Przeniesienie logow iptables do osobnego pliku.

[marcin1982]

Zainstaluj pakiet netfilter-persistent.
Włącz uruchamianie usługi przy starcie systemu:

Kod: Zaznacz cały

#  systemctl enable netfilter-persistent

Zatrzymaj swoją usługę firewall.service. Uruchom ręcznie skrypt - jeden raz. Zapisz istniejące reguły iptables do takiego pliku - takim poleceniem:

Kod: Zaznacz cały

#   iptables-save > /etc/iptables/rules.v4

Uruchom usługę netfilter:

Kod: Zaznacz cały

systemctl start netfilter-persistent

Sprawdź jakie reguły zostały zastosowane. Potem sprawdź czy prawidłowe reguły zostaną zastosowane po restarcie systemu.

Ponieważ usługa netfilter-persistent to skrypt init - za jej pomocą zapisać czy wyczyścić reguły:

Kod: Zaznacz cały

service netfilter-persistent save

[Matrixx]

Dziala, teraz jest przywolywany ten skrypt, ktory byc powinien, bardzo dziekuje za skuteczna pomoc.
Ad memoriam (moze komus sie przyda):
- wyznaczenie celow do realizacji dla iptables np:
( logowanie spamerow, skanerow, mozliwych polaczen lub pakietow.)
- utworzenie specyficznego suffixa do kazdego celu.
- zapewnienie zgodnosci nazw suffixow z dopasowaniami (zadnych dwukropkow (;-)
- odpowiednie zmiany w: pliku konfigu sysloga, pliku domyslnych regol logowania.
- zmienic uprawnienia plikom logow.
- ew zastosowac netfilter-persistent do wymuszenia korzystania uslugi firewalla z wlasciwego
skryptu konfiguracyjnego regol iptables.
Pozdrawiam.

[Matrixx]

Ten watek jest logiczna kontynuacja watku: viewtopic.php?f=5&t=34799
Ogolne dane systemu i aplikacji:

Kod: Zaznacz cały

root@robin-desktop:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.4 LTS
Release:	16.04
Codename:	xenial
root@robin-desktop:~# uname -r
4.15.0-33-generic
root@robin-desktop:~# rsyslogd -version
rsyslogd 8.16.0, compiled with:
	PLATFORM:				x86_64-pc-linux-gnu
	PLATFORM (lsb_release -d):		
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		Yes
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	memory allocator:			system default
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.
root@robin-desktop:~# ps -A | grep rsyslog
18328 ?        00:00:00 rsyslogd
root@robin-desktop:~# rsyslogd -N1
rsyslogd: version 8.16.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]
rsyslogd: error during parsing file /etc/rsyslog.d/tcpconnections.conf, on or before line 2: warnings occured in file '/etc/rsyslog.d/tcpconnections.conf' around line 2 [v8.16.0 try http://www.rsyslog.com/e/2207 ]

Uzyte prefixy iptables:

Kod: Zaznacz cały

ctstate INVALID,NEW LOG level warning prefix "indrop"
ctstate INVALID,NEW LOG level warning prefix "outdrop"

Plik /etc/rsyslog.conf (rsyslog configuration file)

Kod: Zaznacz cały

#  /etc/rsyslog.conf	Configuration file for rsyslog.
#
#			For more information see
#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
module(load="immark")  # provides --MARK-- message capability

#provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
#

Plik /etc/rsyslog.d/50-default.com

Kod: Zaznacz cały

#  Default rules for rsyslog.
#
#			For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
:msg, contains, "indrop" -/var/log/indrop.log
& ~
#
:msg, contains, "outdrop" -/var/log/outdrop.log
& ~
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
#daemon.*			-/var/log/daemon.log
kern.*				-/var/log/messages
#iptables log 
kern.debug                      -/var/log/iptables.log
#lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
#user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info			-/var/log/mail.info
#mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

