iptables not working and not logging

This is a discussion on iptables not working and not logging within the Linux Security forums, part of the System Security and Security Related category.
i never been so frustrated. :( well i should admit that i am a newbie to firewalls/iptables. :) i have been trying to work with iptables using linux rh9.0 and it just doesn't seem to work. i have my iptables setup as follows:

```
*filter
:INPUT ACCEPT [587:36704]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [377:23362]
[512:85124] -A INPUT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -s 192.168.1.5 -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A INPUT -j LOG --log-level info
[0:0] -A FORWARD -j REJECT --reject-with icmp-port-unreachable
[121:10604] -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
```

as you can see this is the iptables file. now it blocks everything, ie INPUT, OUTPUT, FORWARD, but INPUT for --dport 23 is enabled; but this doesn't work. also the logging just doesn't work, ie. nothing gets logged of firewalls anywhere. what could be wrong?
[followup-to set]
In article <6b07a80.0308220257.2eff3c31@posting.google.com>, DukeNM wrote:
> i never been so frustrated. :( well i should admit that i am a newbie
> to firewalls/iptables. :)

Did you read the Packet Filtering HOWTO at www.netfilter.org? How about "man iptables"? Granted, it's not easy to get your mind around all the concepts, but fortunately your problem is simple.

> *filter
> :INPUT ACCEPT [587:36704]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [377:23362]
> [512:85124] -A INPUT -j REJECT --reject-with icmp-port-unreachable

That's the first rule. Everything that comes to the INPUT chain will match it since there's no restriction. Nothing goes past it.

> [0:0] -A INPUT -s 192.168.1.5 -p tcp -m tcp --dport 23 -j ACCEPT
> [0:0] -A INPUT -j LOG --log-level info

See those packet counters?

> [0:0] -A FORWARD -j REJECT --reject-with icmp-port-unreachable

This box is apparently not positioned as a router. No FORWARD packets.

> [121:10604] -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

Nothing gets out, either. :)

> now it blocks everything ie INPUT, OUTPUT, FORWARD

Very secure that way! ;)

> but INPUT for --dport 23 is enabled

Not when a REJECT rule comes first! BTW, why telnet? These days most distros do not even enable it. ssh/sshd is far more capable and secure, and there are clients for every OS.

> what could be wrong.

I suggest a ready-made script like MonMotha's Firewall until such time as iptables begins to make sense. Follow the comments and edit it (you at least have to specify the external interface name IIRC.) Run it, then save your rules using "iptables-save > /etc/sysconfig/iptables".

--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
tridentadm@netscape.net (DukeNM) wrote in message news:<6b07a80.0308220257.2eff3c31@posting.google.com>...
> i never been so frustrated. :( well i should admit that i am a newbie
> to firewalls/iptables. :)

I've been there, and I still consider myself a rookie with iptables.

I think rules are processed in the order they're listed. So, since the first one is to reject everything, that's what happens.

What you need to start with is function definitions, including a logging def, then your access rules, then your restriction rules. To log, you need a rule that does the logging, then another rule after it that does the rejecting.

To fix mine, I went to www.netfilter.org, looked at their docs for NAT (which was my goal) and just tailored their examples to suit my needs (IP addressing, modem type, etc.). I kept the rules in the same order they had, and it worked flawlessly first time.

Good Luck
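The first-match behaviour that /dev/rob0 and the reply above describe, as an added example that is not part of the thread: a small Python model of the INPUT chain walks the poster's three rules in the order iptables-save printed them (ACCEPT and REJECT end the walk, LOG does not), then walks the same rules reordered as accept, log, reject. The 10.0.0.9 / port 80 packet used alongside the poster's 192.168.1.5 telnet client is a constructed sample.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    proto: str
    dport: int

@dataclass
class Rule:
    target: str                  # ACCEPT, REJECT or LOG (-j)
    src: Optional[str] = None    # -s, None means "any"
    proto: Optional[str] = None  # -p
    dport: Optional[int] = None  # --dport
    hits: int = 0                # the pkts half of the [pkts:bytes] counter

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, bool]:
    """Walk the chain top to bottom as netfilter does: the first matching rule
    with a terminating target (ACCEPT/REJECT) decides. LOG is non-terminating,
    so the walk continues past it. Returns (verdict, was_logged)."""
    logged = False
    for rule in rules:
        if not rule.matches(pkt):
            continue
        rule.hits += 1
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return policy, logged  # no rule matched: the chain policy applies

def broken_input() -> List[Rule]:
    """The poster's INPUT chain, in the order iptables-save printed it."""
    return [Rule("REJECT"), Rule("ACCEPT", "192.168.1.5", "tcp", 23), Rule("LOG")]

def fixed_input() -> List[Rule]:
    """Same three rules reordered: accept what you want, log the rest, then reject."""
    return [Rule("ACCEPT", "192.168.1.5", "tcp", 23), Rule("LOG"), Rule("REJECT")]

def counters(rules: List[Rule]) -> List[int]:
    """Per-rule hit counts, the way iptables -L -v would show them."""
    return [r.hits for r in rules]
```

With the poster's order every packet hits the first REJECT, so the ACCEPT and LOG counters stay at [0:0] and nothing is ever logged; with the reordered chain the telnet client is accepted and everything else is logged once and then rejected.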
> I've been there, and I still consider myself a rookie with iptables.
>
> I think rules are processed in the order they're listed. So, since
> the first one is to reject everything, that's what happens.
>
> What you need to start with is function definitions, including a
> logging def, then your access rules, then your restriction rules. To
> log, you need a rule that does the logging, then another rule after it
> that does the rejecting.
>
> To fix mine, I went to www.netfilter.org, looked at their docs for NAT
> (which was my goal) and just tailored their examples to suit my needs
> (IP addressing, modem type, etc.). I kept the rules in the same order
> they had, and it worked flawlessly first time.
>
> Good Luck

thx a lot for your help. I really didn't know that the rules were according to order of logs allow deny. i kinda guessed it based on ipchains and even apache that probably it would be deny'ing the not-wanted-ones first and then allow'ing the wanted-ones next. but seems here its vice-versa. pretty kewl. no harm done. thx for help. i will try this way now.
> What you need to start with is function definitions, including a
> logging def,

Logging level. Could someone tell me, what the logging level should be?

i saw in the iptables-tutorial that the logging level is debug; somewhere below it says kern.=info. now what does that mean? is it kern.info or is it kern.debug? some other newsgroups i read, i even saw that some mentioned some parts of iptables go in *.warn?? correct me if i'm wrong, debug is lower level than info.
DukeNM wrote:
>> What you need to start with is function definitions, including a
>> logging def,
>
> Logging level.
> Could someone tell me, what the logging level should be??
>
> i saw in the iptables-tutorial that the logging level is debug
> somewhere below it says kern.=info
>
> now what does that mean??
> is it kern.info
> or
> is it kern.debug
>
> someother newsgroups i read i even saw that some mentioned some parts
> of iptables go in *.warn ??
>
> correct me if i m wrong debug is lower level than info.

Man syslogd and man syslog.conf will tell You everything.

Cheers, Jack.
--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
> > correct me if i m wrong debug is lower level than info.
>
> Man syslogd and man syslog.conf will tell You everything.
>
> Cheers, Jack.

well, jack, no hard feelings, but even i know the mans for syslog (and obviously have gone through them), but the reason why i ask is cause i'm a bit confused.