SnapGear 1.7.8 manual Creating Custom Log Rules

Page 101

Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0

That is, a packet arriving from the WAN (IN=eth1) and bound for the SnapGear appliance itself (OUT=<nothing>), sent from IP address 140.103.74.181 (SRC=140.103.74.181) and attempting to reach port 139 (DPT=139, Windows file sharing), was dropped.

If the packet is traversing the SnapGear appliance to a server on the private network, the outgoing interface will be eth0, e.g.:

Mar 27 09:52:59 2003 klogd: IN=eth1 OUT=eth0 SRC=140.103.74.181 DST=10.0.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=51683 DF PROTO=TCP SPT=47044 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Packets going from the private network to the public come in eth0, and out eth1, e.g.:

Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=140.103.74.181 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF PROTO=TCP SPT=46486 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Creating Custom Log Rules

Additional log rules can be configured to provide more detail if desired. For example, by analysing the rules in the Rules menu, it is possible to provide additional log messages with configurable prefixes (i.e. other than Default Deny:) for some allowed or denied protocols.

Depending on how the LOG rules are constructed it may be possible to differentiate between inbound (from WAN to LAN) and outbound (from LAN to WAN) traffic. Similarly, traffic attempting to access services on the SnapGear appliance itself can be differentiated from traffic trying to pass through it.
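As an added example (not part of the manual and not SnapGear's own software), the following Python script parses klogd LOG lines of the form shown earlier in this appendix and sorts them into the categories this section describes: traffic addressed to the appliance itself versus traffic passing through it, and inbound (WAN to LAN) versus outbound (LAN to WAN), using the IN and OUT interface fields, while keeping each rule's log prefix so that a custom prefix can be told apart from Default deny:. It assumes eth1 is the WAN interface and eth0 the LAN interface, as in the manual's examples; the fourth sample line, with its WAN-in-allowed: prefix and 198.51.100.7 address, and the fifth, non-matching line are constructed for this example.

```python
import re
from collections import Counter

# Interface roles as used in this appendix: eth1 faces the WAN, eth0 the private
# LAN. Assumption for this example; adjust for an appliance wired differently.
WAN_IFACES = {"eth1"}
LAN_IFACES = {"eth0"}

# Constructed sample log, modelled on the manual's examples. Lines 1-3 follow the
# manual's three cases; line 4 uses a made-up custom --log-prefix; line 5 is noise.
SAMPLE_LOG = "\n".join([
    "Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= "
    "MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 27 09:52:59 2003 klogd: IN=eth1 OUT=eth0 SRC=140.103.74.181 DST=10.0.0.2 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=51683 DF PROTO=TCP SPT=47044 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=140.103.74.181 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF PROTO=TCP SPT=46486 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 27 10:05:00 2003 klogd: WAN-in-allowed: IN=eth1 OUT= SRC=198.51.100.7 "
    "DST=12.16.16.36 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1234 DF PROTO=TCP "
    "SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 27 10:06:00 2003 klogd: kernel message that is not a firewall log entry",
])

# Timestamp, the "klogd:" tag, then everything up to "IN=" is the rule's log
# prefix ("Default deny:" or a custom one); it may be empty, as in lines 2 and 3.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) klogd: "
    r"(?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None for non-matching lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "prefix": m.group("prefix").strip(), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")  # "OUT=" yields an empty value
            rec[key] = value
        else:
            rec["flags"].add(tok)               # bare tokens such as DF and SYN
    return rec


def classify(rec):
    """Name the traffic direction from the IN/OUT interfaces, as the appendix describes."""
    inbound, outbound = rec.get("IN", ""), rec.get("OUT", "")
    if inbound in WAN_IFACES and outbound == "":
        return "wan-to-appliance"       # packet addressed to the appliance itself
    if inbound in WAN_IFACES and outbound in LAN_IFACES:
        return "wan-to-lan"             # forwarded inbound (e.g. port forwarding)
    if inbound in LAN_IFACES and outbound in WAN_IFACES:
        return "lan-to-wan"             # forwarded outbound
    if inbound in LAN_IFACES and outbound == "":
        return "lan-to-appliance"       # LAN host talking to the appliance
    if inbound == "" and outbound:
        return "appliance-originated"   # generated by the appliance itself
    return "other"


def summarize(log_text):
    """Count parsed lines by (log prefix, direction, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["prefix"] or "(no prefix)", classify(rec),
               rec.get("PROTO", "?"), rec.get("DPT", "?"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (prefix, direction, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {prefix:<16} {direction:<20} {proto}/{dport}")
```

Run against a real system log, the summary makes the distinction this section is after visible at a glance: a Default deny: line with an empty OUT= is a rejected connection to the appliance, whereas the same interfaces under a custom prefix on a rule that accepts traffic records a permitted one, and any line with both IN and OUT set is traffic traversing the appliance.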

The examples below can be entered on the Command Line Interface (telnet), or into the Rules page of the SnapGear Management Console web administration pages. Rules entered on the CLI are not permanent, however; this makes the CLI useful for quick testing, but bear in mind that rules entered there do not persist.

To log permitted inbound access requests to services hosted on the SnapGear appliance, the rule should look something like this:

98

Appendix B – System Log
