Wednesday, July 3, 2013

logging new connections with iptables

INSTALL METHOD #1 - iptables is already started & running (live update)

1) Backup existing /etc/sysconfig/iptables

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.pre-LOGNEW-start

2) Save running iptables config

service iptables save

3) Backup running /etc/sysconfig/iptables

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.pre-LOGNEW-running

4) Create a new iptables chain called 'LOGNEW'

iptables -N LOGNEW
iptables -I LOGNEW 1 -m limit --limit 2/min -j LOG --log-prefix "iptables-new: "
# optional noise filters: each is inserted at position 1, i.e. ahead of the LOG rule, so matching packets RETURN without being logged
#iptables -I LOGNEW 1 -m iprange --src-range 127.0.0.1-127.0.0.255 -j RETURN # disables logging loopbacks
#iptables -I LOGNEW 1 -m iprange --dst-range 223.0.0.1-223.0.0.255 -j RETURN # disables logging multicasts
#iptables -I LOGNEW 1 -m iprange --dst-range 224.0.0.1-224.0.0.255 -j RETURN # disables logging multicasts

5) For all INPUT packets, forward 'NEW' connections to the 'LOGNEW' chain

iptables -I INPUT 1 -m state --state NEW -j LOGNEW

6) Save running iptables config

service iptables save

7) Validate the running iptables config

service iptables restart
iptables -S

Verify the following lines exist in the output of iptables -S:

...
-N LOGNEW
-A INPUT -m state --state NEW -j LOGNEW
...
-A LOGNEW -m limit --limit 2/min -j LOG --log-prefix "iptables-new: "


Check the output of /var/log/messages

grep iptables-new: /var/log/messages
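The grep above shows the raw kernel lines; what you usually want next is a count per source, protocol and destination port. The script below is an added example, not part of the original post: the function names are mine, and the syslog lines are constructed (documentation-range addresses, the standard field names the kernel LOG target writes). One caveat the rule itself imposes: --limit 2/min (with the default burst of 5) drops log entries above that rate, so every count here is a lower bound on the new connections the host actually saw.

```shell
#!/bin/sh
# Added example: summarize "iptables-new: " entries from /var/log/messages.
# Constructed sample log lines (not from a real host); one sshd line is mixed
# in to show that non-iptables entries are ignored, and one ICMP entry has no
# destination port.
SAMPLE_LOG='Jul  3 10:15:22 host kernel: iptables-new: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  3 10:15:23 host kernel: iptables-new: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  3 10:16:01 host kernel: iptables-new: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=UDP SPT=40000 DPT=53 LEN=32
Jul  3 10:16:05 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jul  3 10:17:40 host kernel: iptables-new: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  3 10:18:02 host kernel: iptables-new: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=4567 SEQ=1'

# Read syslog lines on stdin, keep those written by the LOGNEW chain and print
# "count source proto dport", most frequent first ("-" when the protocol has
# no port, e.g. ICMP). Counts are a lower bound because the LOG rule is
# rate-limited (--limit 2/min, default burst 5).
summarize_lognew() {
    grep 'iptables-new: ' |
    awk '{
        src = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1rn -k2,2 -k3,3 -k4,4n
}

# Read a summary on stdin; exit 0 when SRC accounts for more than MAX new
# connections in total, 1 otherwise (a threshold a monitoring job can act on).
lognew_source_over() {  # usage: summarize_lognew < LOG | lognew_source_over SRC MAX
    awk -v src="$1" -v max="$2" '$2 == src { total += $1 } END { exit !(total > max) }'
}

# Demonstration on the constructed sample; on a real host use
#   summarize_lognew < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_lognew
```

The source/protocol/port triple is the same information the LOG rule already records per packet; aggregating it is what turns the chain from a debugging aid into something a daily cron job can report on.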

-------------------------------------------------------------------------------------------------------------------------------------------------------


INSTALL METHOD #2 - manually modify /etc/sysconfig/iptables

1) Backup existing /etc/sysconfig/iptables

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.pre-LOGNEW-start

2) Edit /etc/sysconfig/iptables

vi /etc/sysconfig/iptables

Below the line that starts with ":OUTPUT ACCEPT *" (the * stands for the rest of that line), add the following line
:LOGNEW - [0:0]

As the very first rule of the INPUT chain (ahead of all lines beginning with "-A INPUT ..."), add the following line
-A INPUT -m state --state NEW -j LOGNEW

Above the line that begins with "COMMIT", or below the very last rule of the FORWARD chain (lines beginning with "-A FORWARD"), add the following line
# to filter noise, add "-A LOGNEW ... -j RETURN" (don't log) rules above the -j LOG line
-A LOGNEW -m limit --limit 2/min -j LOG --log-prefix "iptables-new: "
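The same three edits done by a script rather than in vi, as an added example that is not part of the original post. It assumes the iptables-save format that /etc/sysconfig/iptables uses; the function names and the sample file are mine (the sample is the stock RHEL/CentOS layout, constructed here). It also goes a little beyond the steps above: it touches only the *filter table, so a *nat table earlier in the file (which has its own ":OUTPUT ACCEPT" and "COMMIT" lines) is left alone; it still adds the INPUT rule when the INPUT chain has no rules yet; and it refuses to install a second copy.

```shell
#!/bin/sh
# Added example: insert the LOGNEW chain, its INPUT hook and its LOG rule into
# a copy of a sysconfig-style iptables file. Constructed sample file below.
SAMPLE_SYSCONFIG='# Firewall configuration written by system-config-firewall
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Write INFILE to OUTFILE with the three LOGNEW lines added, *filter table only:
#   ":LOGNEW - [0:0]"  right after ":OUTPUT ACCEPT ..."
#   the INPUT hook     before the first "-A INPUT" (or before COMMIT if none)
#   the LOG rule       right before COMMIT
add_lognew_rules() {  # usage: add_lognew_rules INFILE OUTFILE
    awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && /^-A INPUT/ && !input_done {
        print "-A INPUT -m state --state NEW -j LOGNEW"; input_done = 1
    }
    table == "filter" && /^COMMIT/ {
        if (!input_done) { print "-A INPUT -m state --state NEW -j LOGNEW"; input_done = 1 }
        print "-A LOGNEW -m limit --limit 2/min -j LOG --log-prefix \"iptables-new: \""
    }
    { print }
    table == "filter" && /^:OUTPUT ACCEPT/ { print ":LOGNEW - [0:0]" }
    ' "$1" > "$2"
}

# Exit 0 when all three LOGNEW lines are present in FILE: the post-edit check,
# and the guard against installing twice.
lognew_rules_present() {  # usage: lognew_rules_present FILE
    grep -qF ':LOGNEW - [0:0]' "$1" &&
    grep -qF -- '-A INPUT -m state --state NEW -j LOGNEW' "$1" &&
    grep -qF -- '-A LOGNEW -m limit --limit 2/min -j LOG --log-prefix "iptables-new: "' "$1"
}

# Demonstration on a scratch copy (replace $demo/iptables with
# /etc/sysconfig/iptables to do it for real, keeping the backup from step 1).
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_SYSCONFIG" > "$demo/iptables"
cp "$demo/iptables" "$demo/iptables.pre-LOGNEW-start"
if lognew_rules_present "$demo/iptables"; then
    echo "LOGNEW already installed, nothing to do"
else
    add_lognew_rules "$demo/iptables" "$demo/iptables.new" &&
    lognew_rules_present "$demo/iptables.new" &&
    mv "$demo/iptables.new" "$demo/iptables" && echo "LOGNEW rules added"
fi
rm -rf "$demo"
```

The file is only read when the service starts, so after editing the real one the "service iptables restart" and "iptables -S" check from step 7 of METHOD #1 still apply.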

REMOVAL METHOD #1 - with iptables running (live update)

1) Remove the INPUT rule

iptables -D INPUT -m state --state NEW -j LOGNEW

2) Remove the rules in the LOGNEW chain (a chain must be empty before it can be deleted)

# delete rule 1 until the chain is empty (iptables -F LOGNEW does the same in one step)
while iptables -D LOGNEW 1 2>/dev/null; do :; done

3) Remove the LOGNEW chain

iptables -X LOGNEW