Bug 103967 - enhancing the panic option of the /etc/init.d/iptables script
Summary: enhancing the panic option of the /etc/init.d/iptables script
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo's Team for Core System packages
Reported: 2005-08-27 13:46 UTC by Fernando Henrique Ferraz Pereira da Rosa
Modified: 2006-11-11 00:08 UTC (History)


Attachments
Patch for my suggested modifications. (iptablesinit.patch, 2.22 KB, patch)
2005-08-28 09:00 UTC, Fernando Henrique Ferraz Pereira da Rosa

Description Fernando Henrique Ferraz Pereira da Rosa 2005-08-27 13:46:59 UTC
Currently /etc/init.d/iptables panic just drops all packets, w/o any logging
being done. Being under some sort of attack in the last few minutes, I had the idea
of a more useful panic option, which besides DROPing everything, could also log
everything that's being dropped. So I changed my /etc/init.d/iptables script.
The relevant change is in the panic() function, where it reads:

    set_table_policy $a DROP

  it should be replaced by:

    ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_PANIC}"

    And then I define the IPTABLES_PANIC variable in /etc/conf.d/iptables:

IPTABLES_PANIC="/var/lib/iptables/lock-down"

     Where my lock-down table rejects everything but also logs it:

*filter
:INPUT ACCEPT [3265:459381]
:FORWARD ACCEPT [269:188710]
:OUTPUT ACCEPT [3545:243333]

#final reject everything rule
-A INPUT -i eth1 -p tcp -j LOG --log-prefix "intruder "
-A INPUT -i eth1 -p tcp -j REJECT
-A OUTPUT -p tcp -j LOG --log-prefix "outruder "
-A OUTPUT -p tcp -j REJECT

COMMIT

     In the course of implementing this idea the attack went away and I didn't
get the chance to log who was trying to packet me, but now it suffices to type
/etc/init.d/iptables panic. Do you think it would be possible to have some
variation of my idea added to the baselayout scripts?



Reproducible: Always
Comment 1 SpanKY gentoo-dev 2005-08-28 00:00:18 UTC
how about this:
--- files/iptables-1.3.2.confd  12 Jul 2005 02:38:29 -0000      1.1
+++ files/iptables-1.3.2.confd  28 Aug 2005 06:59:56 -0000
@@ -9,3 +9,6 @@ SAVE_RESTORE_OPTIONS="-c"

 # Save state on stopping iptables
 SAVE_ON_STOP="yes"
+
+# Log options when going into 'panic-log' state
+PANIC_LOG_OPTS="--log-prefix 'panic-log '"
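Review bot: the value `PANIC_LOG_OPTS="--log-prefix 'panic-log '"` will not be parsed the way the init hunk's unquoted `${PANIC_LOG_OPTS}` expansion needs: the shell does not strip the inner single quotes from an expanded variable, so iptables receives the words `--log-prefix`, `'panic-log` and `'`, and the stray `'` becomes an unexpected extra argument. Suggest a prefix with no embedded quotes, e.g. `PANIC_LOG_OPTS="--log-prefix panic-log"`, since `--log-prefix` takes a single word anyway.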
--- files/iptables-1.3.2.init   10 Aug 2005 23:11:12 -0000      1.2
+++ files/iptables-1.3.2.init   28 Aug 2005 06:59:56 -0000
@@ -3,7 +3,7 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header:
/var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.2
2005/08/10 23:11:12 vapier Exp $

-opts="save reload panic"
+opts="save reload panic panic_log"

 iptables_name=${SVCNAME}
 if [[ ${iptables_name} != "iptables" && ${iptables_name} != "ip6tables" ]] ; then
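Review bot: `panic_log` is added to `opts` but neither this hunk nor the confd hunk documents the new action for the admin, and the confd comment names the state 'panic-log' while the action is spelled `panic_log`; suggest settling on one spelling and adding a one-line comment above `opts` saying that panic_log is panic plus logging of what gets dropped.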
@@ -109,3 +109,9 @@ panic() {
        done
        eend $?
 }
+
+panic_log() {
+       panic
+       iptables -I INPUT -j LOG ${PANIC_LOG_OPTS}
+       iptables -I OUTPUT -j LOG ${PANIC_LOG_OPTS}
+}
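Review bot: `panic_log()` calls the `iptables` binary directly rather than the `${iptables_bin}` the rest of the script uses (the script also runs as ip6tables, per the `iptables_name` check above), so the ip6tables service's panic_log would modify the IPv4 tables. The LOG rules also only cover INPUT and OUTPUT of the filter table: FORWARD is skipped, and because `panic` has already set a DROP policy on every loaded table, packets discarded in raw/mangle/nat never reach these rules, which is exactly what the reporter later observed; the LOG rule needs to precede the drop in every table's chains. Finally, `panic()` ends with `eend $?` while `panic_log()` reports nothing; suggest the same `eend` after the inserts.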
Comment 2 Fernando Henrique Ferraz Pereira da Rosa 2005-08-28 08:59:13 UTC
     I tried your suggested modifications but they didn't work. After much
fiddling with iptables I figured out it wasn't so simple to LOG and DROP all the
packets. The packets might be first intercepted by a myriad of TARGETs on
different tables, depending on how your kernel is configured. Here the raw and
mangle tables took precedence over the filter table, and so after setting
the policy to DROP, the packets were dropped when they first reached raw/mangle,
and there was no logging being done. Inspired by the way the panic() function
does the policy setting I devised a fail-proof (I suppose) way to DROP *and* LOG
all packets.

      I attached my proposed patch with my solution. Basically it creates a user
defined CHAIN 'BAD', which has as its rules DROP and LOG everything. It then applies
this rule to every chain on every table currently active. I also had to make some
minor modifications to the set_table_policy() function, which was missing the
'raw' table from its list of tables. The reload() function had to be changed too
(start was never being reached, and a panic/panic_log followed by reload wasn't
restarting the service). Finally I added an add_table_rule() function, which is
a minor modification of set_table_policy().

       I believe that now it will work in a much broader range of kernel
configs.
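The approach Comment 2 describes, written out here as an added example (it is neither the attached patch nor Gentoo's own script): one user chain BAD per table that LOGs and then DROPs, inserted as the first rule of every built-in chain of every loaded table, so a packet is logged before the raw, mangle or nat tables get to discard it. The IPTABLES variable (defaults to iptables; set IPTABLES=echo to print the commands instead of applying them) and PANIC_LOG_PREFIX are names assumed for this example, not variables from the page.

```shell
#!/bin/sh
# Added example, not the attachment from the bug: LOG then DROP on every
# built-in chain of every active table, so packets are logged even when
# raw/mangle/nat would otherwise discard them before the filter table.
# IPTABLES and PANIC_LOG_PREFIX are assumed names; the prefix is quoted once
# so its trailing space survives expansion.
IPTABLES="${IPTABLES:-iptables}"
PANIC_LOG_PREFIX="${PANIC_LOG_PREFIX:-panic-log }"

# Built-in chains of each table (2.6-era kernel; nat gained INPUT only in 2.6.34).
builtin_chains() {
    case "$1" in
        raw)    echo "PREROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        filter) echo "INPUT FORWARD OUTPUT" ;;
        *)      echo "" ;;
    esac
}

# Tables currently loaded in the kernel; an explicit list may be passed instead.
active_tables() {
    if [ $# -gt 0 ]; then printf '%s\n' "$@"; else cat /proc/net/ip_tables_names; fi
}

# Create the BAD chain (LOG, then DROP) in each table and make every built-in
# chain jump to it as rule 1, ahead of any other rule or the chain policy.
panic_log() {
    for table in $(active_tables "$@"); do
        $IPTABLES -t "$table" -N BAD 2>/dev/null || true   # may already exist
        $IPTABLES -t "$table" -F BAD
        $IPTABLES -t "$table" -A BAD -j LOG --log-prefix "$PANIC_LOG_PREFIX"
        $IPTABLES -t "$table" -A BAD -j DROP
        for chain in $(builtin_chains "$table"); do
            $IPTABLES -t "$table" -I "$chain" 1 -j BAD
        done
    done
}

# Undo: remove the jumps and the BAD chain so a later reload starts clean.
panic_log_undo() {
    for table in $(active_tables "$@"); do
        for chain in $(builtin_chains "$table"); do
            $IPTABLES -t "$table" -D "$chain" -j BAD 2>/dev/null || true
        done
        $IPTABLES -t "$table" -F BAD && $IPTABLES -t "$table" -X BAD
    done
}
```

Running `IPTABLES=echo panic_log raw filter` shows the exact command sequence without touching the kernel.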
Comment 3 Fernando Henrique Ferraz Pereira da Rosa 2005-08-28 09:00:13 UTC
Created attachment 67086
Patch for my suggested modifications.
Comment 4 SpanKY gentoo-dev 2006-11-11 00:08:13 UTC
Not really worth the maintenance effort here ... if you need something more powerful, I'd suggest looking into a real firewall script.