#
# Logging for INN news system.
#
news.crit			/var/log/news/news.crit
news.err			/var/log/news/news.err
news.notice			-/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#	auth,authpriv.none;\
#	news.none;mail.none	-/var/log/debug
#*.=info;*.=notice;*.=warn;\
#	auth,authpriv.none;\
#	cron,daemon.none;\
#	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#	news.=crit;news.=err;news.=notice;\
#	*.=debug;*.=info;\
#	*.=notice;*.=warn	/dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
	news.err;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

Plik /etc/rsyslog.d/10-iptables.conf (custom rules for rsyslog)

Kod: Zaznacz cały

:msg, contains, "indrop" -/var/log/indrop.log
& stop

:msg, contains, "outdrop" -/var/log/outdrop.log
& stop

Dodam jeszcze, ze system markowania pakietow "prefix" dziala a dowod ponizej:

Kod: Zaznacz cały

Sep  1 20:40:10 robin-desktop kernel: [ 7847.662243] indropIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=32509 DF PROTO=UDP SPT=47980 DPT=53 LEN=39 
Sep  1 20:40:10 robin-desktop kernel: [ 7847.663218] outdropIN= OUT=lo SRC=127.0.0.1 DST=127.0.1.1 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=32510 DF PROTO=UDP SPT=42336 DPT=53 LEN=33 
Sep  1 20:40:10 robin-desktop kernel: [ 7847.663235] indropIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=32510 DF PROTO=UDP SPT=42336 DPT=53 LEN=33 
Sep  1 20:40:10 robin-desktop kernel: [ 7847.673861] outdropIN= OUT=lo SRC=127.0.0.1 DST=127.0.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=32512 DF PROTO=UDP SPT=41896 DPT=53 LEN=39 
Sep  1 20:40:10 robin-desktop kernel: [ 7847.673878] indropIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=32512 DF PROTO=UDP SPT=41896 DPT=53 LEN=39 
Sep  1 20:40:10 robin-desktop kernel: [ 7847.675087] outdropIN= OUT=lo SRC=127.0.0.1 DST=127.0.1.1 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=32513 DF PROTO=UDP SPT=33267 DPT=53 LEN=33 
Sep  1 20:40:10 robin-desktop kernel: [ 7847.675098] indropIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.1.1 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=32513 DF PROTO=UDP SPT=33267 DPT=53 LEN=33

Zalozeniem jest zapisywanie logow iptables wg prefiksow do odpowiednich plikow.
Niestety, mimo iz staralem sie zastosowac Wasze rady z podanego powyzej watku, pliki:
- indrop.log
- outdrop.log
pozostaja puste, mozecie pomoc w rozwiazaniu tego problemu ?
Pozdro.

[marcin1982]

Matrix

Połączyłem wątki - kontynuujmy w tym miejscu. Na przyszłość napisz PW, żeby odblokować dany wątek jeśli wystąpi taka sytuacja jak teraz.

[Matrixx]

O,k ale jak rozwiazac aktualny problem?
Markowanie pakietow za pomoca prefixa dziala normalnie, natomiast przekierowanie pakietow:
- z prefixem "indrop" do pliku loga "indrop.log"
- z prefixem "outdrop" do pliku loga "outdrop.log"
NIEE dziala !
Probowalem kilkunastu roznych konfigow dla:
- /etc/rsyslog.conf
- /etc/rsyslog.d/50-default.conf
- /etc/rsyslog.d/10-iptables.conf (custom)
Np, nie rozumiem dlaczego custom konfig nie moze byc w zmodyfikowanym default.config ?
Wlozylem tyle pracy, ze nie moge odpuscic.

[Morfik]

A jak dasz taką regułę, to też nie działa?

Kod: Zaznacz cały

if $msg contains 'indrop' then -/var/log/indrop.log
& stop

[Matrixx]

Ale w ktorym pliku to dac ?
- default ?
- custom ?
- obydwu ?
Dokumentacja rsysloga jest zroznicowana i nieprecyzyjna.

[Morfik]

w pliku /etc/rsyslog.conf masz

Kod: Zaznacz cały

....
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############
...

