iptables IPv6 logging
Curt Howland
Howland at priss.com
Fri Jan 3 20:57:28 EST 2014
So, I rebooted into kernel 3.2.x and logging works just fine.
However, in trying to recompile 3.12, I don't find that logging
module. I searched in "menuconfig", but it wasn't there.
The reason for this is that my home router does no packet filtering on
IPv6 packets at all. None of the firewall / port-forwarding /
virtual-server features exist for v6, so I'd best get my host
firewalling in order.
I built a very simple set of rules as a test, using examples online of
course, and they seem to be working for all the simplicity. I see few
packets getting dropped in the log, mostly broadcast packets from my
one Windows machine and the router itself.
Some day I will take the router out and connect a system directly to
the 'Net to see, again, the endless attacks, port scans, and so on.
Here are the rules:
# Generated by ip6tables-save v1.4.14 on Fri Jan 3 20:55:13 2014
*filter
:INPUT DROP [65:5200]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [64250:5861897]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT6]: "
COMMIT
# Completed on Fri Jan 3 20:55:13 2014
# Generated by iptables-save v1.4.14 on Fri Jan 3 20:55:40 2014
*filter
:INPUT DROP [82:23102]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [69638:12005599]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT4]: "
COMMIT
# Completed on Fri Jan 3 20:55:40 2014
--
You may my glories and my state dispose,
But not my griefs; still am I king of those.
--- William Shakespeare, "Richard II"
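Added example (not code from the post or its author): a small Python parser for the kernel log lines that LOG rules with the "[INPUT6]: " and "[INPUT4]: " prefixes above produce, separating the expected LAN chatter (link-local, multicast and broadcast) from drops that deserve a closer look. The sample log lines and the 192.168.1.0/24 LAN are constructed assumptions; the key=value field layout is the LOG target's real format.

```python
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(r"\[(INPUT[46])\]: (.*)$")   # prefix used in the rules above
KV_RE = re.compile(r"([A-Z]+)=(\S*)")            # LOG target writes KEY=value tokens

# Assumption: the LAN behind the router is 192.168.1.0/24 (not stated in the post).
LAN4 = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of what dmesg / kern.log would show for the two rule sets.
SAMPLE_LOG = """\
Jan  3 20:50:01 host kernel: [INPUT6]: IN=eth0 OUT= MAC=33:33:00:00:00:01:00:11:22:33:44:55:86:dd SRC=fe80:0000:0000:0000:0211:22ff:fe33:4455 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=547 DPT=546 LEN=24
Jan  3 20:51:12 host kernel: [INPUT4]: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4321 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan  3 20:52:30 host kernel: [INPUT4]: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4322 PROTO=UDP SPT=138 DPT=138 LEN=58
Jan  3 20:53:05 host kernel: [INPUT6]: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:66:77:88:99:aa:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0bad DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=44321 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
"""

def parse_log_line(line):
    """Return a dict of the LOG target's fields (plus 'prefix'), or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group(1)}
    for key, val in KV_RE.findall(m.group(2)):
        rec.setdefault(key, val)  # LEN appears twice (IP and L4 header); keep the IP one
    return rec

def is_lan_noise(rec):
    """True for link-local, multicast or LAN-broadcast traffic a default DROP is expected to eat."""
    src = ipaddress.ip_address(rec.get("SRC", "::"))
    dst = ipaddress.ip_address(rec.get("DST", "::"))
    return src.is_link_local or dst.is_multicast or dst == LAN4.broadcast_address

def summarize(log_text):
    """Count logged drops by (prefix, PROTO, DPT) so the noisy talkers stand out."""
    counts = Counter()
    for rec in map(parse_log_line, log_text.splitlines()):
        if rec:
            counts[(rec["prefix"], rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return counts

def external_hits(log_text):
    """Logged drops that are not LAN chatter: the ones worth a second look."""
    return [r for r in map(parse_log_line, log_text.splitlines()) if r and not is_lan_noise(r)]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    for r in external_hits(SAMPLE_LOG):
        print("external:", r["SRC"], "->", r["PROTO"], r.get("DPT"))
```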