Trouble with logging iptables LOG into a .log file

I am a system administrator in a middle school and a linux
enthusiastic newbie and have just installed a RH9 box as Default
Gateway using iptables as firewall.

Recently students started finding MSN replicas and are using them. It
is a school policy not to allow MSN and I need to stop it. I can find
the exe files of MSN easy enough but need to close the MSN traffic on
user level and that means the firewall.

I understand that closing the port 1863 (MSN) is to no avail since MSN
is smart enough to find other ports like 80 to connect. So I need to
sniff out the hosts of MSN for IP blocking and am trying to do so with
these iptables rules:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
msn_packets  tcp  --  anywhere             anywhere           tcp
spt:1863
------
Chain msn_packets (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level
warning ip-options prefix `MSN packet:

' 

At first, after making the LOG rule I could not find the log file for
iptables, then after some reading, courtesy of Google, I made these
adjustments to syslog.conf (bottom entry) after creating the file
/var/log/iptables.log.
-------------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

(bla bla, default settings by Red Hat 9)

# Iptables - messages
#*.info;kern.!warning;mail.none;authpriv.none;cron.none	/var/log/iptables.log
kern.warning    /var/log/iptables.log
-------------------------

Nothing happens! Not with kern.warning nor with the commented line
with #*.info;kern etc. uncommented.

How do I get iptables to log into the /var/log/iptables.log file when
the LOG rule is activated?

BTW the file iptables.log contains the same text as /var/log/messages
and I just don't seem to find this info by Google.

I'm in dire need of some help here folks.

Sigurjon, the Icelandic binary Viking net-surfer.

(the answer is 42:)
6944804
11/19/2003 11:40:00 PM
comp.os.linux.security


> Chain msn_packets (1 references)
> target     prot opt source               destination         
> LOG        all  --  anywhere             anywhere           LOG level
> warning ip-options prefix `MSN packet:
> -------------
> # Iptables - messages
> #*.info;kern.!warning;mail.none;authpriv.none;cron.none
> /var/log/iptables.log
> kern.warning    /var/log/iptables.log
> -------------------------
>
> Nothing happens! Not with kern.warning nor with the commented line
> with #*.info;kern etc. uncommented.

That's logical.. Look into syslog and you'll see that it only uses a few
standard facilities, each with their own priority settings. The
manual page for syslog (or syslog.conf) should tell you that much:

"The facility is one of the following keywords: auth, authpriv, cron,
daemon, ftp, kern, lpr, mail, mark, news, security (same as auth),
syslog, user, uucp and local0 through local7."

And to complete this:

"The priority is one of the following keywords, in ascending order:
debug, info, notice, warning, warn (same as warning), err, error (same
as err), crit, alert, emerg, panic (same as emerg). The keywords error,
warn and panic are deprecated and should not be used anymore."

And to keep this very short but helpful: "security.warn" would give you
all security related issues which are logged through syslog. That could
be iptables but also everything security related.


The only way to create a fully separate file through syslog (please note
the meaning: "system logger") would be to use local0 - local7, but only if
the program which does the logging supports this approach. Off the top
of my head, iptables doesn't.

I think your only option is to start using the ULOG target and use a
program to grab the stuff it produces (using ulogd).


> (the answer is 42:)

Bingo!


-- 
Groetjes, Peter

..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc
Lion
11/21/2003 3:03:39 PM
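The facility and priority rules Peter quotes from syslog.conf(5) can be checked mechanically. The following is an added example and not code from this thread: a small evaluator of sysklogd-style selector fields, written from the keyword lists quoted above and sysklogd's rules that `fac.pri` means that priority and everything more severe, `fac.!pri` excludes that priority and everything more severe, `fac.none` drops the facility, and selectors apply left to right. Run on the two selector fields from the syslog.conf in the original post, it shows that `*.info;kern.!warning;...` explicitly excludes kern messages at warning and above, which is the level the netfilter LOG target uses unless `--log-level` says otherwise, while `kern.warning` does catch them. (Separately, syslogd only re-reads syslog.conf on restart or SIGHUP, so an edit alone changes nothing until then.)

```python
"""Evaluate sysklogd-style syslog.conf selectors (added example, not from the thread)."""

# Facility keywords as listed in syslog.conf(5). Priority numbers follow
# <syslog.h>: emerg=0 ... debug=7, so a LOWER number means MORE severe.
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# The netfilter LOG target logs with facility kern at --log-level, default warning.
LOG_TARGET_FACILITY = "kern"
LOG_TARGET_DEFAULT_LEVEL = "warning"


def enabled_levels(selector_field):
    """Return {facility: set(levels)} for a selector field such as
    '*.info;kern.!warning;mail.none'.

    Rules (as in sysklogd's cfline()): selectors apply left to right;
    'fac.pri'  enables pri and everything more severe;
    'fac.!pri' disables pri and everything more severe;
    'fac.=pri' / 'fac.!=pri' enable / disable exactly pri;
    'fac.none' disables the facility; '*' stands for every facility
    (or, as a priority, every level); 'fac1,fac2.pri' lists facilities.
    """
    table = {f: set() for f in FACILITIES}
    for sel in selector_field.split(";"):
        facs, _, pri = sel.strip().rpartition(".")
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        if facs == "*":
            targets = FACILITIES
        else:
            targets = [FACILITY_ALIASES.get(f, f) for f in facs.split(",")]
        if pri == "none":
            levels = set()
        elif pri == "*":
            levels = set(range(8))
        elif exact:
            levels = {PRIORITIES[pri]}
        else:
            levels = set(range(PRIORITIES[pri] + 1))  # pri and everything more severe
        for f in targets:
            if pri == "none":
                table[f].clear()
            elif negate:
                table[f] -= levels
            else:
                table[f] |= levels
    return table


def selector_matches(selector_field, facility, priority):
    """True if a message logged as facility.priority is caught by the selector field."""
    facility = FACILITY_ALIASES.get(facility, facility)
    return PRIORITIES[priority] in enabled_levels(selector_field)[facility]


def catches_log_target(selector_field, log_level=LOG_TARGET_DEFAULT_LEVEL):
    """Would this selector field deliver netfilter LOG messages to its action?"""
    return selector_matches(selector_field, LOG_TARGET_FACILITY, log_level)


if __name__ == "__main__":
    # The two selector fields from the syslog.conf in the original post.
    for field in ("*.info;kern.!warning;mail.none;authpriv.none;cron.none", "kern.warning"):
        print(f"{field!r:60} catches LOG target output: {catches_log_target(field)}")
```

The evaluator only covers the selector syntax of sysklogd (the syslogd shipped with Red Hat 9); syslog-ng and rsyslog add their own filter languages on top of it.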
Sigurjon wrote:
> I am a system administrator in a middle school and a linux
> enthusiastic newbie and have just installed a RH9 box as Default
> Gateway using iptables as firewall.
> 
> Recently students started finding MSN replicas and are using them. It
> is a school policy not to allow MSN and I need to stop it. I can find
> the exe files of MSN easy enough but need to close the MSN traffic on
> user level and that means the firewall.
> 
> I understand that closing the port 1863 (MSN) is to no avail since MSN
> is smart enough to find other ports like 80 to connect. So I need to
> sniff out the hosts of MSN for IP blocking and am trying to do so with
> these

How about closing *all* ports through the firewall? Most services have 
proxies available. I use proxies for http, https, ftp, nntp and ntp. 
Assuming you have an email server already, that covers most people's needs.

Mark Atherton

Mark
11/21/2003 7:15:21 PM
On Fri, 21 Nov 2003 15:03:39 +0000, Lion-O wrote:

<snip explanation of problem and syslog internals> 
> 
> I think your only option is to start using the ULOG target and use a
> program to grab the stuff it produces (using ulogd).
> 
> 

There is another solution (of course there is, this is linux), namely using
a different logger.

I'm rather fond of syslog-ng, it enables you to filter log messages with regular
expressions (as well as the syslog facilities and log-levels) and can
redirect log messages to different files based on these filters.

netfilter's LOG directive has the option --log-prefix which prefixes the
log message with user-defined messages; filtering for these messages
allows you to place firewall messages in different files based on the type
of infraction identified.


>> (the answer is 42:)
> 
> Bingo!

Only if you use Base 13 calculations :)

-- 
Sometimes one cannot escape living with the burden of regret
Vincent Glotzbach
vglotzb at cs dot vu.nl || vglotzb at glotz-its dot nl
gpg public key at http://www.cs.vu.nl/~vglotzb/vglotzb.asc

Vincent
11/24/2003 3:41:54 PM
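Filtering on the `--log-prefix` text, as Vincent suggests, can also be done after the fact on whichever file the kernel messages already land in, which serves the goal of the original post as well. This is an added example, not code from the thread or from any of the tools named in it: a Python script that parses netfilter LOG lines in the form klogd hands them to syslog, groups them by prefix the way a syslog-ng filter on the message text would route them to separate destinations, and tallies the remote address of every logged packet on the port from the original rule. The sample log lines, the host name `gateway` and all addresses are constructed for the example.

```python
"""Split netfilter LOG lines out of a syslog file by --log-prefix (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample of what sysklogd/klogd write to /var/log/messages for
# rules such as `-j LOG --log-prefix "MSN packet: "`; hosts and addresses are made up.
SAMPLE_MESSAGES = """\
Nov 19 23:40:01 gateway kernel: MSN packet: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=4021 DF PROTO=TCP SPT=1863 DPT=3412 WINDOW=16384 RES=0x00 ACK URGP=0
Nov 19 23:40:02 gateway kernel: MSN packet: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.1.41 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=4022 DF PROTO=TCP SPT=1863 DPT=1092 WINDOW=16384 RES=0x00 ACK URGP=0
Nov 19 23:40:03 gateway kernel: MSN packet: IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=4023 DF PROTO=TCP SPT=1863 DPT=3413 WINDOW=16384 RES=0x00 ACK URGP=0
Nov 19 23:40:04 gateway kernel: DROPPED: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 19 23:40:05 gateway sshd[812]: Accepted password for admin from 192.168.1.2 port 40211 ssh2
Nov 19 23:40:06 gateway kernel: eth0: link up
"""

# Syslog header, then the optional --log-prefix text, then the first netfilter field.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<rest>.*)$"
)


def parse_log_line(line):
    """Return a dict for a netfilter LOG line, or None for any other syslog line."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix").strip()}
    # After 'kernel: <prefix>' the record is space-separated KEY=VALUE tokens
    # plus bare flags such as DF, SYN and ACK, which are stored as True.
    for tok in ("IN=" + m.group("rest")).split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True
    return rec


def split_by_prefix(lines, routes, default="other"):
    """Group parsed LOG records by their --log-prefix, as a syslog-ng filter on
    the message text would route them to separate files. `routes` maps a
    prefix (as written in the rule, trailing space trimmed) to a destination name."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # not a netfilter LOG line
        buckets[routes.get(rec["prefix"], default)].append(rec)
    return dict(buckets)


def remote_hosts_on_port(records, port="1863"):
    """Count the far-end address of each logged packet that used `port`:
    SRC when the packet came from that port (SPT), DST when it went to it (DPT)."""
    counts = Counter()
    for rec in records:
        if rec.get("SPT") == port:
            counts[rec["SRC"]] += 1
        elif rec.get("DPT") == port:
            counts[rec["DST"]] += 1
    return counts


# Prefixes used by the (constructed) rules above, mapped to destination names.
ROUTES = {"MSN packet:": "msn", "DROPPED:": "dropped"}

if __name__ == "__main__":
    groups = split_by_prefix(SAMPLE_MESSAGES.splitlines(), ROUTES)
    for name, recs in groups.items():
        print(f"{name}: {len(recs)} record(s)")
    for addr, n in remote_hosts_on_port(groups["msn"]).most_common():
        print(f"{addr} seen {n} time(s) on port 1863")
```

Feeding it the real /var/log/messages (`split_by_prefix(open("/var/log/messages"), ROUTES)`) gives one bucket per prefix, so the same prefixes that would drive a syslog-ng `match()` filter also work offline on the combined file the original poster already had.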
Thanks a lot guys. I tried using your advice but now my box is acting
in a very peculiar way. It started acting up on me before I could
implement your advice. But that is another story... When I have found
the cure I will proceed with the implementation.

Thanks again guys.


Sigurjon, the Icelandic binary Viking net-surfer.
6944804
12/1/2003 9:10:57 AM
6944804@talnet.is (Sigurjon) wrote in message news:<eba5e4d3.0312010110.1e9a295e@posting.google.com>...
> Thanks a lot guys. I tried using your advice but now my box is acting
> in a very peculiar way.
> 
> Sigurjon, the Icelandic binary Viking net-surfer.

To ease things, perhaps I could be so bold as to suggest changing
the way you are approaching this task? As far as I know, this could be
achieved by anything from using Mandrake 9.2's wizards and the
Shorewall firewall to using a CD based fire-and-forget solution
designed exactly for this purpose. Personally, I would go with the
latter. Take a look on http://www.distrowatch.com and you'll see a
whole bunch of them. Ones like Devil Linux and Sentry Firewall.

The setup for those goes something like this:

1. Burn the cd
2. Save configuration changes to floppy disk
3. Find a pc that boots, and has at least a cd-rom and floppy drive.
Keyboard / monitor / mouse may be handy too, but not vital.
4. Boot off the cd
5. Put the floppy disk in
6. Smile

There are also some even cooler ones like this:

http://www.zelow.no/floppyfw/index.html

Yeah. You read correctly. It's a firewall / gateway / dns / dhcp server
on a >>single floppy disk<<. And it's not the only one either ;)

No more worrying "oh, something has gone wrong with my redhat system."
The systems become "read only" - off your CD or (write protected)
floppy!

Apart from that, they are super-quick to get running. On anything
(just about!). Oh, best of all it's more fun. :D
comeand
12/22/2003 8:07:24 PM