Logging Dropped Incoming Packets

Any packet matching a rule can be logged by using the -j LOG target. Logging a packet has no effect on the packet's disposition, however. The packet must match an accept or drop rule. Some of the rules presented previously had logging enabled, before matching the packet a second time to drop it. Some of the IP address spoofing rules are examples.

Rules can be defined for the explicit purpose of logging certain kinds of packets. Most typically, packets of interest are suspicious packets indicating some sort of probe or scan. Because all packets are denied by default, if logging is desired for certain packet types, explicit rules must be defined before the packet falls off the end of the chain and the default policy takes effect. Essentially, out of all the denied packets, you might be interested in logging some of them, using rate-limited logging for some, and silently dropping others.

Which packets are logged is an individual matter. Some people want to log all dropped packets. For other people, logging all dropped packets could soon overflow their system logs. Some people, secure in the knowledge that the packets are dropped, don't care about them and don't want to know about them. Other people are interested in the obvious port scans or in some particular packet type.

Because of the first-matching-rule-wins behavior, you could log all dropped incoming packets with a single rule. The assumption here is that all packet-matching acceptance rules have been tested, and the packet is about to drop off the end of the chain and be thrown away:

 $IPT -A INPUT -i $INTERNET -j LOG 

For some people, this will produce too many log entriesor too many uninteresting log entries. For example, you might want to log all dropped incoming ICMP traffic with the exception of ping because it is a common service, regardless of whether your site responds to ping requests:

 $IPT -A INPUT -i $INTERNET -p icmp \          --icmp-type ! 8 -d $IPADDR -j LOG 

You might want to log dropped incoming TCP traffic to all ports and log dropped incoming UDP traffic to your privileged ports:

 $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR -j LOG $IPT -A INPUT -i $INTERNET -p udp \          -d $IPADDR --dport $PRIVPORTS -j LOG 

Then again, you might want to log all dropped privileged port access, with the exception of commonly probed ports that you don't offer service on anyway:

 $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 0:19 -j LOG # skip ftp, telnet, ssh $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 24 -j LOG # skip smtp $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 26:78 -j LOG # skip finger, www $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 81:109 -j LOG # skip pop-3, sunrpc $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 112:136 -j LOG # skip NetBIOS $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 140:142 -j LOG # skip imap $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 144:442 -j LOG # skip secure_web/SSL $IPT -A INPUT -i $INTERNET -p tcp \          -d $IPADDR --dport 444:65535 -j LOG #UDP rules $IPT -A INPUT -i $INTERNET -p udp \          -d $IPADDR --dport 0:110 -j LOG # skip sunrpc $IPT -A INPUT -i $INTERNET -p udp \          -d $IPADDR --dport 112:160 -j LOG # skip snmp $IPT -A INPUT -i $INTERNET -p udp \          -d $IPADDR --dport 163:634 -j LOG # skip NFS mountd $IPT -A INPUT -i $INTERNET -p udp \          -d $IPADDR --dport 636:5631 -j LOG # skip pcAnywhere $IPT -A INPUT -i $INTERNET -p udp \          -d $IPADDR --dport 5633:31336 -j LOG # skip traceroute's default ports $IPT -A INPUT -i $INTERNET -p udp \          --sport $TRACEROUTE_SRC \          -d $IPADDR --dport $TRACEROUTE_DEST -j LOG # skip the rest $IPT -A INPUT -i $INTERNET -p udp \          -d $IPADDR --dport 33434:65535 -j LOG