iptables: logging SSH logins

I have the following iptables rules in place and I can see the log entries in /var/log/messages:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 1/min -j LOG --log-prefix "Just-a-LOG: " --log-level 4

But the following (intended to log whenever someone tries to connect via SSH) does not work:

iptables -N LOGGING
iptables -A INPUT -p tcp --dport 19600 -m state --state NEW -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "Just-a-LOG: " --log-level 4

I also started ip6tables as follows:

systemctl enable ip6tables
systemctl start ip6tables

and added the following rules:

ip6tables -N LOGGING
ip6tables -A INPUT -p tcp --dport 19600 -m state --state NEW -j LOGGING
ip6tables -A LOGGING -j LOG --log-prefix "Just-a-LOG: " --log-level 4

But it still doesn't work. What is the problem?

This is also the output of my iptables-save:

# Generated by iptables-save v1.4.21 on Mon Sep 11 17:43:55 2017
*raw
:PREROUTING ACCEPT [1025:82269]
:OUTPUT ACCEPT [1025:694246]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Sep 11 17:43:55 2017
# Generated by iptables-save v1.4.21 on Mon Sep 11 17:43:55 2017
*security
:INPUT ACCEPT [1002:81285]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1025:694246]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Sep 11 17:43:55 2017
# Generated by iptables-save v1.4.21 on Mon Sep 11 17:43:55 2017
*mangle
:PREROUTING ACCEPT [1025:82269]
:INPUT ACCEPT [1025:82269]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1025:694246]
:POSTROUTING ACCEPT [1025:694246]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -i eth2 -g PRE_public
-A PREROUTING_ZONES -i eth1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Sep 11 17:43:55 2017
# Generated by iptables-save v1.4.21 on Mon Sep 11 17:43:55 2017
*nat
:PREROUTING ACCEPT [26:1140]
:INPUT ACCEPT [3:156]
:OUTPUT ACCEPT [3:213]
:POSTROUTING ACCEPT [3:213]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o eth0 -g POST_public
-A POSTROUTING_ZONES -o eth2 -g POST_public
-A POSTROUTING_ZONES -o eth1 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -i eth2 -g PRE_public
-A PREROUTING_ZONES -i eth1 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Sep 11 17:43:55 2017
# Generated by iptables-save v1.4.21 on Mon Sep 11 17:43:55 2017
*filter
:INPUT DROP [23:984]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1025:694246]
:LOGGING - [0:0]
:SSH - [0:0]
:blacklist - [0:0]
:ssh - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 19502 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 19501 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 19600 -m state --state NEW -j LOGGING
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LOGGING -j ACCEPT
-A LOGGING -j LOG --log-prefix "Just-a-LOG: "
-A blacklist -m recent --set --name blacklist --mask 255.255.255.255 --rsource
COMMIT
# Completed on Mon Sep 11 17:43:55 2017

Answer 1

You need to swap the order of the -j LOG and -j ACCEPT rules in the LOGGING chain.

Rules are evaluated until a filtering decision is made or the end of the chain is reached, in which case the default policy applies. Once a rule matches with -j ACCEPT/REJECT/DROP, no further rules are evaluated.
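As an added example (not part of the question or the answer above): the corrected LOGGING chain with the LOG rule ahead of the terminating ACCEPT, plus a small sh/awk check that scans iptables-save output for rules sitting behind an unconditional ACCEPT/DROP/REJECT/RETURN in the same chain, which can never match. The function names `apply_logging_chain` and `unreachable_rules` and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Corrected LOGGING chain: LOG first, then ACCEPT. ACCEPT is a terminating
# target, so with the original order the LOG rule was never reached.
# Requires root and iptables; only run this on the host being fixed.
apply_logging_chain() {
    iptables -F LOGGING 2>/dev/null || iptables -N LOGGING
    iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "Just-a-LOG: " --log-level 4
    iptables -A LOGGING -j ACCEPT
}

# unreachable_rules: read iptables-save text on stdin and print every rule
# that follows an unconditional terminating rule (no match options) in the
# same chain. Exit status 1 if any were found, 0 otherwise.
unreachable_rules() {
    awk '
        /^\*/ || /^COMMIT/ { split("", dead); next }      # new table: reset per-chain state
        /^-A / {
            chain = $2
            if (chain in dead) { print "unreachable in " chain ": " $0; found = 1 }
            if ($0 ~ /^-A [^ ]+ -j (ACCEPT|DROP|REJECT|RETURN)( --reject-with [^ ]+)?$/) dead[chain] = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample mirroring the LOGGING chain from the question.
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 19600 -m state --state NEW -j LOGGING
-A LOGGING -j ACCEPT
-A LOGGING -j LOG --log-prefix "Just-a-LOG: "
COMMIT'

# Prints the dead LOG rule; the conditional ACCEPT in INPUT is not flagged.
printf '%s\n' "$SAMPLE_BAD" | unreachable_rules || echo "fix: move -j LOG ahead of -j ACCEPT"
```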
