iptables在一个规则中记录和删除
iptables在一个规则中记录和删除
提问于 2014-02-14 13:43:22
我正在尝试使用iptables记录传出连接。我想要的是,放弃并接受连接,同时也记录它们。我发现-j选项采用DROP/REJECT/ACCEPT/LOG。但是我想做一些像DROP和LOG或者ACCEPT和LOG这样的事情。有没有办法做到这一点?
回答 4
Stack Overflow用户
回答已采纳
发布于 2014-02-20 06:26:30
示例:
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP日志示例:
Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=x PROTO=TCP SPT=x DPT=x WINDOW=x RES=0x00 SYN URGP=0其他选项:
LOG
Turn on kernel logging of matching packets. When this option
is set for a rule, the Linux kernel will print some
information on all matching packets
(like most IP header fields) via the kernel log (where it can
be read with dmesg or syslogd(8)). This is a "non-terminating
target", i.e. rule traversal
continues at the next rule. So if you want to LOG the packets
you refuse, use two separate rules with the same matching
criteria, first using target LOG
then DROP (or REJECT).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29
letters long, and useful for distinguishing messages in
the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the
log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log the userid of the process which generated the packet.Stack Overflow用户
发布于 2015-04-10 00:46:15
虽然已经有一年多的时间了,但我在其他谷歌搜索上偶然发现了这个问题几次,我相信我可以改进之前的答案,为其他人带来好处。
简而言之,您不能将这两个操作组合在一行中,但您可以创建一个链来做您想做的事情,然后在一个一行中调用它。
让我们创建一个链来记录和接受:
iptables -N LOG_ACCEPT让我们填充它的规则:
iptables -A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
iptables -A LOG_ACCEPT -j ACCEPT现在,让我们创建一个链来记录和删除:
iptables -N LOG_DROP让我们填充它的规则:
iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
iptables -A LOG_DROP -j DROP现在,您可以通过跳转(-j)到您的自定义链,而不是默认的日志/接受/拒绝/丢弃,一次性完成所有操作:
iptables -A <your_chain_here> <your_conditions_here> -j LOG_ACCEPT
iptables -A <your_chain_here> <your_conditions_here> -j LOG_DROPStack Overflow用户
发布于 2016-11-18 00:17:17
nflog更好
sudo apt-get -y install ulogd2ICMP阻止规则示例:
iptables=/sbin/iptables
# Drop ICMP (PING)
$iptables -t mangle -A PREROUTING -p icmp -j NFLOG --nflog-prefix 'ICMP Block'
$iptables -t mangle -A PREROUTING -p icmp -j DROP你可以在日志中搜索前缀"ICMP Block“:
/var/log/ulog/syslogemu.log页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/21771684
复制相关文章
相似问题