Więc albo se daj te reguły bezpośrednio w tym pliku tam gdzie jest sekcja RULES albo w tych plikach /etc/rsyslog.d/*.conf -- to nie ma znaczenia.

[Matrixx]

W Ubuntu 16.04 rsyslog.conf wyglada inaczej. https://raw.githubusercontent.com/rsysl ... yslog.conf

Kod: Zaznacz cały

#  /etc/rsyslog.conf	Configuration file for rsyslog.
#
#			For more information see
#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

Wychodzi z tego, ze zmiany nalezy wprowadzic do pliku: /etc/rsyslog.d/50-default.conf
Tak wyglada plik po zmianie:

Kod: Zaznacz cały

#  Default rules for rsyslog.
#
#			For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
if $msg contains 'indrop' then -/var/log/indrop.log
& stop
#
if $msg contains 'outdrop' then -/var/log/outdrop.log
& stop
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
#daemon.*			-/var/log/daemon.log
kern.*				-/var/log/messages
#iptables log 
kern.debug                      -/var/log/iptables.log
#lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
#user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info			-/var/log/mail.info
#mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

#
# Logging for INN news system.
#
news.crit			/var/log/news/news.crit
news.err			/var/log/news/news.err
news.notice			-/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#	auth,authpriv.none;\
#	news.none;mail.none	-/var/log/debug
#*.=info;*.=notice;*.=warn;\
#	auth,authpriv.none;\
#	cron,daemon.none;\
#	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#	news.=crit;news.=err;news.=notice;\
#	*.=debug;*.=info;\
#	*.=notice;*.=warn	/dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
	news.err;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

Restart rsysloga:

Kod: Zaznacz cały

root@robin-desktop:~# systemctl status rsyslog.service
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: 
   Active: active (running) since Sun 2018-09-02 15:47:43 IST; 18s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 10407 (rsyslogd)
    Tasks: 11
   Memory: 1.3M
      CPU: 13ms
   CGroup: /system.slice/rsyslog.service
           └─10407 /usr/sbin/rsyslogd -n

Sep 02 15:47:43 robin-desktop systemd[1]: Starting System Logging Service...
Sep 02 15:47:43 robin-desktop systemd[1]: Started System Logging Service.

Niestety przekierowanie nie nastapilo; https://imgur.com/a/s2gRvtu

[Matrixx]

Nastepnego dnia przeinstalowalem rsysloga i zastosowalem regole podana powyzej przez Morfika.
Plik /etc/rsyslog.conf

Kod: Zaznacz cały

#  /etc/rsyslog.conf	Configuration file for rsyslog.
#
#			For more information see
#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
module(load="immark")  # provides --MARK-- message capability

#provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
#

Plik /etc/rsyslog.d/50-default.conf

Kod: Zaznacz cały

#  Default rules for rsyslog.
#
#			For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
if $msg contains 'indrop' then -/var/log/indrop.log
& stop
#
if $msg contains 'outdrop' then -/var/log/outdrop.log
& stop
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
#daemon.*			-/var/log/daemon.log
kern.*				-/var/log/messages
#iptables log 
kern.debug                      -/var/log/iptables.log
#lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
#user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info			-/var/log/mail.info
#mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

#
# Logging for INN news system.
#
news.crit			/var/log/news/news.crit
news.err			/var/log/news/news.err
news.notice			-/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#	auth,authpriv.none;\
#	news.none;mail.none	-/var/log/debug
#*.=info;*.=notice;*.=warn;\
#	auth,authpriv.none;\
#	cron,daemon.none;\
#	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#	news.=crit;news.=err;news.=notice;\
#	*.=debug;*.=info;\
#	*.=notice;*.=warn	/dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
	news.err;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

I Kernel pieknie rozdziela logi w/g prefiksow na dwa rozne pliki.
https://imgur.com/a/Lo4TvXh

Serdeczne podziekowania dla Morfika za bezbledna jak zwykle pomoc !

Pozdro.