Tiny Core Linux
Tiny Core Extensions => TCE Q&A Forum => Topic started by: Adam on June 13, 2017, 01:39:10 AM
-
I was wondering where the iptables log is located, since there is no "/var/log/messages" log in TCL.
I've generated some traffic and it seems like iptables has blocked the traffic. I would like to see what kind of traffic has been blocked.
Thanks
tc@box:/var/log$ sudo /usr/local/sbin/basic-firewall
Your basic firewall is now [operational]
Press enter to continue
tc@box:/var/log$
tc@box:/var/log$ sudo iptables --line-numbers -vL
Chain INPUT (policy DROP 150 packets, 41007 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo any anywhere anywhere
2 164 16608 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:auth reject-with tcp-reset
Chain FORWARD (policy DROP 202 packets, 10536 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 129 packets, 27318 bytes)
num pkts bytes target prot opt in out source destination
tc@box:/var/log$
tc@box:/var/log$ ls -lah
total 4
drwxrwxr-x 2 root staff 80 Jun 13 12:11 ./
drwxrwxr-x 8 root staff 180 Jul 4 2016 ../
-rw-r--r-- 1 root root 0 Jun 13 12:11 autologin
-rw-rw-r-- 1 root staff 1.9K Jun 13 12:52 wtmp
tc@box:/var/log$
-
You need to use the "syslog" boot code to get /var/log/messages
-
..and you also need to have a LOG rule set for iptables to log anything.
-
You need to use the "syslog" boot code to get /var/log/messages
Thanks Juanito,
Do you have a sample config of the boot code with syslog?
-
menuentry "core" {
linux /boot/vmlinuz quiet text tce=UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" waitusb=10:UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" noutc syslog
initrd /boot/rootfs.gz /boot/modules.gz
}
-
menuentry "core" {
linux /boot/vmlinuz quiet text tce=UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" waitusb=10:UUID="9b0807fd-1d0c-4c7b-94cd-853923c34e55" noutc syslog
initrd /boot/rootfs.gz /boot/modules.gz
}
Thanks Juanito,
Apparently my boot codes were wrong before. There was no example on http://distro.ibiblio.org/tinycorelinux/faq.html#bootcodes or http://wiki.tinycorelinux.net/wiki:boot_codes_explained, hence I simply copied and pasted it at the bottom of /mnt/sda1/boot/grub/menu.lst
BEFORE (WRONG)
tc@box:/var/log$ cat /mnt/sda1/boot/grub/menu.lst
default 0
timeout 0
kernel /boot/vmlinuz quiet text
initrd /boot/core.gz
tinycore {cron|syslog}
tc@box:/var/log$
AFTER (CORRECT)
tc@box:/var/log$ cat /mnt/sda1/boot/grub/menu.lst
default 0
timeout 0
kernel /boot/vmlinuz quiet text syslog
initrd /boot/core.gz
tc@box:/var/log$
Now I can see /var/log/messages ... however, I don't see any source or destination IP address that has been blocked.
tc@box:/var/log$ ls -lah messages
-rw-r--r-- 1 root root 54.8K Jun 13 22:36 messages
tc@box:/var/log$
-
..and you also need to have a LOG rule set for iptables to log anything.
cool 8)
I'm seeing the log now. These are the steps.
sudo iptables -N LOGGING
sudo iptables -A FORWARD -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
sudo iptables -A LOGGING -j DROP
LOG :)
user@box:~$ tail -F /var/log/messages | egrep '1\.1\.1\.2|172\.16\.2\.6'
Jun 13 22:57:43 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=37467 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=0
Jun 13 22:57:58 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39124 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=15
Reference:
http://www.thegeekstuff.com/2012/08/iptables-log-packets/
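Added example, not part of the thread above and not Tiny Core's own scripting: the steps in the post hook the logging chain on FORWARD only, so anything that falls through to the DROP policy of INPUT (the chain basic-firewall actually locks down) is still dropped silently, and the LOG rule is appended as a catch-all, so where it sits relative to the ACCEPT rules decides what gets logged. The script below builds the same LOG-then-DROP chain, appends it as the last rule of both INPUT and FORWARD so that the lo and RELATED,ESTABLISHED accepts still match first, and adds an awk summary of the resulting /var/log/messages lines grouped by SRC -> DST and protocol/port. The chain name LOG_DROP is an assumption, the log prefix is the one from the post, `iptables -C` (rule check, used for idempotence) is assumed to be present, and the third sample log line is constructed (the first two are the ones shown above).

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumptions: chain name LOG_DROP,
# iptables -C available, log prefix "IPTables-Dropped: " as in the post.

setup_log_drop() {
    # Create the chain, or flush it if it already exists, so re-running is safe.
    iptables -N LOG_DROP 2>/dev/null || iptables -F LOG_DROP
    # Rate-limited LOG first, then DROP. LOG is non-terminating, so the packet
    # continues to the DROP rule whether or not the limit allowed a log entry.
    iptables -A LOG_DROP -m limit --limit 2/min --limit-burst 5 \
        -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    iptables -A LOG_DROP -j DROP
    # Append as the LAST rule of each chain: the ACCEPTs for lo and
    # RELATED,ESTABLISHED earlier in the chain keep matching first, so only
    # packets that would otherwise hit the DROP policy reach LOG_DROP.
    for chain in INPUT FORWARD; do
        iptables -C "$chain" -j LOG_DROP 2>/dev/null || iptables -A "$chain" -j LOG_DROP
    done
}

# Read syslog lines on stdin, count dropped packets per "SRC -> DST PROTO[/DPT]",
# and print the busiest pairs first.
summarize_drops() {
    awk '
        /IPTables-Dropped:/ {
            src = ""; dst = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")          # only KEY=VALUE tokens matter
                if (n != 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            key = src " -> " dst " " proto
            if (dpt != "") key = key "/" dpt    # ICMP has no port; TCP/UDP do
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample: the first two lines are the ones from the thread, the
# third (a TCP SYN to port 23 that hit INPUT) is made up for illustration.
SAMPLE_LOG='Jun 13 22:57:43 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=37467 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=0
Jun 13 22:57:58 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT=eth2 SRC=1.1.1.2 DST=172.16.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=39124 DF PROTO=ICMP TYPE=8 CODE=0 ID=27652 SEQ=15
Jun 13 22:58:10 box user.warn kernel: IPTables-Dropped: IN=eth3 OUT= SRC=1.1.1.2 DST=172.16.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40001 DF PROTO=TCP SPT=44120 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# Usage: sh logdrop.sh setup | summarize | demo   (setup needs root)
case "${1:-}" in
    setup)     setup_log_drop ;;
    summarize) summarize_drops < /var/log/messages ;;
    demo)      printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

Two things to check after installing it: `iptables -vL LOG_DROP` should show the LOG counter well below the DROP counter once the 2/min limit kicks in (the limit is what keeps a flood from filling a RAM-backed /var/log on Tiny Core, so raise it only while debugging), and the `syslog` boot code must still be in place, because without syslogd the kernel's LOG output never reaches /var/log/messages.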
-
tc@box:~$ sudo iptables --line-numbers -vL
Chain INPUT (policy ACCEPT 111 packets, 9899 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 486 41368 LOGGING all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 93 packets, 17968 bytes)
num pkts bytes target prot opt in out source destination
Chain LOGGING (1 references)
num pkts bytes target prot opt in out source destination
1 22 1920 LOG all -- any any anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix "IPTables-Dropped: "
2 486 41368 DROP all -- any any anywhere anywhere
tc@box:~$