kern.!warning;mail.none;authpriv.none;cron.none
> /var/log/iptables.log
> kern.warning /var/log/iptables.log
> -------------------------
>
> Nothing happens! Not with kern.warning nor with the commented line
> with #*.info;kern etc. uncommented.

That's logical.. Look into syslog and you'll see that it only uses a few standard facilities, each with their own priority settings. The manual page for syslog (or syslog.conf) should tell you that much:

"The facility is one of the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7."

And to complete this:

"The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg). The keywords error, warn and panic are deprecated and should not be used anymore."

And to keep this very short but helpful: "security.warn" would give you all security related issues which are logged through syslog. That could be iptables but also everything security related. The only way to create a fully separate file through syslog (please note the meaning "system logger") is that you could use local0 - local7, but only if the program which does the logging supports this approach. From the top of my mind iptables doesn't.

I think your only option is to start using the ULOG target and use a program to grab the stuff it produces (using ulogd).

> (the answer is 42:)

Bingo!

--
Greetings, Peter
..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc
Sigurjon wrote:
> I am a system administrator in a middle school and a Linux
> enthusiastic newbie and have just installed a RH9 box as Default
> Gateway using iptables as firewall.
>
> Recently students started finding MSN replicas and are using them. It
> is a school policy not to allow MSN and I need to stop it. I can find
> the exe files of MSN easily enough but need to close the MSN traffic on
> user level and that means the firewall.
>
> I understand that closing the port 1863 (MSN) is to no avail since MSN
> is smart enough to find other ports like 80 to connect. So I need to
> sniff out the hosts of MSN for IP blocking and am trying to do so with
> these

How about closing *all* ports through the firewall? Most services have proxies available. I use proxies for http, https, ftp, nntp and ntp. Assuming you have an email server already, that covers most people's needs.

Mark Atherton
On Fri, 21 Nov 2003 15:03:39 +0000, Lion-O wrote:

<snip explanation of problem and syslog internals>
>
> I think your only option is to start using the ULOG target and use a
> program to grab the stuff it produces (using ulogd).
>

There is another solution (of course there is, this is Linux), namely using a different logger. I'm rather fond of syslog-ng; it enables you to filter log messages with regular expressions (as well as the syslog facilities and log-levels) and can redirect log messages to different files based on these filters. netfilter's LOG directive has the option --log-prefix which prefixes the log message with user-defined messages; filtering for these messages allows you to place firewall messages in different files based on the type of infraction identified.

>> (the answer is 42:)
>
> Bingo!

Only if you use Base 13 calculations :)

--
Sometimes one cannot escape living with the burden of regret
Vincent Glotzbach vglotzb at cs dot vu.nl || vglotzb at glotz-its dot nl
gpg public key at http://www.cs.vu.nl/~vglotzb/vglotzb.asc
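The prefix-based filtering Vincent describes (and Peter's point that the kern facility alone cannot separate firewall lines from the rest of the kernel's output), reproduced offline as an added example that is not code from this thread: it parses lines in the format netfilter's LOG target writes to syslog, routes them to files by their --log-prefix the way a syslog-ng match() filter would, and pulls out the SRC hosts the spt:1863 rule logs. The log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict
# Constructed sample of /var/log/messages on the gateway; the "MSN packet: "
# text is what the LOG rule's --log-prefix places before the packet fields.
SAMPLE_MESSAGES = """\
Nov 21 15:03:39 gw kernel: MSN packet: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.23 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=1863 DPT=1045 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Nov 21 15:03:40 gw kernel: MSN packet: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.23 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=1863 DPT=1045 WINDOW=17520 RES=0x00 ACK URGP=0
Nov 21 15:03:41 gw kernel: MSN packet: IN=eth0 OUT=eth1 SRC=203.0.113.80 DST=192.168.1.50 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=7 DF PROTO=TCP SPT=1863 DPT=3201 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Nov 21 15:03:42 gw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=4321 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
Nov 21 15:03:43 gw kernel: eth1: link up, 100Mbps, full-duplex
Nov 21 15:03:44 gw sshd[1234]: Accepted password for admin from 192.168.1.5 port 34567 ssh2
"""

KERNEL_LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ kernel: (?P<body>.*)$")
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_netfilter_line(line):
    """Return (prefix, {field: value}) for a netfilter LOG line, else None."""
    m = KERNEL_LINE.match(line)
    if not m:
        return None                       # not from the kernel at all
    body = m.group("body")
    at = body.find("IN=")
    if at < 0:
        return None                       # kernel message, but not netfilter
    return body[:at], dict(FIELD.findall(body[at:]))

def route_by_prefix(lines, routes, default="/var/log/messages"):
    """Mimic syslog-ng's match() filters: substring of prefix -> target file.
    Returns {file: [lines]}; anything unmatched falls through to `default`."""
    out = defaultdict(list)
    for line in lines:
        target = default
        parsed = parse_netfilter_line(line)
        if parsed:
            target = next((path for needle, path in routes.items()
                           if needle in parsed[0]), default)
        out[target].append(line)
    return dict(out)

def msn_servers(lines, prefix="MSN packet:"):
    """SRC hosts behind the prefix.  The rule matches tcp spt:1863, i.e. replies
    *from* the messaging server, so SRC is the server to block, DST the PC."""
    hosts = set()
    for line in lines:
        parsed = parse_netfilter_line(line)
        if parsed and prefix in parsed[0] and parsed[1].get("SPT") == "1863":
            hosts.add(parsed[1]["SRC"])
    return sorted(hosts)
```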
Thanks a lot guys. I tried using your advice but now my box is acting in a very peculiar way. It started acting up on me before I could implement your advice. But that is another story... When I have found the cure I will proceed with the implementation. Thanks again guys.

Sigurjon, the Icelandic binary Viking net-surfer.
6944804@talnet.is (Sigurjon) wrote in message news:<eba5e4d3.0312010110.1e9a295e@posting.google.com>...
> Thanks a lot guys. I tried using your advice but now my box is acting
> in a very peculiar way.
>
> Sigurjon, the Icelandic binary Viking net-surfer.

To ease things, perhaps I could be so bold as to suggest changing the way you are approaching this task? As far as I know, this could be achieved by using anything from Mandrake 9.2's wizards and the Shorewall firewall to a CD based fire-and-forget solution designed exactly for this purpose. Personally, I would go with the latter. Take a look on http://www.distrowatch.com and you'll see a whole bunch of them. Ones like Devil Linux and Sentry Firewall. The setup for those goes something like this:

1. Burn the cd
2. Save configuration changes to floppy disk
3. Find a pc that boots, and has at least a cd-rom and floppy drive. Keyboard / monitor / mouse may be handy too, but not vital.
4. Boot off the cd
5. Put the floppy disk in
6. Smile

There are also some even cooler ones like this: http://www.zelow.no/floppyfw/index.html

Yeah. You read correctly. It's a firewall / gateway / dns / dhcp server on a >>single floppy disk<<. And it's not the only one either ;)

No more worrying "oh, something has gone wrong with my redhat system." The systems become "read only" - off your CD or (write protected) floppy! Apart from that, they are super-quick to get running. On anything (just about!). Oh, best of all it's more fun. :D