Hello William, thanks for the reply!

ipset would be nice, but it doesn't solve the logging issue.

I have about 30 rules like the ones below that need to be logged and dropped if 
matched with iptables. (Both in INPUT and FORWARD)

-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-s 169.254.0.0/16 -j DROP
-s 172.16.0.0/12 -j DROP
-s 192.0.2.0/24 -j DROP

As I understand it there are two ways to log and drop packets that matched a 
specific rule in iptables.

1.) Separate LOG and DROP rules, for each IP, but this is inefficient.

-A INPUT -j Block
-A FORWARD -j Block

-A Block -s 169.254.0.0/16 -j LOG
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j LOG
-A Block -s 172.16.0.0/12 -j DROP

2.) The only other way is to create separate chains for bad IPs and for LOG/DROP, then 
jump between them. But Dan Ritter says this is problematic, because bad IPs are 
not dropped in the Block chain, but only after jumping to the Logger chain.

-N Block
-N Logger
-A INPUT -j Block
-A FORWARD -j Block

-A Block -s 169.254.0.0/16 -j Logger
-A Block -s 172.16.0.0/12 -j Logger
-A Block -s 192.0.2.0/24 -j Logger

-A Logger -j LOG
-A Logger -j DROP

I have been searching for 48h, but there is no other way to log and drop 
packets.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, January 7th, 2022 at 6:20 AM, Willian Pires 
<willian_pi...@hotmail.com> wrote:

> Sorry, try ipset to create a list and combine it with an appropriate netfilter 
> rule to block networks in one rule, instead of 1 rule per class.
>
> Sent from my Galaxy
>
> -------- Original message --------
> From: linux_forum1 <linux_for...@protonmail.com>
> Date: 1/6/22 17:11 (GMT-03:00)
> To: Dan Ritter <d...@randomstring.org>
> Cc: debian-firewall@lists.debian.org
> Subject: Re: Is this even POSSIBLE?
>
> Hello Dan!
>
> Thank you so much for the reply!
>
> Yes that helps a lot, but I have 2 follow-up questions if you don't mind haha.
>
> 1.) When you say " -A INPUT -j Block puts the chain in order", you mean that 
> at this point iptables will look for any rules appended to the Block chain, 
> no matter where they are? This would make sense because then the order wouldn't 
> matter and you can jump to a chain in the beginning, whose rules are defined 
> at the bottom for example.
>
> 2.) I want to log when one of these rules gets matched.
> (It's 30 - 40 rules in total)
>
> -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A Block -s 169.254.0.0/16 -j DROP
> -A Block -s 172.16.0.0/12 -j DROP
> -A Block -s 192.0.2.0/24 -j DROP
> .
> .
>
> This is my solution:
>
> -A INPUT -j Block
> -A FORWARD -j Block
>
> -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Logger
> -A Block -s 169.254.0.0/16 -j Logger
> -A Block -s 172.16.0.0/12 -j Logger
> -A Block -s 192.0.2.0/24 -j Logger
>
> Then in Logger it gets logged and dropped.
>
> I considered this, but was told the above is better.
>
> -A INPUT -j Block
> -A FORWARD -j Block
>
> -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG
> -A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A Block -s 169.254.0.0/16 -j LOG
> -A Block -s 169.254.0.0/16 -j DROP
> -A Block -s 172.16.0.0/12 -j LOG
> -A Block -s 172.16.0.0/12 -j DROP
> .
> .
>
> Is there a better way? Thanks again.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Thursday, January 6th, 2022 at 7:26 PM, Dan Ritter <d...@randomstring.org> 
> wrote:
>
>> linux_forum1 wrote:
>>
>> > Hello, I have 2 questions if that's OK.
>> >
>> > INPUT DROP
>> > FORWARD DROP
>> > OUTPUT DROP
>> >
>> > -N Block
>> > -N Logger
>> >
>> > -A INPUT -j Block
>> >
>> > -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
>> >
>> > -A Logger -j LOG --log-level 4
>> > -A Logger -j DROP
>> >
>> > -A INPUT -i lo -j ACCEPT
>> > -A OUTPUT -o lo -j ACCEPT
>> >
>> > There will be more rules in Block, but I just want to understand the logic.
>> >
>> > 1.) How is -A INPUT -j Block possible before there are any rules appended 
>> > to Block, does that mean iptables first searches and assembles all rules 
>> > that belong to custom chains regardless of order? Same for Logger.
>>
>> Everything has an order. You can turn on line numbers and see
>> the order.
>>
>> Creating a chain (Block, Logger) does not put it into order.
>> The jump (-j) to Block, from INPUT, places the chain in order.
>>
>> I note that you don't have a rule in Block to actually drop
>> packets, and you do have a rule in Logger that drops packets.
>> That seems... problematic to me.
>>
>> > 2.)
>> > Would this be OK to log and drop all rules in Block?
>> >
>> > I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG 
>> > -> Logger -> DROP
>>
>> In general, you can jump as many times as you like as long as
>> you don't go in a circle. Note that -j LOG continues processing
>> on the next rule in order, unlike ACCEPT, DROP and REJECT. If a chain
>> ends without ACCEPT, DROP or REJECT happening, then when it ends
>> execution picks up at the next statement in order following the
>> jump to that chain.
>>
>> Does that help?
>>
>> -dsr-

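The chain semantics Dan describes (LOG is non-terminating, DROP inside a user chain is final, a chain that ends without a verdict falls through to the rule after the jump) can be checked with a small simulator of iptables traversal over the Block/Logger ruleset from this thread. This is an added example, not code from the list or from netfilter: packets are constructed dicts, matching is reduced to `-s` CIDR and `--tcp-flags`, and the `ACCEPT` rule for 10.0.0.0/8 in INPUT is an assumed rule placed after the jump so the fall-through case is visible.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                      # LOG, DROP, ACCEPT or a user-defined chain
    src: str | None = None           # -s CIDR
    tcp_flags: tuple | None = None   # (mask, compare) as in --tcp-flags SYN,RST SYN,RST

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if rule.tcp_flags:
        mask, want = rule.tcp_flags
        if pkt.get("proto") != "tcp" or (pkt.get("flags", set()) & mask) != want:
            return False
    return True

def traverse(chains: dict, chain: str, pkt: dict, log: list) -> str | None:
    """Walk one chain in rule order; return a verdict, or None if the chain
    ends without one (control then returns to the rule after the jump)."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            log.append(f"{chain}: {pkt['src']}")  # LOG is non-terminating: keep going
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target                    # terminating: traversal stops here
        verdict = traverse(chains, rule.target, pkt, log)  # -j <user chain>
        if verdict is not None:
            return verdict                        # a DROP inside Logger is final
    return None

def filter_packet(chains: dict, policy: str, pkt: dict) -> tuple[str, list]:
    log: list = []
    verdict = traverse(chains, "INPUT", pkt, log)
    return verdict or policy, log                 # no verdict: chain policy applies

# Ruleset from the thread; the order chains are defined in does not matter, only the jumps.
CHAINS = {
    "INPUT": [Rule("Block"), Rule("ACCEPT", src="10.0.0.0/8")],   # ACCEPT rule is assumed
    "Block": [Rule("Logger", tcp_flags=({"SYN", "RST"}, {"SYN", "RST"})),
              Rule("Logger", src="169.254.0.0/16"),
              Rule("Logger", src="172.16.0.0/12"),
              Rule("Logger", src="192.0.2.0/24")],
    "Logger": [Rule("LOG"), Rule("DROP")],
}

if __name__ == "__main__":
    # Constructed packets: one from a blocked network, one clean one that falls through Block.
    print(filter_packet(CHAINS, "DROP", {"src": "192.0.2.5", "proto": "tcp", "flags": {"SYN"}}))
    print(filter_packet(CHAINS, "DROP", {"src": "10.1.2.3", "proto": "tcp", "flags": {"SYN"}}))
```

A packet matched in Block is logged once and dropped inside Logger without ever returning to Block, while an unmatched packet leaves Block with no verdict and continues at the INPUT rule after `-j Block`.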