Friday, October 30, 2009

Linux Security Notes 15: IPTables 5: IPTables Targets (-j)

IPTables Targets (-j)
Commonly used targets are:

1. Sends the packet on to the next rule or process.

2. DROP
     Drops the packet silently. The remote machine will not be aware of what happened to the packet.

3. REJECT
     When the rule matches, an error message is sent back to the client.
Example of REJECT:

# iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

This rejects all echo requests with an icmp-port-unreachable message. If we ping the host, we get a destination host unreachable reply.

4. REDIRECT
     Redirects the matching traffic to a desired port. It is applied in the PREROUTING chain of the nat table.

# iptables -t nat -A PREROUTING -p tcp --dport 3128 -j REDIRECT --to-port 80

     This redirects all traffic arriving at destination port 3128 to port 80.

# iptables -L -n -t nat -v

     Check with verbose mode (-v) to get the packet count that has hit the rule.

5. LOG
     Logs the traffic that matches the rule, at any level from debug to emergency, through syslog.

IPTables logs:
     Logging relies on the kernel (kern) facility of syslog, so syslog has to be set up to collect the iptables activity.

Setup logging
     First we enable logging in IPTables.
Enabling the log for a chain

# iptables -I INPUT 1 -p tcp --dport 22 -j LOG

This starts logging the traffic that matches the rule above (all incoming ssh requests). The default log level is warning; the log levels correspond to the syslog levels.

# iptables -L -n -v

Check the packet counters to see whether any packets have hit the LOG rule.

# tail -f /var/log/messages

This is the default destination for facilities without a specific rule, so the kern facility has been logging to /var/log/messages.
Configure syslog to log iptables activity separately:
We change the kern facility to log to a separate file.

# vi /etc/syslog.conf
kern.none /var/log/messages
kern.* /var/log/firewall.log

This stops the kern facility logging to /var/log/messages and redirects all levels of kernel logs to /var/log/firewall.log. Note that kern.none only takes effect when it is appended to the selector of the existing /var/log/messages line (for example *.info;mail.none;authpriv.none;cron.none;kern.none on a Red Hat style system); a line whose selector is only kern.none matches nothing on its own.

# service syslog reload

This reloads the syslog daemon and creates the file /var/log/firewall.log.
Test the logging by generating traffic to port 22 on the host.

# tail -f /var/log/firewall.log

Brief description of the log format:
time - syslog facility - IN= interface that received the traffic - MAC= MAC address of the remote system and of the local system - SRC= source IP - DST= destination IP - ID= packet ID - SPT= source port - DPT= destination port, etc.

Generally logging should be enabled on separate chains and for specific rules. A catch-all log of all traffic will grow the log file enormously.

Logging all traffic

# iptables -A INPUT -j LOG
# tail -f /var/log/firewall.log

This logs all traffic destined to the local server (INPUT chain), for all protocols.

Log all except a particular protocol from a host

# iptables -I INPUT 1 -p tcp ! --dport 22 -s <source-host> -j LOG
# tail -f /var/log/firewall.log

This logs everything from the host except traffic to destination port 22. Replace <source-host> with the address of the remote host whose traffic should be logged.

Log excluding multiple ports in a single rule

# iptables -I INPUT 1 -p tcp -m multiport ! --dports 80,8080 -j LOG
# tail -f /var/log/firewall.log

This logs all traffic except packets destined to ports 80 and 8080. The multiport match takes the comma-separated list through --dports, and the ! that negates it goes before the option.

Log using separate chains
Now we will check how to create a separate chain in IPTables for logging activities.
Create a New chain

# iptables -N LOGGER

Create a reference in the INPUT chain to the new chain LOGGER

# iptables -I INPUT 1 -j LOGGER

Create the logging rule in chain LOGGER

# iptables -A LOGGER -p tcp -m multiport --dports 21,22,80,143,8080 -j LOG
# tail -f /var/log/firewall.log

This starts logging ports 21, 22, 80, 143 and 8080.

Logging ssh access to the console.
In iptables:
Create a New CHAIN

# iptables -N SSHLOG

Create a reference in INPUT chain to new chain SSHLOG

# iptables -I INPUT 1 -j SSHLOG

Create the logging rule in chain SSHLOG

# iptables -A SSHLOG -p tcp --dport 22 -j LOG

In syslog:

# vim /etc/syslog.conf
kern.* /dev/console
# service syslogd restart

This will start logging any ssh access to the console.

Prefixing interesting traffic with a log prefix (--log-prefix "log prefix")

# iptables -A LOGGER -p tcp --dport 22 -j LOG --log-prefix "SSH Access Logs "

This prefixes the given string to each log line, so it is easy to grep/awk the content from the log file. Keep a trailing space in the prefix, as above; otherwise the prefix runs straight into the IN= field that the kernel writes immediately after it.
The maximum prefix length is 29 characters.

--log-level (debug to emerg)
This sets the level of the log, from debug to emergency.
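As an added example (this code is not from the original post), a small Python parser for the log format described above: it splits each /var/log/firewall.log line into its KEY=VALUE fields and counts hits per destination port and per source, optionally restricted to one --log-prefix string. The log lines, host name, MAC and IP addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the kernel LOG target writes through
# the kern facility (host name, MAC and IP addresses are made up).
SAMPLE_LOG = """\
Oct 30 10:15:01 fw1 kernel: SSH Access Logs IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51234 DF PROTO=TCP SPT=40512 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 30 10:15:07 fw1 kernel: SSH Access Logs IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51235 DF PROTO=TCP SPT=40513 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 30 10:16:40 fw1 kernel: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9001 DF PROTO=TCP SPT=51000 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 30 10:17:02 fw1 kernel: usb 1-1: new high-speed USB device number 2
"""

# Syslog header, optional --log-prefix text, then the IN= field every LOG
# record starts with; the non-greedy prefix group stops at the first IN=.
LOG_LINE = re.compile(
    r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<fields>.*)$"
)

def parse_line(line):
    """Return the record's fields as a dict, or None for other kernel lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = {"time": m.group("time"), "host": m.group("host"),
           "prefix": m.group("prefix").rstrip(), "flags": []}
    # Re-attach IN= so it is parsed like every other KEY=VALUE token;
    # tokens without '=' (DF, SYN, ACK, ...) are bare IP/TCP flags.
    for tok in ("IN=" + m.group("fields")).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["flags"].append(key)
    return rec

def parse_log(text):
    """Parse a chunk of /var/log/firewall.log, skipping non-LOG kernel lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def hits_by_dport(records, prefix=None):
    """Count logged packets per destination port, optionally for one prefix."""
    return Counter(r.get("DPT", "-") for r in records
                   if prefix is None or r["prefix"] == prefix)

def sources_for_port(records, dport):
    """Count remote addresses that were logged hitting a destination port."""
    return Counter(r["SRC"] for r in records if r.get("DPT") == dport)
```

Because the prefix group stops at the first IN=, a prefix written without the trailing space (so that it reads "SSH Access LogsIN=eth0 ...") is still separated from the fields correctly.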
