iptables IPv6 logging

Curt Howland Howland at priss.com
Fri Jan 3 20:57:28 EST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


So, I rebooted into kernel 3.2.x and logging works just fine.

However, in trying to recompile 3.12, I don't find that logging 
module. I searched in "menuconfig", but it wasn't there.

The reason for this is that my home router does no packet filtering on 
IPv6 packets at all. None of the firewall / port-forwarding / 
virtual-server features exist for v6, so I'd best get my host 
firewalling in order.

I built a very simple set of rules as a test, using examples online of 
course, and they seem to be working for all the simplicity. I see few 
packets getting dropped in the log, mostly broadcast packets from my 
one Windows machine and the router itself.

Some day I will take the router out and connect a system directly to 
the 'Net to see, again, the endless attacks, port scans, and so on.

Here are the rules:

# Generated by ip6tables-save v1.4.14 on Fri Jan  3 20:55:13 2014
*filter
:INPUT DROP [65:5200]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [64250:5861897]
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p ipv6-icmp -j ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -m state --state INVALID -j DROP
- -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -m limit --limit 3/min --limit-burst 10 -j 
LOG --log-prefix "[INPUT6]: "
COMMIT
# Completed on Fri Jan  3 20:55:13 2014

# Generated by iptables-save v1.4.14 on Fri Jan  3 20:55:40 2014
*filter
:INPUT DROP [82:23102]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [69638:12005599]
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p ipv6-icmp -j ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -m state --state INVALID -j DROP
- -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -m limit --limit 3/min --limit-burst 10 -j 
LOG --log-prefix "[INPUT4]: "
COMMIT
# Completed on Fri Jan  3 20:55:40 2014




- -- 
You may my glories and my state dispose,
But not my griefs; still am I king of those.
 --- William Shakespeare, "Richard II"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iF4EAREIAAYFAlLHaogACgkQtk9X6NaR4am0vwEAqhTBIK8FYq5p8RWNIqFnbcas
koxcgR9q/9X7Qt2BaoMBAMJrqrFK49PhVWeFc2694luEGRjGUQug3U987IPu+yYj
=SQap
-----END PGP SIGNATURE-----

More information about the gnhlug-discuss mailing list