[CentOS] Simple IPTABLES Question

Wed Aug 20 17:44:13 UTC 2008
David Dyer-Bennet <dd-b at dd-b.net>

On Tue, August 19, 2008 19:04, Kenneth Porter wrote:
> --On Tuesday, August 19, 2008 10:15 AM -0500 David Dyer-Bennet
> <dd-b at dd-b.net> wrote:
>
>> That's the right general approach; duplicate the drop rule but with a
>> LOG
>> target and appropriate logging parameters.
>
> Another approach is to create a subchain that just logs and drops (no
> match
> rules), and in your main chain you match on the desired packet and jump to
> the subchain. That eliminates the need to maintain the same match in two
> places, and reduces the number of rules a non-dropped packet has to pass
> through.

Or any arbitrary number of pairs of places, in fact; you can jump to that
log-and-drop rule from a dozen different places if you have a dozen things
you want logged-and-dropped.  (It does mean you're not putting cause info
into each log entry to use it that way, though; still, you can usually
figure out from the packet why you dropped it.)

I've been known to put a log entry at the end of my chain, with suitable
rate-limiting parameters, and actually log every spurious packet hitting
my system.  The rate-limiting parameters are important :-).
-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info