Logging Dropped Packets in IPTables?


Problem description

I'm trying to log some dropped packets in iptables from a malicious IP Address that keeps hitting my server.

Everything that comes from this malicious IP is dropped and I don't see it in the web server logs anymore which is a good thing. Using tcpdump, I can see traffic still coming from this IP, and I would like to log the dropped packets in iptables, since I know it's working and they are being dropped.

I have some iptables rules, and I don't know why the logging is not working. I'm sure I'm missing something.

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s 80.82.65.0/24 -j DROP
-A INPUT -s 167.74.0.0/18 -j DROP
-A INPUT -s 167.87.0.0/16 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A LOGGING -s 80.82.65.0/24 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7

$ grep iptables /etc/rsyslog.conf
kern.debug /var/log/iptables.log
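Once the LOG rule with the prefix above actually fires, the kernel writes one KEY=VALUE line per sampled packet, which rsyslog's kern.debug selector routes to /var/log/iptables.log. The following script is an added example for consuming that file and is not code from the question or the answer: it parses the kernel LOG format, attributes each SRC to one of the blocked prefixes listed in the ruleset above, and counts drops per source and destination port. The log lines, hostnames, timestamps and destination addresses in SAMPLE_LOG are constructed; the field layout is the kernel's standard LOG output.

```python
import ipaddress
import re
from collections import Counter

LOG_PREFIX = "iptables dropped packets "   # must equal the --log-prefix used in the rule

# Constructed sample of /var/log/iptables.log. Sources sit inside the 80.82.65.0/24
# block from the question; 198.51.100.0/24 is a documentation range. The last line is
# an unrelated kernel message that also arrives via kern.* and must be skipped.
SAMPLE_LOG = """\
Mar  3 10:15:03 web1 kernel: [ 8123.401] iptables dropped packets IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=80.82.65.17 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=41022 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web1 kernel: [ 8124.117] iptables dropped packets IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=80.82.65.17 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=41023 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 web1 kernel: [ 8129.020] iptables dropped packets IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=80.82.65.201 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=5555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:11 web1 kernel: [ 8131.000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# The three source ranges the question's ruleset drops.
BLOCKED_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("80.82.65.0/24", "167.74.0.0/18", "167.87.0.0/16")]


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG entry (plus bare flags such as DF/SYN
    under 'FLAGS'), or None when the line does not carry our prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    payload = line[idx + len(LOG_PREFIX):]
    fields = dict(re.findall(r"(\w+)=(\S*)", payload))
    fields["FLAGS"] = [tok for tok in payload.split() if "=" not in tok]
    return fields


def attribute(src):
    """Name the blocked prefix a source address falls under, or 'unlisted'."""
    ip = ipaddress.ip_address(src)
    for net in BLOCKED_PREFIXES:
        if ip in net:
            return str(net)
    return "unlisted"


def summarize(text):
    """Count logged drops per (blocked prefix, SRC, PROTO, DPT).
    With '-m limit --limit 5/min' in front of LOG these are sampled counts, so they are a
    lower bound on what was really dropped, not a packet count."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        key = (attribute(fields["SRC"]), fields["SRC"],
               fields.get("PROTO", "-"), fields.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (prefix, src, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:<16} {proto}/{dport:<5} (block rule {prefix})")
```

Reading the real file instead of the sample is a matter of `summarize(open("/var/log/iptables.log").read())`; the `FLAGS` list lets you separate SYN probes from the rest when deciding whether a block is still worth keeping.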

Recommended answer


The problem with your configuration is that the rule specifying that the packet should be dropped precedes the rule specifying that it should be dealt with in the LOGGING chain, where it would be logged.
Once iptables matches the packet with the first rule (that of the DROP action), it ceases its search and doesn't reach the other rule.

I would change the order of the rules and rewrite them as follows:

iptables -N LOGANDDROP
iptables -A INPUT -s 80.82.65.0/24 -j LOGANDDROP
iptables -A LOGANDDROP -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7
iptables -A LOGANDDROP -j DROP

For the sake of completeness, I'll suggest an alternative solution, which doesn't involve creating a new ad hoc chain:

iptables -A INPUT -s 80.82.65.0/24 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7
iptables -A INPUT -s 80.82.65.0/24 -j DROP

This approach builds upon the following caveat. As mentioned earlier, iptables' default behavior is to look for the first match to the packet in hand and, once one is found, to halt its search for additional matches. However, there is a single exception to this rule:

  • Matching against a rule specifying a LOG action doesn't cause iptables to cease its search for other applicable rules.

Although this solution is shorter and therefore might seem more attractive at first glance, it's not recommended since it is not as robust. Once there are multiple sources that require the same handling, those two configuration lines shall be duplicated for each new source (instead of adding just a single line in the previous solution). Moreover, once that is done, changing the logging details would require changing multiple rules (rather than just a single one in the previous solution).
I also think that since this solution relies upon the aforementioned caveat, it is not as easy to follow and understand, which is an important factor to take into account when configuring iptables, but that's just my personal opinion.

Note - refer to this useful link for a concise tutorial on iptables.
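The whole answer rests on two facts about rule evaluation: the first matching terminating rule decides the verdict, and LOG is the one target that does not terminate. The script below is an added example, not part of the answer, that makes both visible without touching a live firewall: it parses rulesets in iptables-save syntax and walks them in first-match order for a single modelled packet, reporting the verdict and how many LOG rules fired before it. BROKEN_RULES is the INPUT/LOGGING ordering from the question and FIXED_RULES is the answer's LOGANDDROP chain; the packet (a fresh TCP SYN to port 80 from 80.82.65.17 on eth0) is constructed, and the matcher model covers only the options those rules use (-s, -i, -p, --dport, --state/--ctstate, --tcp-flags).

```python
import ipaddress
import shlex

# The question's ordering: the DROP for 80.82.65.0/24 precedes the jump into LOGGING.
BROKEN_RULES = """
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s 80.82.65.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -s 80.82.65.0/24 -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7
"""

# The answer's ordering: jump into a chain that logs first and drops second.
FIXED_RULES = """
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 80.82.65.0/24 -j LOGANDDROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A LOGANDDROP -m limit --limit 5/min -j LOG --log-prefix "iptables dropped packets " --log-level 7
-A LOGANDDROP -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_ruleset(text):
    """Parse '-A' lines into {chain: [(matchers, target), ...]}, preserving order."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)           # keeps the quoted --log-prefix as one token
        if not tok or tok[0] != "-A":
            continue
        chain, matchers, target, i = tok[1], {}, None, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-j":
                target = tok[i + 1]; i += 2
            elif opt in ("-s", "-i", "-p", "--dport", "--ctstate", "--state"):
                matchers[opt] = tok[i + 1]; i += 2
            elif opt == "--tcp-flags":    # mask and comparison sets
                matchers[opt] = (set(tok[i + 1].split(",")), set(tok[i + 2].split(","))); i += 3
            elif opt in ("-m", "--limit", "--log-prefix", "--log-level"):
                i += 2                    # do not restrict the match in this model
            else:
                i += 1
        chains.setdefault(chain, []).append((matchers, target))
    return chains


def rule_matches(matchers, pkt):
    """True when every matcher on the rule is satisfied by the modelled packet."""
    for opt, val in matchers.items():
        if opt == "-s" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(val):
            return False
        if opt == "-i" and pkt["iface"] != val:
            return False
        if opt == "-p" and pkt["proto"] != val:
            return False
        if opt == "--dport" and pkt["dport"] != int(val):
            return False
        if opt in ("--ctstate", "--state") and pkt["state"] not in val.split(","):
            return False
        if opt == "--tcp-flags" and (pkt["flags"] & val[0]) != val[1]:
            return False
    return True


def evaluate(chains, pkt, chain="INPUT"):
    """Walk the ruleset in first-match order. Returns (verdict, log_hits): the first
    terminating target reached (None if the chain falls through) and the number of LOG
    rules that fired on the way, since LOG is non-terminating."""
    log_hits = 0
    for matchers, target in chains.get(chain, []):
        if not rule_matches(matchers, pkt):
            continue
        if target == "LOG":
            log_hits += 1                 # keep walking
        elif target == "RETURN":
            return None, log_hits
        elif target in TERMINATING:
            return target, log_hits
        elif target in chains:            # user-defined chain
            verdict, sub_hits = evaluate(chains, pkt, target)
            log_hits += sub_hits
            if verdict is not None:
                return verdict, log_hits
    return None, log_hits


# Constructed packet: new TCP SYN to port 80 from inside the blocked /24.
ATTACKER_SYN = {"src": "80.82.65.17", "iface": "eth0", "proto": "tcp",
                "dport": 80, "state": "NEW", "flags": {"SYN"}}

if __name__ == "__main__":
    for name, rules in (("question", BROKEN_RULES), ("answer", FIXED_RULES)):
        verdict, hits = evaluate(parse_ruleset(rules), ATTACKER_SYN)
        print(f"{name}: verdict={verdict}, LOG rules hit={hits}")
```

Running it prints `DROP` with zero LOG hits for the question's ordering and `DROP` with one LOG hit for the answer's; feeding it the two-line alternative from the answer also yields one hit, which is exactly the caveat the answer describes. Feed it the output of `iptables-save` to check a real ruleset before loading it.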
