Esta frase bien podría ser una cita Geek: “Registrar lo que pasa es de sabios…”, así que este apunte va de “log”. En el pasado usaba ULOG para analizar qué paquetes eran descartados por IPTABLES, pero como ULOG ha sido marcado como obsoleto en el Kernel, he cambiado mi configuración a NFLOG.
Configuración del kernel
Configurar lo siguiente en el Kernel:
1 2 3 4 5 6 | - CONFIG_NETFILTER_NETLINK_LOG=y # Log packets via NFNETLINK interface - CONFIG_NETFILTER_XT_TARGET_NFLOG=y # Enables NFLOG target (allows log through nfnetlink_log) - CONFIG_NETFILTER_XT_TARGET_LOG=y # Enables LOG target (allows log through syslog) OLD METHOD - CONFIG_IP_NF_TARGET_ULOG=n # "unset" OLD ULOG Target |
CONFIG_NETFILTER_NETLINK_LOG
Activamos la opción de hacer Logging a través de NFNETLINK, es la opción nueva que permitirá trabajar con el target NFLOG
1 2 3 4 5 6 7 8 9 | Symbol: NETFILTER_NETLINK_LOG [=y] Prompt: Netfilter LOG over NFNETLINK interface -> Networking support (NET [=y]) -> Networking options -> Network packet filtering framework (Netfilter) (NETFILTER [=y]) -> Core Netfilter Configuration {*} Netfilter LOG over NFNETLINK interface   |
CONFIG_NETFILTER_XT_TARGET_NFLOG
Target NFLOG, para que podamos usarlo con iptables.
1 2 3 4 5 6 7 8 9 10 | Symbol: NETFILTER_XT_TARGET_NFLOG [=m] Prompt: "NFLOG" target support -> Networking support (NET [=y]) -> Networking options -> Network packet filtering framework (Netfilter) (NETFILTER [=y]) -> Core Netfilter Configuration -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y]) <*> "NFLOG" target support |
CONFIG_NETFILTER_XT_TARGET_LOG
Se trata del método antiguo usado para hacer logging al SYSLOG. Ya no lo necesito, así que lo he desactivado:
1 2 3 4 5 6 7 8 9 10 | Symbol: NETFILTER_XT_TARGET_LOG [=y] Prompt: LOG target support -> Networking support (NET [=y]) -> Networking options -> Network packet filtering framework (Netfilter) (NETFILTER [=y]) -> Core Netfilter Configuration -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=y]) < > LOG target support |
CONFIG_NETFILTER_XT_TARGET_LOG (OBSOLETO)
Este es el antiguo ULOG, que al quedar obsoleto también he desactivado
1 2 3 4 5 6 7 8 9 10 | Symbol: IP_NF_TARGET_ULOG [=n] Prompt: ULOG target support (obsolete) -> Networking support (NET [=y]) -> Networking options -> Network packet filtering framework (Netfilter) (NETFILTER [=y]) -> IP: Netfilter Configuration -> IP tables support (required for filtering/masq/NAT) (IP_NF_IPTABLES [=y]) < > ULOG target support (obsolete) |
Programa ULOG
No olvides que tienes que instalar ULOG y configurarlo
1 2 | emerge -v ulogd |
Fichero de configuración:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | [global] logfile="/var/log/ulogd/ulogd.log" loglevel=5 plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so" plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so" plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so" plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so" plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so" plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so" plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so" plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so" plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so" plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so" plugin="/usr/lib64/ulogd/ulogd_output_XML.so" plugin="/usr/lib64/ulogd/ulogd_output_GPRINT.so" plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so" plugin="/usr/lib64/ulogd/ulogd_inpflow_NFACCT.so" plugin="/usr/lib64/ulogd/ulogd_output_GRAPHITE.so" stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu2:LOGEMU stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU : [log1] group=0 [log2] group=1 # Group has to be different from the one use in log1 [log3] group=2 # Group has to be different from the one use in log1/log2 numeric_label=1 # you can label the log info based on the packet verdict [log4] group=3 # Group has to be different from the one use in log1/log2 : [emu1] file="/var/log/ulogd/iptables_all.log" sync=1 [emu2] file="/var/log/ulogd/iptables_drop.log" sync=1 [emu3] file="/var/log/ulogd/iptables_dropblacklist.log" sync=1 [emu4] file="/var/log/ulogd/iptables_dnat.log" |
Ejemplo de uso con IPTABLES
Sección de un script donde añado una regla para hacer drop de ciertas IP’s de una supuesta blacklist:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | : # Prefijos que bloqueo de forma especifica export LOGDROPBLACKLIST="yes" export BLACKLIST=" 190.55.85.0/24 \ 190.55.95.0/24 \ 190.55.98.0/24 \ 95.211.100.0/24 \ 63.217.28.226 \ 194.179.126.151 \ 216.151.130.170 \ 62.109.4.89 \ 192.168.1.17 \ " : # === Creo el CHAIN "BlackList" para bloquear ciertas IP's... iptables -N BlackList : # === Redirigir al CHANIN paquetes con IP's del BlackList for blacklist in $BLACKLIST do iptables -A INPUT -s $blacklist -j BlackList iptables -A FORWARD -s $blacklist -j BlackList done : # === Hacer LOGGING de dichos paquetes if [ "${LOGBLACKLIST}" = "yes" ]; then iptables -A BlackList -j NFLOG --nflog-group 2 --nflog-prefix "BlackList -- DROP " fi # === Finalmente hacer DROP de los paquetes iptables -A BlackList -j DROP : ===== |
Mostrar logging
1 2 3 | tail -f /var/log/ulog/iptables_drop.log |
Leave a Reply