
iptables log and drop on INPUT policy

AntiRix

New Member
Hi,

I've created a custom chain LOG_DROP to log certain packets and drop them. The problem is that I can't use it on policies.

Is there any way to get something which works as 'iptables -P INPUT LOG_DROP' should?

I commented out allowing port 80 and 443 so I could test that accessing the website (and failing, because it's not explicitly accepted) shows something in the log, but it doesn't.

Code:
# Start from a clean slate: flush every rule, then delete all user-defined chains
iptables -F
iptables -X

# LOG_DROP: write the packet to the kernel log with the given prefix, then drop it.
# The same chain is also reached from OUTPUT, so outbound drops carry the INPUT-DROP: prefix too.
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-level warning --log-prefix 'INPUT-DROP: '
iptables -A LOG_DROP -j DROP

# Inbound SSH: only the admin address is accepted, everything else is logged and dropped
iptables -N chain-incoming-ssh
iptables -A chain-incoming-ssh -s my.ip.addr.ess -j ACCEPT
iptables -A chain-incoming-ssh -j LOG_DROP

# Outbound connections from this host (OUTPUT): DNS, NTP, SSH and ICMP; anything else is logged and dropped
iptables -N chain-outgoing-services
iptables -A chain-outgoing-services -p tcp --dport 53 -j ACCEPT
iptables -A chain-outgoing-services -p udp --dport 53 -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 123 -j ACCEPT
iptables -A chain-outgoing-services -p udp --dport 123 -j ACCEPT
#iptables -A chain-outgoing-services -p tcp --dport 80 -j ACCEPT
#iptables -A chain-outgoing-services -p tcp --dport 443 -j ACCEPT
iptables -A chain-outgoing-services -p tcp --dport 22 -j ACCEPT
iptables -A chain-outgoing-services -p icmp -j ACCEPT
iptables -A chain-outgoing-services -j LOG_DROP

# Packets belonging to an established or related connection are accepted;
# anything new RETURNs to the calling chain for further matching
iptables -N chain-states
iptables -A chain-states -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A chain-states -j RETURN

# Packets conntrack cannot classify are logged and dropped
iptables -A INPUT -m conntrack --ctstate INVALID -j LOG_DROP

# Loopback traffic is always allowed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -j chain-states
iptables -A OUTPUT -j chain-states

# INPUT: ICMP and SSH are the only new inbound connections any rule handles.
# A new connection to any other port (80 and 443 included) matches nothing here
# and falls through to the DROP policy below, which logs nothing.
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j chain-incoming-ssh

iptables -A OUTPUT -j chain-outgoing-services

# Default policies. A policy must be a built-in target such as ACCEPT or DROP;
# a user-defined chain like LOG_DROP cannot be used here.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
 

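An added example, not the original poster's script: `iptables -P` only accepts a built-in target, so a chain policy can never be a user-defined chain. The working equivalent of `iptables -P INPUT LOG_DROP` is to keep the DROP policy and append a jump to the logging chain as the very last rule of the built-in chain, so that every packet that would otherwise reach the policy is logged first. That is also why the test above showed nothing: a connection arriving on port 80 or 443 is handled by INPUT, where no rule matches it and the DROP policy discards it silently, while the commented-out lines live in chain-outgoing-services and only govern connections the host itself opens. The script below emits the ruleset in iptables-restore format (applied atomically, so there is no window between `iptables -F` and the last `-A`), uses two logging chains so the prefix tells you the direction, rate-limits the LOG rule so a port scan cannot flood the kernel log, and collapses the three per-protocol conntrack rules into one. `ADMIN_IP`, the helper names and the placeholder address 192.0.2.10 (standing in for my.ip.addr.ess) are assumptions; the rest mirrors the posted rules.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset whose last INPUT/OUTPUT rule jumps to a logging chain, which is the
# working stand-in for the impossible "iptables -P INPUT LOG_DROP".
set -eu

# Assumed admin address; 192.0.2.10 is a documentation-range placeholder for my.ip.addr.ess
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"

# Print the complete filter table in iptables-restore syntax.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP_IN - [0:0]
:LOG_DROP_OUT - [0:0]
:chain-incoming-ssh - [0:0]
:chain-outgoing-services - [0:0]
:chain-states - [0:0]
# One logging chain per direction so the prefix says where the packet was heading.
# The limit match keeps a scan from flooding the kernel log (not every drop is logged).
-A LOG_DROP_IN -m limit --limit 5/min --limit-burst 10 -j LOG --log-level warning --log-prefix "INPUT-DROP: "
-A LOG_DROP_IN -j DROP
-A LOG_DROP_OUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level warning --log-prefix "OUTPUT-DROP: "
-A LOG_DROP_OUT -j DROP
-A chain-incoming-ssh -s $ADMIN_IP -j ACCEPT
-A chain-incoming-ssh -j LOG_DROP_IN
-A chain-outgoing-services -p tcp --dport 53 -j ACCEPT
-A chain-outgoing-services -p udp --dport 53 -j ACCEPT
-A chain-outgoing-services -p tcp --dport 123 -j ACCEPT
-A chain-outgoing-services -p udp --dport 123 -j ACCEPT
# 80/443 left commented out, as in the post, while testing that unmatched traffic is logged
#-A chain-outgoing-services -p tcp --dport 80 -j ACCEPT
#-A chain-outgoing-services -p tcp --dport 443 -j ACCEPT
-A chain-outgoing-services -p tcp --dport 22 -j ACCEPT
-A chain-outgoing-services -p icmp -j ACCEPT
-A chain-outgoing-services -j LOG_DROP_OUT
# A single conntrack rule covers tcp, udp and icmp alike
-A chain-states -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A chain-states -j RETURN
-A INPUT -m conntrack --ctstate INVALID -j LOG_DROP_IN
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -j chain-states
-A OUTPUT -j chain-states
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j chain-incoming-ssh
-A OUTPUT -j chain-outgoing-services
# Catch-all rules: everything that would have hit the silent DROP policy is logged first
-A INPUT -j LOG_DROP_IN
-A OUTPUT -j LOG_DROP_OUT
COMMIT
EOF
}

# Returns 0 when the last rule appended to CHAIN is a jump to TARGET, i.e. no
# packet can reach that chain's DROP policy without passing the logging chain.
last_rule_is_jump_to() {
    chain="$1"
    target="$2"
    gen_rules | grep "^-A $chain " | tail -n 1 | grep -q -- "-j $target\$"
}

# Number of rules appended to CHAIN (useful when eyeballing the generated table).
rule_count() {
    gen_rules | grep -c "^-A $1 " || true
}
```

Apply it with `gen_rules | sudo iptables-restore`, then watch for the prefixes with `journalctl -k -f` (or `dmesg -w`, or whatever file your syslog sends kernel messages to; LOG writes to the kernel ring buffer, not directly to a file). Because of the limit match you will see at most a burst of ten and then five lines a minute per chain; drop `-m limit ...` if you want every packet. Keep prefixes short: iptables caps `--log-prefix` at 29 characters.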