I'm trying to log outgoing connections with iptables. What I want is to drop and accept connections while also logging them. I found that the -j option takes DROP / REJECT / ACCEPT / LOG, but I want to do something like DROP and LOG, or ACCEPT and LOG. Is there a way to achieve this?
Example:
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP
Log example:
Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=x PROTO=TCP SPT=x DPT=x WINDOW=x RES=0x00 SYN URGP=0
Other options:
LOG
    Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT).
    --log-level level
        Level of logging (numeric or see syslog.conf(5)).
    --log-prefix prefix
        Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.
    --log-tcp-sequence
        Log TCP sequence numbers. This is a security risk if the log is readable by users.
    --log-tcp-options
        Log options from the TCP packet header.
    --log-ip-options
        Log options from the IP packet header.
    --log-uid
        Log the userid of the process which generated the packet.
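As an added example (not from the question or any of the answers), here is a small POSIX shell function that pulls the kernel LOG lines carrying a chosen --log-prefix out of a syslog stream and counts them per source address and destination port, which is the first thing you want when reviewing what a LOG-then-DROP rule pair actually caught. The log lines embedded below are constructed for the demo in the same format as the log example above; on a real host you would feed it /var/log/kern.log or the output of dmesg. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original answers: summarise kernel LOG lines
# that carry a given --log-prefix, counting packets per source address and
# destination port. SAMPLE_LOG is constructed for the demo.
SAMPLE_LOG='Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=1 PROTO=TCP SPT=51234 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 19 14:18:07 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=2 PROTO=TCP SPT=51235 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 19 14:18:09 servername kernel: INPUT:ACCEPT:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=198.51.100.3 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=40000 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 19 14:18:12 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=198.51.100.3 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40001 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0'

# summarize_prefix PREFIX   (reads syslog lines on stdin)
# Keeps only kernel lines whose message starts with PREFIX, then prints
# "count SRC DPT" lines, busiest source first.
summarize_prefix() {
    prefix="$1"
    grep -F "kernel: ${prefix}" |
    awk '{
        src = ""; dpt = "";
        # the LOG target emits KEY=VALUE tokens; pick the two we care about
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "") count[src " " dpt]++;
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Convenience wrapper for the prefix used in the answer above.
drop_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_prefix 'INPUT:DROP:'
}

drop_summary
```

Because LOG prefixes are free text, the grep anchors on the literal `kernel: PREFIX` string so that `INPUT:DROP:` does not also match a hypothetical `INPUT:DROP:ICMP:` prefix unless you want it to; pass a longer prefix to narrow the view. The ACCEPT line in the sample is there to show that lines with a different prefix are ignored.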
Although it's been more than a year, I stumbled across this question while googling something else, and I believe I can improve on the previous answer for the benefit of others.
The short answer is that you can't combine two actions in one line, but you can create a chain that does what you want and then call it in a one-liner.
Let's create a chain that logs and accepts:
iptables -N LOG_ACCEPT
Let's populate its rules:
iptables -A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
iptables -A LOG_ACCEPT -j ACCEPT
Now let's create a chain that logs and drops:
iptables -N LOG_DROP
Let's populate its rules:
iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
iptables -A LOG_DROP -j DROP
Now you can do it all in one go by jumping (-j) to the custom chain instead of the default LOG / ACCEPT / REJECT / DROP:
iptables -A <your_chain_here> <your_conditions_here> -j LOG_ACCEPT
iptables -A <your_chain_here> <your_conditions_here> -j LOG_DROP
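The two custom chains above are built by hand; as an added example (not part of the answer), here is a POSIX shell helper that builds such a "log, then verdict" chain, refuses prefixes longer than the 29-character limit the LOG target imposes, and only creates the chain if it does not already exist so a firewall script can be re-run without duplicating rules. It assumes iptables is on PATH; with DRY_RUN=1 (the default here) it prints the commands instead of executing them, so it is safe to source. The run and make_log_chain names are mine.

```shell
#!/bin/sh
# Added example, not from the original answer: build a "LOG then verdict"
# chain idempotently. Assumes iptables is on PATH; DRY_RUN=1 (default)
# prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"

# run CMD ARGS...  : print in dry-run mode, execute otherwise
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_log_chain NAME PREFIX VERDICT
# Creates chain NAME (if missing) holding two rules: LOG with PREFIX,
# then the terminating VERDICT (ACCEPT, DROP or REJECT).
make_log_chain() {
    name="$1"; prefix="$2"; verdict="$3"
    case "$verdict" in
        ACCEPT|DROP|REJECT) ;;
        *) echo "make_log_chain: verdict must be ACCEPT, DROP or REJECT" >&2; return 1 ;;
    esac
    # --log-prefix is limited to 29 characters (see the LOG target docs above);
    # iptables would truncate silently, so fail loudly instead.
    if [ "${#prefix}" -gt 29 ]; then
        echo "make_log_chain: prefix '$prefix' exceeds 29 characters" >&2
        return 1
    fi
    # -N fails if the chain already exists, so in real mode check first;
    # in dry-run mode just print the three commands.
    if [ "$DRY_RUN" = "1" ] || ! "$IPT" -n -L "$name" >/dev/null 2>&1; then
        run "$IPT" -N "$name"
        run "$IPT" -A "$name" -j LOG --log-prefix "$prefix" --log-level 6
        run "$IPT" -A "$name" -j "$verdict"
    fi
}

# Usage: the same two chains the answer above builds by hand.
make_log_chain LOG_ACCEPT "INPUT:ACCEPT: " ACCEPT
make_log_chain LOG_DROP   "INPUT:DROP: "   DROP
```

Run it with DRY_RUN=0 as root to apply the rules; the dry-run output is printed unquoted, so a prefix ending in a space shows up as two spaces before --log-level. Jump to the resulting chains with -j LOG_ACCEPT or -j LOG_DROP exactly as in the answer.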
nflog is better
sudo apt-get -y install ulogd2
Example ICMP blocking rule:
iptables=/sbin/iptables
# Drop ICMP (PING)
$iptables -t mangle -A PREROUTING -p icmp -j NFLOG --nflog-prefix 'ICMP Block'
$iptables -t mangle -A PREROUTING -p icmp -j DROP
And you can search the log for the prefix "ICMP Block":
/var/log/ulog/syslogemu.log
At work, I needed to log and block SSLv3 connections on ports 993 (IMAPS) and 995 (POP3S) using iptables. So I combined Gert van Dijk's How to take down SSLv3 in your network using iptables firewall? (POODLE) and Prevok's answer and came up with this:
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C@ 12>>26&0x3C@ 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C@ 12>>26&0x3C@ 2 & 0xFF=0x01 && \
0>>22&0x3C@ 12>>26&0x3C@ 7 & 0xFFFF=0x0300" \
-j SSLv3
To LOG and DROP, create a custom chain (e.g. SSLv3):
iptables -N SSLv3
iptables -A SSLv3 -j LOG --log-prefix "SSLv3 Client Hello detected: "
iptables -A SSLv3 -j DROP
To LOG and DROP, redirect to that chain (see -j SSLv3):
iptables -A INPUT \
-p tcp \! -f -m multiport --dports 993,995 \
-m state --state ESTABLISHED -m u32 --u32 \
"0>>22&0x3C@ 12>>26&0x3C@ 0 & 0xFFFFFF00=0x16030000 && \
0>>22&0x3C@ 12>>26&0x3C@ 2 & 0xFF=0x01 && \
0>>22&0x3C@ 12>>26&0x3C@ 7 & 0xFFFF=0x0300" \
-j SSLv3
Note: be aware of the order of the rules. These rules didn't work for me until I put them above this rule in my firewall script:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
For the Chinese GFW:
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 173.194.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 64.233.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j DROP
sudo iptables -I INPUT -s 74.125.0.0/16 -p tcp --tcp-flags RST RST -j LOG --log-prefix "drop rst"