On Mon, 2005-11-28 at 16:27 -0600, Jonathan Carpenter wrote:
> I am trying to block spammers with iptables but I am also wanting to
> log each dropped connection
> my syntax is
>
> iptables -I INPUT -s 222.251.0.0/17 -j DROP
>
> How could I change this syntax so that it sent me some sort of
> information to the /var/log/messages or some other log
> file so that I could make sure it was working?

It's a long time since I played with that sort of thing, but I needed to
put logging rules in before drop rules (there's nothing to log, by then).
Of course, you want to know if it was dropped, so you'd need two rules,
one before (logging attempt) and after (logging anything that didn't get
dropped), and you'd want to put some text into your log indicating which
logging rule wrote to the log.

This is just one of my old sets of logging and reject rules, to give some
example of what I used:

iptables --append INPUT --jump LOG --protocol tcp --in-interface ppp+ --destination-port 113 --log-prefix "firewall{auth}: "
iptables --append INPUT --jump LOG --protocol udp --in-interface ppp+ --destination-port 113 --log-prefix "firewall{auth}: "
iptables --append INPUT --jump REJECT --reject-with tcp-reset --protocol tcp --in-interface ppp+ --destination-port 113
iptables --append INPUT --jump REJECT --reject-with icmp-port-unreachable --protocol udp --in-interface ppp+ --destination-port 113

NB:

1. I don't use the abbreviations, so I don't have to look up what they mean.

2. These rules used REJECT, not DROP, on purpose. But the same sort of thing applies.

--
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
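An added example, not from either poster, that builds the LOG-then-DROP pair for the range in the question and then checks the kernel log for hits; it assumes a Linux host with the iptables LOG target and "limit" match, and the log prefix and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example (not the original poster's rules). Assumes Linux iptables with
# the LOG target and the "limit" match; "firewall{spam}" and the sample log
# lines below are constructed for illustration.

# Print the two rules for one source range. The LOG rule is appended first so
# it is evaluated before the DROP: a packet that hits DROP never reaches any
# later rule in the chain. The limit match keeps a flood of hits from filling
# /var/log/messages. Pipe the output to sh to apply it.
log_then_drop_rules() {
    range=$1
    prefix=$2
    printf 'iptables --append INPUT --source %s --match limit --limit 10/minute --jump LOG --log-prefix "%s: "\n' "$range" "$prefix"
    printf 'iptables --append INPUT --source %s --jump DROP\n' "$range"
}

# Count kernel LOG lines on stdin that carry the given prefix. Every line here
# is a packet that reached the LOG rule just before the DROP, which is what the
# question wants to verify.
count_logged() {
    prefix=$1
    grep -c "kernel: $prefix: " || true
}

# Distinct source addresses seen for a prefix, with hit counts, busiest first.
top_sources() {
    prefix=$1
    grep "kernel: $prefix: " | sed -n 's/.* SRC=\([^ ]*\) .*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG target writes to /var/log/messages.
SAMPLE_LOG='Nov 28 16:31:02 gw kernel: firewall{spam}: IN=ppp0 OUT= MAC= SRC=222.251.4.9 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5131 DF PROTO=TCP SPT=2048 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 28 16:31:05 gw kernel: firewall{spam}: IN=ppp0 OUT= MAC= SRC=222.251.4.9 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5140 DF PROTO=TCP SPT=2049 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 28 16:31:09 gw kernel: firewall{spam}: IN=ppp0 OUT= MAC= SRC=222.251.77.3 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=917 DF PROTO=TCP SPT=3301 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 28 16:31:11 gw kernel: firewall{auth}: IN=ppp0 OUT= MAC= SRC=203.0.113.8 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=22 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0'

log_then_drop_rules 222.251.0.0/17 'firewall{spam}'
printf '%s\n' "$SAMPLE_LOG" | count_logged 'firewall{spam}'
printf '%s\n' "$SAMPLE_LOG" | top_sources 'firewall{spam}'
```

On a live box replace the sample with `grep 'kernel: firewall{spam}: ' /var/log/messages`; a zero count after known traffic from the range means the DROP sits above the LOG rule or the range never matched.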