Ticket #709 (closed Feature Request: fixed)

Opened 8 years ago

Last modified 3 years ago

Add the possibility to log iptables rules

Reported by: jean-philippe.menil@… Owned by:
Priority: normal Milestone: Gateway 1.1.5
Component: Gateway Version: Gateway SVN
Keywords: iptables log Cc:

Description

It can be useful to log some traffic that matches some specific iptables rules. The following is a simple patch to add a log rule to the FirewallRule.

diff -Naur wifidog/src/conf.c wifidog.2/src/conf.c --- wifidog/src/conf.c 2010-03-01 09:50:44.755611281 +0100 +++ wifidog.2/src/conf.c 2010-03-01 09:46:22.146625521 +0100 @@ -479,7 +479,7 @@

_parse_firewall_rule(const char *ruleset, char *leftover) {

int i;

- int block_allow = 0; /**< 0 == block, 1 == allow */ + int block_allow = 0; /**< 0 == block, 1 == allow, 2 == log */

int all_nums = 1; /**< If 0, port contained non-numerics */ int finished = 0; /**< reached end of line */ char *token = NULL; /**< First word */
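Review bot: block_allow now encodes three states (0 block, 1 allow, 2 log) as bare integers, and the name no longer says what the variable holds; an enum with named values would make the `== 1` / `== 2` comparisons in fw_iptables.c self-documenting and avoid repeating the "0 == block, 1 == allow, 2 == log" legend in both conf.c and conf.h.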

@@ -506,9 +506,11 @@

block_allow = 0;

} else if (!strcasecmp(token, "allow")) {

block_allow = 1;

+ } else if (!strcasecmp(token, "log")) { + block_allow = 2;

} else {

debug(LOG_ERR, "Invalid rule type %s, expecting "

- "\"block\" or \"allow\"", token); + "\"block\",\"allow\" or \"log\"", token);

return -1;

}
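Review bot: the new error string `"\"block\",\"allow\" or \"log\""` is missing a space after the first comma. Also, the parser accepts `log` unconditionally but nothing here checks that a LOG target is usable, so a misconfiguration will only surface when the generated iptables command is executed; consider either validating at startup or documenting the module requirement next to the rule syntax.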

diff -Naur wifidog/src/conf.h wifidog.2/src/conf.h --- wifidog/src/conf.h 2010-03-01 09:50:44.759610802 +0100 +++ wifidog.2/src/conf.h 2010-03-01 09:46:48.095609891 +0100 @@ -93,7 +93,7 @@

  • Firewall rules */

typedef struct _firewall_rule_t {

- int block_allow; /**< @brief 1 = Allow rule, 0 = Block rule */ + int block_allow; /**< @brief 0 = Block rule, 1 = Allow rule, 2 = Log Rule */

char *protocol; /**< @brief tcp, udp, etc ... */ char *port; /**< @brief Port to block/allow */ char *mask; /**< @brief Mask for the rule *destination* */
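Review bot: the @brief comment for the new value reads "2 = Log Rule" but does not say that a log rule does not decide the packet's fate (it only logs, the packet continues to the next rule); since this header is where a user of the struct looks, state that here so callers do not treat it as a third terminal outcome alongside Allow and Block.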

diff -Naur wifidog/src/fw_iptables.c wifidog.2/src/fw_iptables.c --- wifidog/src/fw_iptables.c 2010-03-01 09:50:44.743610927 +0100 +++ wifidog.2/src/fw_iptables.c 2010-03-01 09:48:09.879611316 +0100 @@ -143,9 +143,10 @@

if (rule->block_allow == 1) {

mode = safe_strdup("ACCEPT");

+ } else if (rule->block_allow == 2) { + mode = safe_strdup("LOG");

} else {

- mode = safe_strdup("REJECT"); - } + mode = safe_strdup("REJECT");}

snprintf(command, sizeof(command), "-t %s -A %s ",table, chain); if (rule->mask != NULL) {
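Review bot: the REJECT branch is rewritten as `mode = safe_strdup("REJECT");}` with the closing brace pulled onto the statement line; that is an unrelated whitespace change and should stay as the original two lines. Functionally, `mode` holds the target name (ACCEPT, REJECT and now LOG), so a log rule yields a bare LOG target with no `--log-prefix`; without a prefix the kernel messages cannot be told apart from any other LOG rule on the host, so consider appending e.g. `--log-prefix "wifidog: "` when block_allow == 2. LOG is also non-terminating, which is why the config example puts the log rule before the allow/block rule; that ordering dependence deserves a comment here.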

diff -Naur wifidog/wifidog.conf wifidog.2/wifidog.conf --- wifidog/wifidog.conf 2010-03-01 09:50:44.963610868 +0100 +++ wifidog.2/wifidog.conf 2010-03-01 09:56:58.559610257 +0100 @@ -184,11 +184,20 @@

# FirewallRule? block to 192.168.0.0/16 # FirewallRule? block to 172.16.0.0/12 # FirewallRule? block to 10.0.0.0/8

- +

## This is an example ruleset for the Teliphone service. #FirewallRule? allow udp to 69.90.89.192/27 #FirewallRule? allow udp to 69.90.85.0/27 #FirewallRule? allow tcp port 80 to 69.90.89.205

+ + ## Use the following to log the traffic you want to allow or block. + # Note: the log rule must be passed before, the rule you want to match. + # For example, you want to log the traffic allowed on port 80 to the ip 69.90.89.205: + #FirewallRule? log tcp port 80 to 69.90.89.205 + #FirewallRule? allow tcp port 80 to 69.90.89.205 + # And you want to know, who matche your block rule: + #FirewallRule? log to 0.0.0.0/0 + #FirewallRule? block to 0.0.0.0/0

}

# Rule Set: validating-users
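Review bot: the example `FirewallRule log to 0.0.0.0/0` placed before `block to 0.0.0.0/0` logs every packet reaching the chain with no rate limit, which on a busy gateway can fill the kernel log and crowd out other messages; the comment should recommend a narrower match or note that no rate limiting is applied. The wording "the log rule must be passed before, the rule you want to match" and "who matche your block rule" needs a grammar pass (e.g. "the log rule must come before the rule it is meant to log"). The `- +` pair at the top of the hunk replaces a blank line with a blank line and can be dropped. Finally, the comment should state the kernel module requirement that teddy raises below, since a user following this example otherwise gets no rule and no logs.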

Change History

Changed 8 years ago by teddy

Good idea

Changed 8 years ago by teddy

I will go even further by also adding ulog

Noted in the file wifidog.conf that the use of this feature requires the modules ipt_LOG or ipt_LOG, present in the dependencies iptables-mod-extra and iptables-mod-ulog.

Sorry for my bad English.

teddy

Changed 3 years ago by benoitg

  • status changed from new to closed
  • resolution set to fixed