Tiny Core Linux
Tiny Core Extensions => TCE Q&A Forum => Topic started by: Ulysses_ on October 18, 2011, 04:19:17 PM
-
Starting with TC's CD and installing the iptables extension. What should be added to /opt/bootlocal.sh in order for iptables to log everything that it blocks?
TC is set up fine as a whitelisting gateway with these in /opt/bootlocal:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -p tcp -j DROP
iptables -I FORWARD -p tcp -d 1.1.1.1 -j ACCEPT
iptables -I FORWARD -p tcp -s 1.1.1.1 -j ACCEPT
syslogd
1.1.1.1 is the only IP allowed to connect to/from through this gateway. Everything else is blocked and must be logged. How do you get iptables to log what it blocks above?
-
If this is of any use, syslogd is known to be running alright - dnsmasq.tcz can run while logging to /var/log/messages.
What else is needed? Tried the following line after the DROP line but nothing appeared at /var/log/messages:
iptables -I FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-
It should be ok. Perhaps the limit interferes, or some other rule. When you list the rules (iptables -L -v -n), does the log target counter get hits?
-
Every time I type "iptables -L -v -n" the output changes by only the INPUT line, that line shows more packets and bytes. No change in the LOG line. Is this what you mean?
-
Yes. That means there's nothing to be logged; either no such hits, or they are dropped before logging.
-
Here's the complete output of iptables -L -v -n. Is it saying that something should appear in /var/log/messages?
(http://img254.imageshack.us/img254/3535/image2w.gif)
-
When the LOG line starts with 2 20, doesn't that mean that 2 packets or 120 bytes were logged? Logged before iptables -L -v -n was run, some time when the gateway was being used by another pc?
-
There should've been two lines logged. The byte count is irrelevant to logging.
The counts don't get zeroed by listing them, there's another iptables flag for that.
edit: I tried your log rule, it worked fine for me, got the right output in /var/log/messages.
-
Did you get it working in FORWARD ie in a gateway?
Was it the TC 3.8.4 it worked on?
Did you put any options in the syslogd command when you launched it?
-
TC 4.0.2, clean rules table, and in the output chain for easy testing. I used the syslog bootcode.
edit: Ah, I see now. You're not running klogd, and iptables logs go there.
-
Sorted. It was klogd that had to be running.
So the syslog bootcode activates klogd too, together with syslogd and who knows what else.
Using the logs a script has now been completed that turns a gateway into a whitelisting firewall where the rules are either domain-name-based or IP-based.
-
tc-config:
if [ -n "$SYSLOG" ]; then
/sbin/syslogd && echo "${GREEN}syslog started.${NORMAL}"
/sbin/klogd && echo "${GREEN}klog started."
fi
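As an added example that is not code from this thread or from Tiny Core: a /opt/bootlocal.sh fragment for the gateway described above, written so that blocked FORWARD traffic actually reaches /var/log/messages. It assumes eth0 is the upstream interface and 1.1.1.1 the whitelisted host (both as in the thread), extends the whitelist from TCP only to all protocols, and can be dry-run with IPT=echo to check rule order without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: eth0 faces upstream,
# 1.1.1.1 is the only host allowed through, syslogd writes to /var/log/messages.
IPT="${IPT:-iptables}"          # set IPT=echo to print the rules instead of applying them
WAN_IF="${WAN_IF:-eth0}"
ALLOW_IP="${ALLOW_IP:-1.1.1.1}"

# iptables LOG entries are kernel messages. syslogd alone records nothing for
# them; klogd has to be running as well (what the thread finally found, and
# what the syslog bootcode starts for you).
start_logging() {
    pidof syslogd >/dev/null 2>&1 || syslogd
    pidof klogd   >/dev/null 2>&1 || klogd
}

# Rules are appended (-A) so they match top to bottom in the order written:
# whitelist, then LOG, then DROP. Inserting with -I puts each new rule at the
# top, so a LOG rule inserted after the DROP rule ends up above the ACCEPTs
# and logs allowed traffic too, while a DROP inserted later can sit above LOG
# and discard packets before they are logged.
apply_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -d "$ALLOW_IP" -j ACCEPT
    $IPT -A FORWARD -s "$ALLOW_IP" -j ACCEPT
    # LOG is non-terminating: the packet goes on to the next rule, so it must
    # sit directly above the DROP it describes. The limit stops a flood of
    # blocked packets from filling /var/log/messages.
    $IPT -A FORWARD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables denied: " --log-level 7
    $IPT -A FORWARD -j DROP
}

# Only act when invoked as "bootlocal.sh --apply"; sourcing the file is a no-op.
if [ "${1:-}" = "--apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    start_logging
    apply_rules
fi
```

Blocked connections then show up in /var/log/messages with the "iptables denied: " prefix; a quick check that the rule is being hit is a non-zero packet counter on the LOG line of iptables -L FORWARD -v -n.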