Logging using IP Tables

Issues related to configuring your network
jjrowan
Posts: 132
Joined: 2005/09/10 13:07:15

Logging using IP Tables

Post by jjrowan » 2019/03/08 16:52:23

I have some IP addresses that are trying to hack into my server.
I entered their IP netblock /16 to try to block all access, but they're still showing up in /var/log/httpd/access_log and error_log.
I tried adding a line above the -j REJECT line with -j LOG, but it isn't logging attempts.
I used my public IP address as a test, restarted iptables, then accessed the web application on the server; it wasn't logged.

-A RH-Firewall-1-INPUT -p tcp -m tcp -s x.x.x.x --dport 80 -m state --state NEW -j LOG --log-level 1 --log-prefix "New Connection "

I also put

-A RH-Firewall-1-INPUT -p tcp -m tcp -s x.x.x.x --dport 80 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable

But I'm able to access the web site.

I ran iptables -L -n and it shows the rules are in effect:

LOG tcp -- x.x.x.x 0.0.0.0/0 tcp dpt:80 state NEW LOG flags 0 level 1 prefix `New Connection '
REJECT tcp -- x.x.x.x 0.0.0.0/0 tcp dpt:80 state NEW reject-with icmp-port-unreachable

From /var/log/httpd/access_log:
x.x.x.x - - [08/Mar/2019:11:43:36 -0500] "GET / HTTP/1.1" 200 706 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
Suggestions?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Logging using IP Tables

Post by TrevorH » 2019/03/08 20:54:22

Post the output from the command iptables-save run as root.

The RH-Firewall-1-INPUT chain hasn't been used since CentOS 5 so I suspect you're following ancient documentation.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jjrowan
Posts: 132
Joined: 2005/09/10 13:07:15

Re: Logging using IP Tables

Post by jjrowan » 2019/03/08 22:00:03

iptables-save results:

# Generated by iptables-save v1.3.5 on Fri Mar 8 16:15:02 2019
*nat
:PREROUTING ACCEPT [27659:1970633]
:POSTROUTING ACCEPT [816:67218]
:OUTPUT ACCEPT [816:67218]
COMMIT
# Completed on Fri Mar 8 16:15:02 2019
# Generated by iptables-save v1.3.5 on Fri Mar 8 16:15:02 2019
*mangle
:PREROUTING ACCEPT [156545:56499085]
:INPUT ACCEPT [156202:56442353]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [89790:37130623]
:POSTROUTING ACCEPT [89834:37141205]
COMMIT
# Completed on Fri Mar 8 16:15:02 2019
# Generated by iptables-save v1.3.5 on Fri Mar 8 16:15:02 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [89796:37137815]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j approved_for_ssh
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9100 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.21 -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -s 108.58.190.132 -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.6.0/255.255.255.0 -p tcp -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 33333 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 33333 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 30001 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 30001 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5903 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.6.4 -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 5.188.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 46.161.27.51 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 47.105.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 50.192.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 66.240.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 66.248.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 78.194.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 80.76.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 84.37.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 89.79.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 92.53.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 92.245.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 106.12.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 115.159.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 116.196.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 122.155.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 119.237.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 123.206.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 123.207.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 125.26.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 131.0.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 133.130.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 141.98.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 148.70.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 163.172.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 176.32.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 182.88.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 190.181.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 194.63.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 77.72.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 46.29.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 106.75.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 171.13.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 77.72.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 185.92.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 185.153.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -m state --state NEW -j LOG --log-prefix "New Connection " --log-level 1
-A RH-Firewall-1-INPUT -s 174.192.31.81 -p tcp -m tcp --dport 5903 -m state --state NEW -j LOG --log-prefix "New Connection " --log-level 1
-A RH-Firewall-1-INPUT -s 174.192.31.81 -p tcp -m tcp --dport 80 -m state --state NEW -j LOG --log-prefix "New Connection " --log-level 1
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j LOG --log-prefix "New Connection " --log-level 1
-A RH-Firewall-1-INPUT -s 174.192.31.81 -p tcp -m tcp --dport 80 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 185.153.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 185.156.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 185.222.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 185.254.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 211.76.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 227.120.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 202.29.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 203.113.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 206.114.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 207.75.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 156.233.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 192.162.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -s 66.240.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Mar 8 16:15:02 2019

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Logging using IP Tables

Post by TrevorH » 2019/03/09 03:01:56

At least 2 reasons there:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Anything destined for ports 80 & 443 has already been accepted by these two rules at this point. If you want to reject from specific subnets then you'll have to insert a rule before those two to drop or reject the traffic before it reaches those lines and is accepted.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Anything that comes after that catch-all rule is ignored so everything that follows it in your list is never seen.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Logging using IP Tables

Post by jlehtone » 2019/03/10 12:42:01


iptables --lin -vnL
Should show useful info.

The 'v' adds statistics; how many packets have matched the rule. You should see that nothing after the catch-all rule ever gets a packet.

The '--lin' shows the line number of each rule. You need that info if you want to insert something right before an existing rule.
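The two points made above, that a chain is walked first-match so anything after the port-80 ACCEPT (or after the catch-all REJECT) is never reached, and that `-I CHAIN <n>` with the number from `--line-numbers` puts a rule ahead of those lines, can be checked offline. The following is an added example, not code from this thread or from the CentOS project: a small Python model of iptables first-match traversal over a constructed six-rule subset of the saved chain (the 185.153.0.0/16 block and the port numbers are from the post; the packets are constructed). It only understands the `-s`, `-p`, `--dport`, `--state` and `-j` parts of an iptables-save line, treats LOG as non-terminating the way the kernel does, and keeps a per-rule packet counter like the pkts column of `iptables -v`.

```python
import ipaddress
import shlex

# Constructed subset of the chain posted in the thread, in the order it was saved:
# RELATED/ESTABLISHED accept, the 443/80 accepts, the catch-all REJECT, and then the
# 185.153.0.0/16 LOG + REJECT rules that were appended after it.
ORIGINAL_CHAIN = [
    '-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
    '-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT',
    '-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT',
    '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited',
    '-A RH-Firewall-1-INPUT -s 185.153.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -m state --state NEW '
    '-j LOG --log-prefix "New Connection " --log-level 1',
    '-A RH-Firewall-1-INPUT -s 185.153.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp '
    '-j REJECT --reject-with icmp-port-unreachable',
]


def parse_rule(line):
    """Parse the subset of iptables-save syntax used above; other options are ignored."""
    toks = shlex.split(line)
    rule = {"src": None, "proto": None, "dport": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":            # ip_network accepts the a.b.c.d/255.255.0.0 netmask form
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(","))
        elif t == "-j":
            rule["target"] = toks[i + 1]
        else:                    # -A chain, -m tcp, --reject-with, --log-prefix ...: skip
            i += 1
            continue
        i += 2
    return rule


def matches(rule, pkt):
    """Every match clause present on the rule must hold for the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def walk_chain(rules, pkt, counters=None, policy="ACCEPT"):
    """First-match traversal; LOG fires and continues, any other target ends the walk.
    Rule numbers are 1-based, as printed by `iptables --line-numbers`."""
    logged = []
    for n, rule in enumerate(rules, start=1):
        if not matches(rule, pkt):
            continue
        if counters is not None:
            counters[n] = counters.get(n, 0) + 1   # the pkts column of `iptables -v`
        if rule["target"] == "LOG":
            logged.append(n)
            continue
        return {"verdict": rule["target"], "rule": n, "logged": logged}
    return {"verdict": policy, "rule": None, "logged": logged}


def insert_rule(rules, rule_number, new_rule):
    """Model of `iptables -I CHAIN <rule_number> ...`: new rule lands at that position."""
    return rules[:rule_number - 1] + [new_rule] + rules[rule_number - 1:]


def tail_never_hit():
    """Run a few constructed packets through the saved order and return the counters."""
    rules = [parse_rule(r) for r in ORIGINAL_CHAIN]
    counters = {}
    for pkt in ({"src": "185.153.4.4", "proto": "tcp", "dport": 80, "state": "NEW"},
                {"src": "185.153.4.4", "proto": "tcp", "dport": 22, "state": "NEW"},
                {"src": "203.0.113.10", "proto": "tcp", "dport": 80, "state": "ESTABLISHED"}):
        walk_chain(rules, pkt, counters)
    return counters            # rules 5 and 6 never appear: nothing reaches them


def demo():
    """Same blocked-subnet packet before and after moving its rules ahead of the accepts."""
    original = [parse_rule(r) for r in ORIGINAL_CHAIN]
    attacker = {"src": "185.153.4.4", "proto": "tcp", "dport": 80, "state": "NEW"}
    before = walk_chain(original, attacker)
    fixed = original[:4]                       # drop the unreachable tail ...
    fixed = insert_rule(fixed, 2, original[5])  # ... re-add REJECT at line 2 ...
    fixed = insert_rule(fixed, 2, original[4])  # ... then LOG at line 2, ahead of it
    after = walk_chain(fixed, attacker)
    legit = walk_chain(fixed, {"src": "203.0.113.10", "proto": "tcp", "dport": 80, "state": "NEW"})
    return before, after, legit


if __name__ == "__main__":
    print(tail_never_hit())
    print(demo())
```

In the saved order the 185.153.0.0/16 connection is accepted by rule 3 without touching the LOG rule, which is exactly why the requests still appear in access_log. After inserting the LOG and REJECT rules at line 2 the same packet is logged by rule 2 and rejected by rule 3, while a client outside the blocked range still reaches the port-80 ACCEPT. The counter dict mirrors what `iptables --lin -vnL` would show: the rules after the catch-all never receive a packet.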
