Hi,
I've created a custom chain LOG_DROP to log certain packets and drop them. The problem is that I can't use it on policies.
Is there any way to get something which works as 'iptables -P INPUT LOG_DROP' should?
I commented out allowing port 80 and 443 so I could test that accessing the website (and failing, because it's not explicitly accepted) shows something in the log, but it doesn't.
Code:
iptables -F
iptables -X
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-level warning --log-prefix 'INPUT-DROP: '
iptables -A LOG_DROP -j DROP
iptables -N chain-incoming-ssh
iptables -A chain-incoming-ssh -s my.ip.addr.ess -j ACCEPT
iptables -A chain-incoming-ssh -j LOG_DROP
iptables -N chain-outgoing-services
iptables -A chain-outgoing-services -p tcp --dport 53 -j ACCEPT
iptables -A chain-outgoing-services -p udp --dport 53 -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 123 -j ACCEPT
iptables -A chain-outgoing-services -p udp --dport 123 -j ACCEPT
#iptables -A chain-outgoing-services -p tcp --dport 80 -j ACCEPT
#iptables -A chain-outgoing-services -p tcp --dport 443 -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 22 -j ACCEPT
iptables -A chain-outgoing-services -p icmp -j ACCEPT
iptables -A chain-outgoing-services -j LOG_DROP
iptables -N chain-states
iptables -A chain-states -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -j RETURN
iptables -A INPUT -m conntrack --ctstate INVALID -j LOG_DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j chain-states
iptables -A OUTPUT -j chain-states
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j chain-incoming-ssh
iptables -A OUTPUT -j chain-outgoing-services
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
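A chain policy only accepts the built-in ACCEPT and DROP targets, so the usual way to get the effect of 'iptables -P INPUT LOG_DROP' is to append a jump to the log-and-drop chain as the last rule of each built-in chain and keep the real policy at DROP as a safety net. The script below is an added example, not the poster's ruleset; it assumes a per-chain log chain name of the form LOG_DROP_<chain>, a rate limit of 5/min with burst 10, and an IPT variable that defaults to printing the commands instead of applying them.

```shell
#!/bin/sh
# Added example: emulate a "LOG_DROP policy" by terminating each built-in
# chain with a jump to a logging chain. The policy itself stays DROP so that
# nothing is accepted if the terminal rule is ever missing.
#
# IPT defaults to "echo iptables" so the script only prints what it would
# run; set IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# One log-and-drop chain per built-in chain, so the log prefix says which
# direction was dropped (INPUT-DROP:, OUTPUT-DROP:, FORWARD-DROP:).
# -m limit keeps a port scan from flooding the kernel log (assumed rate).
make_log_drop_chain() {
    chain="$1"                # e.g. INPUT
    name="LOG_DROP_$chain"    # assumed naming convention
    $IPT -N "$name"
    $IPT -A "$name" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level warning --log-prefix "$chain-DROP: "
    $IPT -A "$name" -j DROP
}

# Terminal rule: anything that reaches the end of the chain without being
# accepted is logged and dropped. This is what "-P INPUT LOG_DROP" would do
# if user-defined chains were allowed as a policy.
terminate_chain() {
    chain="$1"
    $IPT -A "$chain" -j "LOG_DROP_$chain"
    $IPT -P "$chain" DROP
}

for c in INPUT FORWARD OUTPUT; do
    make_log_drop_chain "$c"
done

# ... the per-service ACCEPT rules (ssh, dns, ntp, ...) go here ...

# Must come AFTER every ACCEPT rule: rules are matched in order.
for c in INPUT FORWARD OUTPUT; do
    terminate_chain "$c"
done
```

Dropped packets then show up in the kernel log (dmesg or journalctl -k) with the direction in the prefix, which also makes it easy to tell an outgoing drop from an incoming one.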