Help with iptables logging

Help with iptables logging

Post by Warren Bel » Mon, 18 Jun 2001 08:47:23



I've been searching the net and reading the man pages for an easy way
to log all DROPed packets in iptables.  I found a bunch of articles that
say to create a logging target that combines a LOG and DROP then jump to
that target.  I used:

iptables -N LOGDROP
iptables -A LOGDROP -j LOG  --log-level info
iptables -A LOGDROP -j DROP

Then on each chain I want to log and drop I use:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $NFS_PORT -j LOGDROP

But I started up my machine with this system and I get this error in my
logs:

Jun 16 16:15:21 serengeti firewall: Couldn't load target
`LOGDROP':/lib/iptables/libipt_LOGDROP.so: cannot open shared object
file: No such file or directory
Jun 16 16:15:21 serengeti firewall:
Jun 16 16:15:21 serengeti firewall: Try `iptables -h' or 'iptables
--help' for more information.

Any ideas what I'm doing wrong?

 
 
 

Help with iptables logging

Post by Mike Troutman » Mon, 18 Jun 2001 09:24:49



> Jun 16 16:15:21 serengeti firewall: Couldn't load target
> `LOGDROP':/lib/iptables/libipt_LOGDROP.so: cannot open shared object
> file: No such file or directory
> Jun 16 16:15:21 serengeti firewall:
> Jun 16 16:15:21 serengeti firewall: Try `iptables -h' or 'iptables
> --help' for more information.

>Any ideas what I'm doing wrong?

Your format looks fine - not sure why it would do that to you.  I'm about
to post my tables script - try that one as a test.

--
______________________________
Mike Troutman
        http://www.troutman.org
        http://www.zen-data.com

 
 
 

Help with iptables logging

Post by Warren Bel » Mon, 18 Jun 2001 10:11:25


I'm also getting the errors Unknown arg `--source-port'.  Can anyone
take a look at this and tell me what might be wrong?  I'm trying to
switch from ipchains to iptables, everything seems to be right according
to the man pages but I keep getting errors.

#!/bin/sh

#  /etc/rc.d/rc.firewall

# ----------------------------------------------------------------------------
#  Some definitions for easy maintenance.
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="ppp0"               # Internet connected interface
LOOPBACK_INTERFACE="lo"                 # or your local naming convention
LOCAL_INTERFACE_1="eth0"                # internal LAN interface
LOCALNET_1="192.168.0.0/24"             # whatever private range you use

IPADDR="0/0"                            # your IP address
ANYWHERE="0/0"                          # match any IP address

LOOPBACK="127.0.0.0/8"                  # reserved loopback address range
CLASS_A="10.0.0.0/8"                    # class A private networks
CLASS_B="172.16.0.0/12"                 # class B private networks
CLASS_C="192.168.0.0/16"                # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"         # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"      # class E reserved addresses
BROADCAST_SRC="0.0.0.0"                 # broadcast source address
BROADCAST_DEST="255.255.255.255"        # broadcast destination address
PRIVPORTS="0:1023"                      # well known, privileged port range
UNPRIVPORTS="1024:65535"                # unprivileged port range

# ----------------------------------------------------------------------------

NFS_PORT="2049"                         # (TCP/UDP) NFS
SOCKS_PORT="1080"                       # (TCP) Socks

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063"               # (TCP) X windows

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535"            # port range for local clients
SSH_REMOTE_PORTS="513:65535"            # port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Set up logging with a homemade chain

    iptables -N L_DROP
    iptables -A L_DROP -j LOG --log-level info
    iptables -A L_DROP -j DROP

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    iptables -F
    iptables -F -t nat

    # Remove any existing user-defined chains.
    iptables -X

    # Set the default policy of the filter to deny.
    iptables -P INPUT  L_DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD L_DROP

# ----------------------------------------------------------------------------

    # Enable IP Forwarding, if it isn't already
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Enable TCP SYN Cookie Protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Enable always defragging Protection
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag

    # Enable broadcast echo  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Enable bad error message  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done

    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done

    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
    done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done

    # These modules are necessary to masquerade their respective services.
    /sbin/insmod ip_nat_ftp
    /sbin/insmod ip_conntrack_ftp

# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.

    iptables -A INPUT  -i $LOOPBACK_INTERFACE  -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE  -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

    # All internal machines have access to the firewall machine.

    iptables -A INPUT  -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT

# ----------------------------------------------------------------------------
# Masquerade internal traffic.

    # All internal traffic is masqueraded externally.
    # WARNING:
    #     The iptables functionality is under development.
    #     No filters are applied.  Just masquerading.

    iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE

# ----------------------------------------------------------------------------
# Network Ghouls

    # Deny access to jerks
    # --------------------
    # /etc/rc.d/rc.firewall.blocked contains a list of
    # iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j L_DROP
    # rules to block from any access.

    # Refuse any connection from problem sites
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
        . /etc/rc.d/rc.firewall.blocked
    fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

    # Refuse incoming packets pretending to be from the external address.
    #iptables -A INPUT -s $IPADDR -j L_DROP

    # Refuse incoming packets claiming to be from a Class A, B or C private network
    iptables -A INPUT -s $CLASS_A -j L_DROP
    iptables -A INPUT -s $CLASS_B -j L_DROP
    iptables -A INPUT -s $CLASS_C -j L_DROP

    # Refuse broadcast address SOURCE packets
    iptables -A INPUT -s $BROADCAST_DEST -j L_DROP
    iptables -A INPUT -d $BROADCAST_SRC -j L_DROP

    # Refuse Class D multicast addresses
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    iptables -A INPUT -s $CLASS_D_MULTICAST -j L_DROP

    # Refuse Class E reserved IP  addresses
    iptables -A INPUT -s $CLASS_E_RESERVED_NET -j L_DROP

    # Refuse special addresses defined as reserved by the IANA.
    # Note:  The remaining reserved addresses are not included.
    # Filtering them causes problems as reserved blocks are
    # being allocated more often now.

    # Note:  this list includes the loopback, multicast, & reserved addresses.

    # 0.*.*.*           - Can't be blocked for DHCP users.
    # 127.*.*.*         - LoopBack
    # 169.254.*.*       - Link Local Networks
    # 192.0.2.*         - TEST-NET
    # 224-255.*.*.*     - Classes D & E, plus unallocated.

    iptables -A INPUT -s 127.0.0.0/8 -j L_DROP
    iptables -A INPUT -s 169.254.0.0/16 -j L_DROP
    iptables -A INPUT -s 192.0.2.0/24 -j L_DROP
    iptables -A INPUT -s 224.0.0.0/3 -j L_DROP

# ----------------------------------------------------------------------------
# NOTE:
#      The symbolic names used in /etc/services for the port numbers vary by
#      supplier.  Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    # NFS: establishing a TCP connection
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
             --destination-port $NFS_PORT -j L_DROP

    # Xwindows: establishing a connection
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
             --destination-port $XWINDOW_PORTS -j L_DROP

    # SOCKS: establishing a connection
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
             --destination-port $SOCKS_PORT -j L_DROP

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $NFS_PORT -j L_DROP

    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp  \
             --source-port $TRACEROUTE_SRC_PORTS \
             --destination-port $TRACEROUTE_DEST_PORTS -j L_DROP

# -----------------------------------------------------------------------------
# ALLOW REQUESTS FOR CERTAIN SERVICES
# -----------------------------------------------------------------------------

    # FTP (21)
    # ---------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             --source-port 21 \
             --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             --source-port 20 \
             --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             --source-port 20 \
             --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             --source-port $UNPRIVPORTS \
             --destination-port $UNPRIVPORTS -j ACCEPT

    # TELNET (23)
    # ------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             --source-port 23 \
...


 
 
 

Help with iptables logging

Post by Luke Voge » Mon, 18 Jun 2001 11:15:30



> I've been searching the net and reading the man pages for an easy way
> to log all DROPed packets in iptables.  I found a bunch of articles that
> say to create a logging target that combines a LOG and DROP then jump to
> that target.  I used:

> iptables -N LOGDROP
> iptables -A LOGDROP -j LOG  --log-level info
> iptables -A LOGDROP -j DROP

> Then on each chain I want to log and drop I use:

> iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp  \
>              --destination-port $NFS_PORT -j LOGDROP

> But I started up my machine with this system and I get this error in my
> logs:

> Jun 16 16:15:21 serengeti firewall: Couldn't load target
> `LOGDROP':/lib/iptables/libipt_LOGDROP.so: cannot open shared object
> file: No such file or directory
> Jun 16 16:15:21 serengeti firewall:
> Jun 16 16:15:21 serengeti firewall: Try `iptables -h' or 'iptables
> --help' for more information.

> Any ideas what I'm doing wrong?

I'm still learning iptables myself, but a good practice is always to
flush (-F) your chains before you use them.
So my rules would look like:
iptables -N LOGDROP
iptables -F LOGDROP
iptables -A LOGDROP -j LOG  --log-level info
iptables -A LOGDROP -j DROP

> Then on each chain I want to log and drop I use:

> iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp  \
>              --destination-port $NFS_PORT -j LOGDROP

You might also try changing the target name to LOG_DROP or something
completely different just in case iptables has a bug. (From the error
message, it appears that it is trying to find a module that may be in
development and hasn't been released yet = bug)

--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
PLEASE NOTE: Spamgard (tm) installed.

------

 
 
 

Help with iptables logging

Post by Luke Voge » Mon, 18 Jun 2001 11:25:53



> I'm also getting the errors Unknown arg `--source-port'.  Can anyone
> take a look at this and tell me what might be wrong?  I'm trying to
> switch from ipchains to iptables, everything seems to be right according
> to the man pages but I keep getting errors.

Can I suggest that you put a whole stack of:

echo -n "Adding <service_name> rules ... "
...
...
echo "Done."

 ... around your groups of rules.  This is an old debugging technique
that allows you to identify exactly what part of your script is causing
the syntax error reports and will help you to narrow down the offending
rules.

Also, make sure your rules are either in one line or properly delimited
with a \ at the end of a line otherwise you will end up with errors. (It
is difficult to tell from your post if this is the case because of word
wrap, but it is worthwhile double checking.)

Have you had a windows box anywhere near your script? Caused me heaps of
trouble when I edited the script and ended up with all sorts of
unexplainable errors in what looked like a perfectly good script.
--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
PLEASE NOTE: Spamgard (tm) installed.

------

 
 
 

Help with iptables logging

Post by Warren Bel » Mon, 18 Jun 2001 11:37:00



> You might also try changing the target name to LOG_DROP or something
> completely different just in case iptables has a bug. (From the error
> message, it appears that it is trying to find a module that may be in
> development and hasn't been released yet = bug)

I thought of that too.  First I tried LDROP, then LOG_DROP and
log_drop.  They all give the same error that they're trying to load a
module.
 
 
 

Help with iptables logging

Post by Warren Bel » Mon, 18 Jun 2001 12:01:43




> > I'm also getting the errors Unknown arg `--source-port'.  Can anyone
> > take a look at this and tell me what might be wrong?  I'm trying to
> > switch from ipchains to iptables, everything seems to be right according
> > to the man pages but I keep getting errors.

> Can I suggest that you put a whole stack of:

> echo -n "Adding <service_name> rules ... "
> ...
> ...
> echo "Done."

>  ... around your groups of rules.  This is an old debugging technique
> that allows you to identify exactly what part of your script is causing
> the syntax error reports and will help you to narrow down the offending
> rules.

Excellent idea.  And I was editing it from my windows machine and FTP'd
it to my server.  I did upload and download it in ASCII.  I've also done the
same thing to my ipchains script without any problems.

Here's the script now:
http://www.belletc.net/test/rc.firewall.iptables.txt

I'm going to try editing it in Linux and put everything on its own line
and add the echos. I also changed the --source-port to --sport.  If you
can see anything wrong let me know.


> Also, make sure your rules are either in one line or properly delimited
> with a \ at the end of a line otherwise you will end up with errors. (It
> is difficult to tell from your post if this is the case because of word
> wrap, but it is worthwhile double checking.)

> Have you had a windows box anywhere near your script? Caused me heaps of
> trouble when I edited the script and ended up with all sorts of
> unexplainable errors in what looked like a perfectly good script.
> --
> Regards
> Luke
> ------
> Q:  What does FAQ stand for?
> A:  We are Frequently Asked this Question, and we have no idea.
> ------
> PLEASE NOTE: Spamgard (tm) installed.

> ------

 
 
 

Help with iptables logging

Post by Mike Troutman » Mon, 18 Jun 2001 12:39:14



> Here's the script now:
> http://www.belletc.net/test/rc.firewall.iptables.txt

The value in iptables lies in the fact that you don't need wide open ports
and specific rules.  You don't have to block a port, just dump everything
and allow what you like.  Log the blocked packets.

For example...in your script:

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             -s $ANYWHERE --sport 21 \
             --dport $UNPRIVPORTS -j ACCEPT

You are allowing any fin/ack packets from source 21 to your high range tcp.  
This is unnecessary under tables.  Just allow incoming to 21 and run it
through a state filter.  As is, I could port scan your high range using a
fin scan and go undetected.

--
______________________________
Mike Troutman
        http://www.troutman.org
        http://www.zen-data.com

 
 
 

Help with iptables logging

Post by Bryan Packe » Mon, 18 Jun 2001 12:57:46



> Can I suggest that you put a whole stack of:

> echo -n "Adding <service_name> rules ... "
> ...
> ...
> echo "Done."

>  ... around your groups of rules.  This is an old debugging technique
> that allows you to identify exactly what part of your script is causing
> the syntax error reports and will help you to narrow down the offending
> rules.

Another method of doing that is just to execute the script using
sh -x  <scriptname>
This will show you every step as it executes, along with the variable
expansions etc. A very handy tool for debugging.

> Have you had a windows box anywhere near your script? Caused me heaps of
> trouble when I edited the script and ended up with all sorts of
> unexplainable errors in what looked like a perfectly good script.

Good suggestion. Vi is your friend...

bryan

--

Stupidity got us into this mess -- why can't it get us out?

 
 
 

Help with iptables logging

Post by Warren Bel » Mon, 18 Jun 2001 13:08:20


> http://www.belletc.net/test/rc.firewall.iptables.txt

I put everything on one line and changed a few things but am still getting
the errors:

Jun 16 19:23:43 serengeti firewall: iptables v1.2.2: Couldn't load target
`log_drop':/lib/iptables/libipt_log_drop.so: cannot open shared object
file: No such file or directory

Anyone have any ideas?
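The "Couldn't load target" line is what iptables prints when the name after -j is neither a target extension nor an existing chain: the posted script creates L_DROP and then runs `iptables -X`, which deletes every user-defined chain before the rules that jump to it are added, and `-P` only accepts built-in targets (ACCEPT/DROP), never a user chain. The script below is an added example, not the thread's own, that keeps those steps in a working order and replaces the `! --syn --sport 21` style acceptance Mike objects to with a state match; DRY_RUN and the ipt wrapper are assumed helpers that print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the thread's script.  Order matters: flush and delete
# chains FIRST, then create L_DROP, then add the rules that jump to it.  The
# posted script runs "iptables -X" after "-N L_DROP", so the chain is gone
# when "-j L_DROP" is used and iptables looks for a target extension named
# libipt_L_DROP.so, which is the error quoted in the thread.
# DRY_RUN=1 (default here) prints each command instead of running it, so
# the ruleset can be reviewed without root; DRY_RUN=0 applies it.

DRY_RUN=${DRY_RUN:-1}
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-ppp0}
LOCAL_INTERFACE_1=${LOCAL_INTERFACE_1:-eth0}
LOCALNET_1=${LOCALNET_1:-192.168.0.0/24}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    ipt -F
    ipt -F -t nat
    ipt -X

    # A policy must be a built-in target (ACCEPT/DROP); "-P INPUT L_DROP"
    # is rejected.  The catch-all rules at the end do the logging instead.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Log-and-drop chain.  LOG is non-terminating: the packet continues to
    # the next rule, so the DROP that follows is what ends it.  The prefix
    # tags the lines in the kernel log; the limit stops a flood filling it.
    ipt -N L_DROP
    ipt -A L_DROP -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-level info --log-prefix "L_DROP: "
    ipt -A L_DROP -j DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LOCAL_INTERFACE_1" -s "$LOCALNET_1" -j ACCEPT

    # State match instead of "! --syn --sport 21 --dport $UNPRIVPORTS":
    # replies to connections this host opened are accepted by conntrack,
    # so an unsolicited FIN to a high port matches nothing here and falls
    # through to the catch-all, where it is logged rather than accepted.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j L_DROP

    # Services actually offered to the outside, e.g. FTP control on 21.
    ipt -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp --syn --dport 21 -j ACCEPT

    # Catch-all: anything not accepted above is logged, then dropped.
    ipt -A INPUT -j L_DROP
    ipt -A FORWARD -j L_DROP
}

# Review helpers: how many rules mention L_DROP, and whether any -P does.
count_ldrop_refs() { build_ruleset | grep -c 'L_DROP'; }
policy_uses_user_chain() { build_ruleset | grep -q -- '^iptables -P .*L_DROP'; }

build_ruleset
```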

 
 
 

Need iptables LOG help

Hi All,

   I am trying to convert this ipchain to iptables:

       # Reject TCP SYN Packets and log them
       ipchains -A input -j DENY -i eth1 -s $ANY_IP -p tcp -y  -l

   Question 1:  can I no longer LOG (-l) and DROP (DENY) on
the same line?  I came up with the following conversion:

       iptables -A INPUT -j LOG  -i eth1 -s $ANY_IP -p tcp --syn
       iptables -A INPUT -j DROP -i eth1 -s $ANY_IP -p tcp --syn

   But it just doesn't feel right.  Seems like the first line
may be doing a de facto ACCEPT.

   Question 2:  "-l" went to /var/log/messages.  Where the heck
is "LOG" being sent?

Many thanks,
--Tony

p.s. if replying, please send to both the newsgroup and my
eMail address (nntp problems) --Thanks

--
-------------------------
I Fish.  Therefore, I am.
-------------------------
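On Tony's second question: the LOG target writes through the kernel's printk, so its lines land in the kernel log, which klogd/syslogd deliver to the kern facility, normally /var/log/messages on the distributions of the day (dmesg shows the recent ones). The script below is an added example, not from the thread: it pulls the drop lines out of constructed sample syslog text in the kernel 2.4 / iptables 1.2 LOG format, assuming the log-and-drop chain uses --log-prefix "L_DROP: ", and summarizes them by source and TCP flags.

```shell
#!/bin/sh
# Added example, not from the thread.  The LOG target writes through printk,
# so its lines land in the kernel log; klogd/syslogd deliver them to the
# "kern" facility, normally /var/log/messages on the distributions of the
# day (dmesg shows the recent ones).  The lines below are CONSTRUCTED
# samples in the kernel 2.4 / iptables 1.2 LOG format, assuming the chain
# logs with --log-prefix "L_DROP: ".  Addresses are documentation ranges.

sample_log() {
    cat <<'EOF'
Jun 16 19:23:43 serengeti kernel: L_DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=40112 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 16 19:23:44 serengeti kernel: L_DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4243 PROTO=TCP SPT=40113 DPT=6000 WINDOW=1024 RES=0x00 FIN URGP=0
Jun 16 19:23:50 serengeti kernel: L_DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=991 PROTO=UDP SPT=32800 DPT=2049 LEN=28
Jun 16 19:23:51 serengeti sshd[812]: Accepted password for warren from 192.168.0.10
Jun 16 19:24:02 serengeti kernel: L_DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4250 PROTO=TCP SPT=40114 DPT=2049 WINDOW=1024 RES=0x00 FIN URGP=0
EOF
}

# One line per drop: "SRC PROTO DPT FLAGS".  Only lines carrying the prefix
# are firewall drops; everything else in the log (the sshd line) is skipped.
drops() {
    grep 'kernel: L_DROP: ' | awk '{
        src = ""; proto = ""; dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i == "SYN" || $i == "ACK" || $i == "FIN" || $i == "RST") flags = flags $i
        }
        print src, proto, dpt, (flags == "" ? "-" : flags)
    }'
}

# Drops per source address, busiest first.
top_sources() {
    drops | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# TCP segments with FIN set and no SYN/ACK: a FIN scan against closed ports
# looks like this once the catch-all logs it (the thread's "! --syn" ACCEPT
# rules would have let these through unlogged).
fin_probes() {
    drops | awk '$2 == "TCP" && $4 == "FIN"' | wc -l | tr -d ' '
}

sample_log | top_sources
sample_log | fin_probes
```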
