I'm trying to log outgoing connections with iptables. What I want is to drop and accept connections while also logging them. I found that the -j option takes DROP/REJECT/ACCEPT/LOG. But I want to do something like DROP and LOG or ACCEPT and LOG. Is there a way to do this?
Posted on 2014-02-20 06:26:30
Example:
iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A INPUT -j DROP
Log example:
Feb 19 14:18:06 servername kernel: INPUT:DROP:IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88 SRC=x.x.x.x DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=x PROTO=TCP SPT=x DPT=x WINDOW=x RES=0x00 SYN URGP=0
Other options:
LOG
    Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT).

    --log-level level
        Level of logging (numeric or see syslog.conf(5)).

    --log-prefix prefix
        Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.

    --log-tcp-sequence
        Log TCP sequence numbers. This is a security risk if the log is readable by users.

    --log-tcp-options
        Log options from the TCP packet header.

    --log-ip-options
        Log options from the IP packet header.

    --log-uid
        Log the userid of the process which generated the packet.
Posted on 2015-04-10 00:46:15
Although it's been more than a year, I've stumbled on this question a few times in other Google searches, and I believe I can improve on the previous answer for the benefit of others.
In short, you cannot combine the two actions on one line, but you can create a chain that does what you want and then call it in a single line.
Let's create a chain that logs and accepts:
iptables -N LOG_ACCEPT
Let's fill it with rules:
iptables -A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
iptables -A LOG_ACCEPT -j ACCEPT
Now, let's create a chain that logs and drops:
iptables -N LOG_DROP
Let's fill it with rules:
iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6
iptables -A LOG_DROP -j DROP
Now you can do it all in one go by jumping (-j) to your custom chains instead of the default LOG/ACCEPT/REJECT/DROP:
iptables -A <your_chain_here> <your_conditions_here> -j LOG_ACCEPT
iptables -A <your_chain_here> <your_conditions_here> -j LOG_DROP
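As an added example, not code from either answer above: a small POSIX shell script that builds the LOG_ACCEPT and LOG_DROP chains described in this answer so the script can be re-run without duplicating rules, rate-limits the LOG rule with the `limit` match so a port scan cannot flood the kernel log, and refuses prefixes longer than the 29 characters iptables(8) documents for --log-prefix. The chain names, prefixes, the eth1/port 22 rules in `main`, the `log_chains.sh` filename guard and the `IPTABLES=echo` dry-run convention are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): idempotent LOG_ACCEPT / LOG_DROP
# chains with a rate-limited LOG rule. Set IPTABLES=echo to print the commands
# instead of executing them (dry run); otherwise the real iptables is called.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# Return 0 if the prefix fits the 29-character limit that iptables(8)
# documents for --log-prefix; longer prefixes are silently truncated.
prefix_ok() {
    [ "${#1}" -le 29 ]
}

# Create the chain if it does not exist, otherwise flush it, so the
# script can be re-run without appending duplicate rules.
ensure_chain() {
    chain="$1"
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
}

# add_log_chain CHAIN PREFIX TARGET [LIMIT]
#   Fill CHAIN with a rate-limited LOG rule followed by the terminating
#   TARGET (ACCEPT, DROP or REJECT). LIMIT defaults to 5/min.
#   LOG is non-terminating, so when the limit is exceeded the packet simply
#   skips the LOG rule and still reaches TARGET: the policy never changes,
#   only the logging does.
add_log_chain() {
    chain="$1"; prefix="$2"; target="$3"; limit="${4:-5/min}"
    if ! prefix_ok "$prefix"; then
        echo "log prefix longer than 29 characters: '$prefix'" >&2
        return 1
    fi
    ensure_chain "$chain"
    $IPTABLES -A "$chain" -m limit --limit "$limit" --limit-burst 10 \
        -j LOG --log-prefix "$prefix" --log-level 6
    $IPTABLES -A "$chain" -j "$target"
}

main() {
    add_log_chain LOG_ACCEPT "INPUT:ACCEPT: " ACCEPT
    add_log_chain LOG_DROP   "INPUT:DROP: "   DROP
    # Assumed example policy: log+accept new SSH on eth1, log+drop other new flows.
    $IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG_ACCEPT
    $IPTABLES -A INPUT -i eth1 -m conntrack --ctstate NEW -j LOG_DROP
}

# Only apply the rules when run as log_chains.sh (assumed filename),
# so the functions can be sourced and exercised separately.
case "${0##*/}" in
    log_chains.sh) main ;;
esac
```

Run `IPTABLES=echo sh log_chains.sh` first to review the exact rules that would be applied; the --log-level 6 (info) messages then show up in the kernel log with the "INPUT:ACCEPT: " / "INPUT:DROP: " prefixes, which you can grep for exactly as in the first answer.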
Posted on 2016-11-18 00:17:17
nflog is better
sudo apt-get -y install ulogd2
Example ICMP blocking rules:
iptables=/sbin/iptables
# Drop ICMP (PING)
$iptables -t mangle -A PREROUTING -p icmp -j NFLOG --nflog-prefix 'ICMP Block'
$iptables -t mangle -A PREROUTING -p icmp -j DROP
You can search the log for the prefix "ICMP Block":
/var/log/ulog/syslogemu.log
https://stackoverflow.com/questions/21771684