diff --git a/conf/logging_ipv4.conf b/conf/logging_ipv4.conf
index e653972..8867def 100644
--- a/conf/logging_ipv4.conf
+++ b/conf/logging_ipv4.conf
@@ -4,6 +4,18 @@
 # --- Logging
 # =============
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
+ tag_log_prefix="--nflog-prefix"
+ LOG_TARGET="NFLOG --nflog-group 11"
+else
+ # - Log using the specified syslog level. 7 (debug) is a good choice
+ # - unless you specifically need something else.
+ # -
+ log_level=debug
+ LOG_TARGET="LOG --log-level $log_level"
+ tag_log_prefix="--log-prefix"
+fi
+
 log_all=false
 log_syn_flood=false
@@ -19,7 +31,7 @@ log_blocked=false
 log_unprotected=false
 log_prohibited=false
 log_voip=false
-log_rejected=false
+log_rejected=true
 log_ssh=false
diff --git a/conf/logging_ipv6.conf b/conf/logging_ipv6.conf
index a024215..5c04e42 100644
--- a/conf/logging_ipv6.conf
+++ b/conf/logging_ipv6.conf
@@ -4,6 +4,18 @@
 # --- Logging
 # =============
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
+ tag_log_prefix="--nflog-prefix"
+ LOG_TARGET="NFLOG --nflog-group 12"
+else
+ # - Log using the specified syslog level. 7 (debug) is a good choice
+ # - unless you specifically need something else.
+ # -
+ log_level=debug
+ LOG_TARGET="LOG --log-level $log_level"
+ tag_log_prefix="--log-prefix"
+fi
+
 log_all=false
 log_syn_flood=false
@@ -19,7 +31,7 @@ log_blocked=false
 log_unprotected=false
 log_prohibited=false
 log_voip=false
-log_rejected=false
+log_rejected=true
 log_ssh=false
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 0bd59a8..8f7ae2c 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
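Review bot: The `if $(ps -e f | grep -q ...)` test in both conf hunks executes the command substitution's empty output as the condition; it only works because bash falls back to the substitution's exit status when no command name remains, which is a shell quirk rather than a contract, the `2>/dev/null` covers only grep, and the `\s` after `ulogd2?` appears not to match a ulogd started without arguments. Test the process directly instead, e.g. `if pgrep -x 'ulogd2?' >/dev/null 2>&1 ; then` (pgrep patterns are extended regexes, so the optional `2` still works). The backend choice is also frozen at rule-load time: if ulogd is not yet up when the firewall loads, the rules silently use syslog, and if ulogd stops afterwards the NFLOG rules produce no log anywhere. A comment above the `if` noting that the rules must be reloaded after ulogd starts or stops, and that ulogd must be bound to group 11 (IPv4) and 12 (IPv6), would save the next operator that blind spot.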
@@ -200,10 +200,10 @@ echo echononl "\tLog given IP Addresses" if [[ ${#log_ip_arr[@]} -gt 0 ]]; then for _ip in ${log_ip_arr[@]} ; do - $ip6t -A INPUT -s $_ip -j LOG --log-prefix "$_ip IN: " --log-level $log_level - $ip6t -A OUTPUT -d $_ip -j LOG --log-prefix "$_ip OUT: " --log-level $log_level - $ip6t -A FORWARD -s $_ip -j LOG --log-prefix "$_ip FORWARD FROM: " --log-level $log_level - $ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$_ip FORWARD TO: " --log-level $log_level + $ip6t -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "$_ip IN: " + $ip6t -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "$_ip OUT: " + $ip6t -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$_ip FORWARD FROM: " + $ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$_ip FORWARD TO: " done echo_done @@ -256,11 +256,11 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then echononl "\tPass through Devices (not firewalled)" for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then - $ip6t -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ip6t -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " + $ip6t -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ip6t -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " + $ip6t -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " fi fi $ip6t -A INPUT -i $_dev -j ACCEPT 
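Review bot: Every rewritten rule in this hunk, and in the remaining ip6t-firewall-gateway and ipt-firewall-gateway hunks, now depends on `LOG_TARGET` and `tag_log_prefix` coming from the logging conf; if, as the `${ipt_conf_dir}` reference in a later ipt hunk suggests, the conf is loaded from an installed copy that predates this commit, both expand to nothing and the command degenerates to `-j "$_ip IN: "`, which ip6tables rejects partway through the rule load. Defaulting before first use, `: "${LOG_TARGET:=LOG --log-level ${log_level:-debug}}"` and `: "${tag_log_prefix:=--log-prefix}"`, keeps older configs working. The two expansions must stay unquoted so that `NFLOG --nflog-group 11` splits into target and option; mark that as intentional with `# shellcheck disable=SC2086 -- LOG_TARGET carries the target and its options` so a later quoting cleanup does not break every log rule. The enclosing `if [[ ${#log_ip_arr[@]} -gt 0 ]]` block ends outside the hunk.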
@@ -288,9 +288,9 @@ echononl "\tBlock IPs / Networks / Interfaces.." for _ip in $blocked_ips ; do for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then - $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " fi fi $ip6t -A INPUT -i $_dev -s $_ip -j DROP @@ -308,11 +308,11 @@ done for _if in ${blocked_if_arr[@]} ; do if $log_blocked_if || $log_all ; then if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level - $ip6t -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " + $ip6t -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi - $ip6t -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level - $ip6t -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ip6t -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " + $ip6t -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_if -j DROP 
@@ -360,7 +360,7 @@ if $protect_against_several_attacks ; then $ip6t -N syn-flood $ip6t -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN if $log_syn_flood || $log_all ; then - $ip6t -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level + $ip6t -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " fi $ip6t -A syn-flood -j DROP @@ -370,10 +370,10 @@ if $protect_against_several_attacks ; then # --- if $log_new_not_sync || $log_all ; then - $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level - $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " + $ip6t -A OUTPUT -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + $ip6t -A FORWARD -p tcp ! --syn -m state --state NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " fi fi $ip6t -A INPUT -p tcp ! --syn -m state --state NEW -j DROP @@ -388,9 +388,9 @@ if $protect_against_several_attacks ; then # --- if $log_invalid_state || $log_all ; then - $ip6t -A INPUT -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + $ip6t -A INPUT -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -m state --state INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + $ip6t -A FORWARD -m state --state INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " fi fi $ip6t -A INPUT -m state --state INVALID -j DROP 
@@ -405,13 +405,13 @@ if $protect_against_several_attacks ; then for _dev in ${ext_if_arr[@]} ; do if $log_invalid_flags || $log_all ; then - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ip6t -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " fi fi $ip6t -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP 
@@ -432,9 +432,9 @@ if $protect_against_several_attacks ; then # - Refuse spoofed packets pretending to be from your IP address. if $log_spoofed || $log_all ; then for _ip in ${ext_ip_arr[@]} ; do - $ip6t -A INPUT -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + $ip6t -A INPUT -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -s $_ip -d $_ip -j LOG --log-prefix "$log_prefix Spoofed (own ip): " --log-level $log_level + $ip6t -A FORWARD -s $_ip -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofed (own ip): " fi done fi @@ -449,11 +449,11 @@ if $protect_against_several_attacks ; then # - private Adressen auf externen interface verwerfen for _dev in ${dsl_device_arr[@]} ; do if $log_spoofed || $log_all ; then - $ip6t -A INPUT -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level - $ip6t -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + $ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " + $ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " if $kernel_forward_between_interfaces ; then - $ip6t -A FORWARD -i $_dev -s $ula_block -j LOG --log-prefix "$log_prefix Private (ula_block): " --log-level $log_level - $ip6t -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix (loopback): " --log-level $log_level + $ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " + $ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " fi fi $ip6t -A INPUT -i $_dev -s $ula_block -j DROP 
@@ -483,11 +483,11 @@ fi if $log_voip || $log_all ; then for _ip in ${tel_sys_ip_arr[@]} ; do - $ip6t -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level + $ip6t -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] " done fi #for _PORT in ${VOIP_PORTS} ; do -# $ip6t -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level +# $ip6t -A FORWARD -p udp --sport $_PORT -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] " #done @@ -563,13 +563,13 @@ echononl "\tDrop packets not wanted on gateway" for _dev in ${local_if_arr[@]} ; do if $log_not_wanted || $log_all ; then if $not_wanted_ident ; then - $ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " fi for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do - $ip6t -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p tcp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " done for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do - $ip6t -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + $ip6t -A INPUT -i $_dev -p udp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " done fi if $not_wanted_ident ; then 
@@ -595,23 +595,23 @@ echononl "\tGenerally prohibited from WAN" for _dev in ${ext_if_arr[@]} ; do if $log_prohibited || $log_all ; then if $block_ident ; then - $ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " fi for _port in ${block_tcp_port_arr[@]} ; do - $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do - $ip6t -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done if $kernel_forward_between_interfaces ; then if $block_ident ; then - $ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " fi for _port in ${block_tcp_port_arr[@]} ; do - $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do - $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ip6t -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done fi fi 
@@ -3877,7 +3877,7 @@ if $kernel_forward_between_interfaces ; then for _dev_1 in ${local_if_arr[@]} ; do for _dev_2 in ${local_if_arr[@]} ; do if $log_rejected || $log_all ; then - $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level + $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected local NET: " fi $ip6t -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP done @@ -3898,12 +3898,12 @@ echo echononl "\tLog traffic not matched so far.." if $log_rejected || $log_all ; then - $ip6t -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level - $ip6t -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level - $ip6t -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level - #$ip6t -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level - #$ip6t -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level - #$ip6t -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level + $ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " + $ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " + $ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " + #$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " + #$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " + #$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " echo_done else echo_skipped diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 638889b..230f68b 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway 
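Review bot: The three catch-all rules in the 3898 hunk (and the matching 4611 hunk in ipt-firewall-gateway) log every packet that reaches the end of OUTPUT, INPUT and FORWARD with no rate limit, and the conf hunks flip `log_rejected` to `true` by default, so on a host without ulogd the syslog fallback now receives one kernel message per rejected packet, which under scan or flood traffic fills the journal and drowns the other log prefixes. The commented `-m limit --limit-burst 5` variants are not a drop-in replacement either, since without `--limit` the match defaults to 3/hour. Give the live rules an explicit rate, e.g. `$ip6t -A INPUT -m limit --limit 10/second --limit-burst 20 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: "`, and likewise for the OUTPUT and FORWARD lines.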
@@ -305,10 +305,10 @@ echo echononl "\tLog given IP Addresses" if [[ ${#log_ip_arr[@]} -gt 0 ]]; then for _ip in ${log_ip_arr[@]} ; do - $ipt -A INPUT -s $_ip -j LOG --log-prefix "IPv4: $_ip IN: " --log-level $log_level - $ipt -A OUTPUT -d $_ip -j LOG --log-prefix "IPv4: $_ip OUT: " --log-level $log_level - $ipt -A FORWARD -s $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD FROM: " --log-level $log_level - $ipt -A FORWARD -d $_ip -j LOG --log-prefix "IPv4: $_ip FORWARD TO: " --log-level $log_level + $ipt -A INPUT -s $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip IN: " + $ipt -A OUTPUT -d $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip OUT: " + $ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip FORWARD FROM: " + $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "IPv4: $_ip FORWARD TO: " done echo_done @@ -541,11 +541,11 @@ if [[ ${#unprotected_if_arr[@]} -gt 0 ]]; then echononl "\tPass through Devices (not firewalled)" for _dev in ${unprotected_if_arr[@]} ; do if $log_unprotected || $log_all ; then - $ipt -A INPUT -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A INPUT -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " + $ipt -A OUTPUT -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level - $ipt -A FORWARD -o $_dev -j LOG --log-prefix "$log_prefix Not firewalled ${_dev}: " --log-level $log_level + $ipt -A FORWARD -i $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " + $ipt -A FORWARD -o $_dev -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled ${_dev}: " fi fi $ipt -A INPUT -i $_dev -j ACCEPT 
@@ -573,9 +573,9 @@ echononl "\tBlock IPs / Networks / Interfaces.." for _ip in $blocked_ips ; do for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then - $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " fi fi $ipt -A INPUT -i $_dev -s $_ip -j DROP @@ -593,11 +593,11 @@ done for _if in ${blocked_if_arr[@]} ; do if $log_blocked_if || $log_all ; then if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level - $ipt -A FORWARD -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A FORWARD -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " + $ipt -A FORWARD -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi - $ipt -A INPUT -i $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level - $ipt -A OUTPUT -o $_if -j LOG --log-prefix "$log_prefix Blocked IF ${_if}: " --log-level $log_level + $ipt -A INPUT -i $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " + $ipt -A OUTPUT -o $_if -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked IF ${_if}: " fi if $kernel_activate_forwarding ; then $ipt -A FORWARD -i $_if -j DROP 
@@ -765,9 +765,9 @@ if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then for _dev in ${ext_if_arr[@]} ; do if $log_blocked_ip || $log_all ; then - $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked ${_ip}: " fi fi $ipt -A INPUT -i $_dev -s $_ip -j DROP @@ -827,7 +827,7 @@ if $protect_against_several_attacks ; then $ipt -N syn-flood $ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN if $log_syn_flood || $log_all ; then - $ipt -A syn-flood -j LOG --log-prefix "$log_prefix SYN flood: " --log-level $log_level + $ipt -A syn-flood -j $LOG_TARGET $tag_log_prefix "$log_prefix SYN flood: " fi $ipt -A syn-flood -j DROP @@ -845,9 +845,9 @@ if $protect_against_several_attacks ; then for _dev in ${ext_if_arr[@]} ; do if $log_fragments || $log_all ; then - $ipt -A INPUT -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + $ipt -A INPUT -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -f -j LOG --log-prefix "$log_prefix IPTABLES FRAGMENTS: " --log-level $log_level + $ipt -A FORWARD -i $_dev -f -j $LOG_TARGET $tag_log_prefix "$log_prefix IPTABLES FRAGMENTS: " fi fi $ipt -A INPUT -i $_dev -f -j DROP 
@@ -862,10 +862,10 @@ if $protect_against_several_attacks ; then # --- #if $log_new_not_sync || $log_all ; then - # $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level - # $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # $ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " + # $ipt -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " # if $kernel_activate_forwarding ; then - # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "$log_prefix New but not SYN: " --log-level $log_level + # $ipt -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j $LOG_TARGET $tag_log_prefix "$log_prefix New but not SYN: " # fi #fi #$ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP @@ -880,9 +880,9 @@ if $protect_against_several_attacks ; then # --- #if $log_invalid_state || $log_all ; then - # $ipt -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + # $ipt -A INPUT -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " # if $kernel_activate_forwarding ; then - # $ipt -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "$log_prefix Invalid state: " --log-level $log_level + # $ipt -A FORWARD -m conntrack --ctstate INVALID -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid state: " # fi #fi #$ipt -A INPUT -m conntrack --ctstate INVALID -j DROP 
@@ -897,13 +897,13 @@ if $protect_against_several_attacks ; then for _dev in ${ext_if_arr[@]} ; do if $log_invalid_flags || $log_all ; then - $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ipt -A INPUT -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level - $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "$log_prefix Invalid flags: " --log-level $log_level + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,FIN SYN,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " + $ipt -A FORWARD -i $_dev -p tcp --tcp-flags SYN,RST SYN,RST -j $LOG_TARGET $tag_log_prefix "$log_prefix Invalid flags: " fi fi $ipt -A INPUT -i $_dev -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP 
@@ -931,22 +931,22 @@ if $protect_against_several_attacks ; then # broadcast address for _dev in ${dsl_device_arr[@]} ; do if $log_spoofed || $log_all ; then - $ipt -A INPUT -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level - $ipt -A INPUT -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix Class B private net: " --log-level $log_level - $ipt -A INPUT -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level - $ipt -A INPUT -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level - $ipt -A INPUT -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level - $ipt -A INPUT -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level - #$ipt -A INPUT -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " + $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " + $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " + $ipt -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " + $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " + $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " + #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " # if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix Class A private net: " --log-level $log_level - $ipt -A FORWARD -i $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix 
Class B private net: " --log-level $log_level - $ipt -A FORWARD -i $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix Class C private net: " --log-level $log_level - $ipt -A FORWARD -i $_dev -s $loopback -j LOG --log-prefix "$log_prefix From Loopback: " --log-level $log_level - $ipt -A FORWARD -i $_dev -s $class_d_multicast -j LOG --log-prefix "$log_prefix Class D Multicast: " --log-level $log_level - $ipt -A FORWARD -i $_dev -s $class_e_reserved -j LOG --log-prefix "$log_prefix Class E reserved: " --log-level $log_level - #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j LOG --log-prefix "$log_prefix Broadcast Address: " --log-level $log_level + $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net: " + $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net: " + $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net: " + $ipt -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback: " + $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast: " + $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved: " + #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address: " fi fi # Refuse packets claiming to be from a Class A private network. 
@@ -991,9 +991,9 @@ if $protect_against_several_attacks ; then # quench to the loopback. for _dev in ${ext_if_arr[@]} ; do if $log_to_lo || $log_all ; then - $ipt -A INPUT -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + $ipt -A INPUT -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -d $loopback -j LOG --log-prefix "$log_prefix To Loopback: " --log-level $log_level + $ipt -A FORWARD -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback: " fi fi $ipt -A INPUT -i $_dev -d $loopback -j DROP @@ -1009,10 +1009,10 @@ if $protect_against_several_attacks ; then for _dev in ${dsl_device_arr[@]} ; do if $log_spoofed_out || $log_all ; then - $ipt -A OUTPUT -o $_dev -s $priv_class_a -j LOG --log-prefix "$log_prefix out Class A: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -s $priv_class_b -j LOG --log-prefix "$log_prefix out Class B: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -s $priv_class_c -j LOG --log-prefix "$log_prefix out Class C: " --log-level $log_level - $ipt -A OUTPUT -o $_dev -s $loopback -j LOG --log-prefix "$log_prefix out Loopback: " --log-level $log_level + $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A: " + $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B: " + $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C: " + $ipt -A OUTPUT -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback: " fi $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP 
@@ -1032,11 +1032,11 @@ fi if $log_voip || $log_all ; then for _ip in ${tel_sys_ip_arr[@]} ; do - $ipt -A FORWARD -d $_ip -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level + $ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] " done fi #for _PORT in ${VOIP_PORTS} ; do -# $ipt -A FORWARD -p udp --sport $_PORT -j LOG --log-prefix "$log_prefix [VoIP] " --log-level $log_level +# $ipt -A FORWARD -p udp --sport $_PORT -j $LOG_TARGET $tag_log_prefix "$log_prefix [VoIP] " #done @@ -1112,13 +1112,13 @@ echononl "\tDrop packets not wanted on gateway" for _dev in ${local_if_arr[@]} ; do if $log_not_wanted || $log_all ; then if $not_wanted_ident ; then - $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " fi for _port in ${not_wanted_on_gw_tcp_port_arr[@]} ; do - $ipt -A INPUT -i $_dev -p tcp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + $ipt -A INPUT -i $_dev -p tcp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " done for _port in ${not_wanted_on_gw_udp_port_arr[@]} ; do - $ipt -A INPUT -i $_dev -p udp --dport $_port -j LOG --log-prefix "$log_prefix not wanted: " --log-level $log_level + $ipt -A INPUT -i $_dev -p udp --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix not wanted: " done fi if $not_wanted_ident ; then 
@@ -1144,23 +1144,23 @@ echononl "\tGenerally prohibited from WAN" for _dev in ${ext_if_arr[@]} ; do if $log_prohibited || $log_all ; then if $block_ident ; then - $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ipt -A INPUT -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " fi for _port in ${block_tcp_port_arr[@]} ; do - $ipt -A INPUT -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ipt -A INPUT -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do - $ipt -A INPUT -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ipt -A INPUT -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done if $kernel_activate_forwarding ; then if $block_ident ; then - $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ipt -A FORWARD -p tcp -i $_dev --dport $standard_ident_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " fi for _port in ${block_tcp_port_arr[@]} ; do - $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ipt -A FORWARD -p tcp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done for _port in ${block_udp_port_arr[@]} ; do - $ipt -A FORWARD -p udp -i $_dev --dport $_port -j LOG --log-prefix "$log_prefix gen. prohibited: " --log-level $log_level + $ipt -A FORWARD -p udp -i $_dev --dport $_port -j $LOG_TARGET $tag_log_prefix "$log_prefix gen. prohibited: " done fi fi 
@@ -4590,7 +4590,7 @@ if $kernel_activate_forwarding ; then for _dev_1 in ${local_if_arr[@]} ; do for _dev_2 in ${local_if_arr[@]} ; do if $log_rejected || $log_all ; then - $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -j LOG --log-prefix "$log_prefix Rejected local NET: " --log-level $log_level + $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected local NET: " fi $ipt -A FORWARD -i $_dev_1 -o $_dev_2 -p ALL -m conntrack --ctstate NEW -j DROP done @@ -4611,12 +4611,12 @@ echo echononl "\tLog traffic not matched so far.." if $log_rejected || $log_all ; then - $ipt -A OUTPUT -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level - $ipt -A INPUT -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level - $ipt -A FORWARD -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level - #$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix OUT Rejected: " --log-level $log_level - #$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix IN Rejected: " --log-level $log_level - #$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "$log_prefix FORWARD Rejected: " --log-level $log_level + $ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " + $ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " + $ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " + #$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix OUT Rejected: " + #$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix IN Rejected: " + #$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix FORWARD Rejected: " echo_done else echo_skipped