RE: NTP, ntpdate, and ISP-based firewall

On Thu, 04.03.2004 at 22:27, Don Levey wrote:
> fedora-list-admin@xxxxxxxxxx wrote:
> 
> > No, there is no difference between REJECT and DROP in that issue. To
> > log REJECTs and DROPs (I dislike DROP much) you have to set up proper
> > logging rules with iptables. As an example you might log events with
> > something like:
> > 
> > iptables -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags
> > FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 10/min -j LOG
> > --log-prefix "NMAP-XMAS SCAN: " --log-level 7 --log-tcp-options
> > --log-ip-options
> > 
> 
> And just as I was looking into how to log events...
> Two quick questions:
> 1) Since placement matters, should I put this at the beginning of my iptables file, or at the end?
> 2) Is that all one line, or four (as above)?
> 
>  -Don

Don,

always keep in mind that netfilter, configured with iptables, works as a
chain: the first matching rule catches the packet and prevents further
chain checking if your rule jumps out of the chain.

So where you place logging rules depends on what you want to log. My
example shows logging for specific scans. You would want to put such a
rule near the top of your chain(s). Look at Jane's answer and how she
creates a specific, new chain for logging purposes.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2174.nptl
Sirendipity 23:10:03 up 14 days, 43 users, load average: 0.39, 0.43, 
                   [ γνῶθι σεαυτόν - gnothi seauton ]
             my life is a planetarium - and you are the stars
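An ordered ruleset illustrating the placement points made in this reply, as an added example that is not from the thread. Only the ppp0 interface and the NMAP-XMAS logging rule come from the thread; the LOGDROP chain, the state rule and the NTP accept are assumptions, and the script prints the commands instead of applying them unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: it only prints
# the iptables commands in chain order. Run as root with IPT=iptables to
# apply them. The ppp0 interface and the NMAP-XMAS rule come from the
# thread; LOGDROP, the state rule and the NTP accept are assumptions.
IPT="${IPT:-echo iptables}"

build_rules() {
    # Dedicated logging chain: log (rate limited), then terminate with
    # DROP. A packet jumped here never comes back to INPUT.
    $IPT -N LOGDROP 2>/dev/null || $IPT -F LOGDROP
    $IPT -A LOGDROP -m limit --limit 10/min -j LOG \
        --log-prefix "LOGDROP: " --log-level 7
    $IPT -A LOGDROP -j DROP

    $IPT -F INPUT
    $IPT -P INPUT DROP
    # Return traffic first, so the scan rule only sees fresh packets.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Specific scan logging near the top of INPUT. LOG does not jump
    # out of the chain, so the packet continues and is dropped by the
    # catch-all below; placed after the catch-all, it would never fire.
    $IPT -A INPUT -i ppp0 -p tcp -m tcp \
        --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG \
        -m limit --limit 10/min -j LOG --log-prefix "NMAP-XMAS SCAN: " \
        --log-level 7 --log-tcp-options --log-ip-options
    # Services actually offered.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i ppp0 -p udp --dport 123 -j ACCEPT   # NTP, assumed
    # Catch-all last: everything unmatched is logged, then dropped.
    $IPT -A INPUT -j LOGDROP
}

# Position (1-based) of the first rule whose text contains $1, used to
# check the ordering; empty if the pattern is absent.
rule_index() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_rules
```

The printed order is the order netfilter evaluates the rules, so a LOG rule that appears below the catch-all in this output would never see a packet.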
