Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

You may just need to add a default logging rule #52

Open
heliobarbosa opened this issue Aug 29, 2017 · 9 comments
Open

You may just need to add a default logging rule #52

heliobarbosa opened this issue Aug 29, 2017 · 9 comments

Comments

@heliobarbosa
Copy link

I'm faced with this erro

[-] You may just need to add a default logging rule to the
'filter' 'INPUT' chain on localhost.localdomain. For more information,
see the file "README" in the psad sources directory or visit:

http://www.cipherdyne.org/psad/docs/fwconfig.html

But this is my iptables rules:

[root@localhost Downloads]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

there is som problem?
@Doemela
Copy link

Doemela commented Sep 5, 2017

Yes get those mails to "[psad-status] firewall setup warning on domain.tld!" rules are in the INPUT and FORWARD
Debian 9.1
psad-2.4.5
iptables & ip6tables

@itoffshore
Copy link

@HelioB - you should really have a default deny policy on the INPUT chain (not accept)

@mrash - I get a similar message:

[+] Available search strings in /etc/psad/psad.conf:

        DROP

[+] Additional search strings can be added be specifying more
    FW_MSG_SEARCH lines in /etc/psad/psad.conf

[-] The INPUT chain in the ruleset on xxxxxxxx includes a default
    LOG rule for all protocols,
    but the rule does not include one of the log prefixes mentioned above.
    It appears as though the log prefix is set to "NONE"
    psad will not be able to detect scans without adding one of the above
    logging prefixes to the rule.

For the last rule in the INPUT chain I use:

-A INPUT -m limit --limit 2/min -j LOG --log-prefix "DROP INPUT: " --log-level 4

@kees-closed
Copy link

kees-closed commented Jul 9, 2018
edited
Loading

Regarding #50; the latest version of PSAD has finally landed in Fedora. Now I also get this warning:

You may just need to add a default logging rule to the
'filter' 'INPUT' chain on defiant. For more information,
see the file "README" in the psad sources directory or visit:

I do have drop rules for INPUT and FORWARD in both iptables and ip6tables.

# iptables -vnL | grep DROP
   21   840 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 4 prefix "DROP INPUT "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            LOG flags 6 level 4 prefix "DROP FORWARD "
   15   600 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID

# iptables-save | grep DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT ! -i lo -j LOG --log-prefix "DROP INPUT " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD ! -i lo -j LOG --log-prefix "DROP FORWARD " --log-tcp-options --log-ip-options
-A OUTPUT -m conntrack --ctstate INVALID -j DROP

Yet, PSAD does not detect the chains:

jul 09 11:32:00 defiant systemd[1]: Starting The Port Scan Attack Detector (psad)...
jul 09 11:32:01 defiant psad[13390]: invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
jul 09 11:32:01 defiant psad[13390]: invalid IPT_AUTO_CHAIN2 keyword, OUTPUT chain does not exist.
jul 09 11:32:01 defiant psad[13390]: invalid IPT_AUTO_CHAIN3 keyword, FORWARD chain does not exist.
jul 09 11:32:01 defiant psad[13390]: imported p0f-based passive OS fingerprinting signatures
jul 09 11:32:01 defiant psad[13390]: imported TOS-based passive OS fingerprinting signatures
jul 09 11:32:02 defiant psad[13390]: imported Snort classification.config
jul 09 11:32:02 defiant psad[13390]: imported original Snort rules in /etc/psad/snort_rules/ for reference info
jul 09 11:32:02 defiant psad[13390]: imported 206 psad Snort signatures from /etc/psad/signatures
jul 09 11:32:02 defiant psad[13390]: imported valid icmp types and codes
jul 09 11:32:02 defiant psad[13390]: imported valid icmp6 types and codes
jul 09 11:32:02 defiant psad[13390]: starting up psad version 2.4.5
jul 09 11:32:04 defiant systemd[1]: Started The Port Scan Attack Detector (psad).
jul 09 11:32:04 defiant psad[13438]: flushing existing psad iptables auto-response chains

I do not use firewalld, I use the native ip[6]tables.

ENABLE_OVERRIDE_FW_CMD                  N;
FW_CMD                                  NONE;
FW_CMD_ARGS                             NONE;
...
iptablesCmd                             /sbin/iptables;
ip6tablesCmd                            /sbin/ip6tables;

What am I missing here?

@Doemela
Copy link

Doemela commented Jul 9, 2018

...
-A INPUT -j LOG
-A INPUT -j DROP
....
-A FORWARD -j LOG

Should be enough what version you using? package/installed with the install.pl

@itoffshore
Copy link

On an Arch Linux systemd based system I have been using (without any problems)

-A INPUT -m limit --limit 2/min -j LOG --log-prefix "DROP INPUT: " --log-level 4

I also set in /etc/psad/psad.conf:

AUTO_DETECT_JOURNALCTL Y;

I also use a default deny policy:

## iptables-restore < /etc/iptables.rules

*filter

#default DROP Policy
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

@kees-closed
Copy link

kees-closed commented Jul 10, 2018
edited
Loading

I don't think a default drop policy is required, my last rule for input and forward drops all.

When I start PSAD with psad --debug I see that it, for some reason, defaults to firewall-cmd... I will check this in more detail. Continues in #50.

# psad --debug                                                                     
[+] run_command(): /bin/ps auxww                                     
[*] journalctl appears to be running.                                                        
[+] import_perl_modules(): The @INC array:                                
/usr/local/lib64/perl5                                                                                                                    
/usr/local/share/perl5                                                          
/usr/lib64/perl5/vendor_perl                                                                             
/usr/share/perl5/vendor_perl                                           
/usr/lib64/perl5                                                                                            
/usr/share/perl5                                                
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -w -t filter -n -L INPUT
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)
Tue Jul 10 16:09:13 2018     firewall-cmd command stdout:                   
Tue Jul 10 16:09:13 2018     firewall-cmd command stderr:               
FirewallD is not running                                                        
Tue Jul 10 16:09:13 2018     Return value: 0                                             
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L INPUT
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)                                                                                                                                                                                                                                                                               
Tue Jul 10 16:09:13 2018     firewall-cmd command stdout:                                                                                                                                                                                                                                                                                                                    
Tue Jul 10 16:09:13 2018     firewall-cmd command stderr:                                                                                                                                                                                                                                                                                                                   
FirewallD is not running                                                                                                                                                                                                                                                                                                                                                     
Tue Jul 10 16:09:13 2018     Return value: 0                                                                                                         
[+] syslog msg: invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.                                   
[-] build_ipt_config(): invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L OUTPUT
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)
Tue Jul 10 16:09:13 2018     firewall-cmd command stdout:                       
Tue Jul 10 16:09:13 2018     firewall-cmd command stderr:            
FirewallD is not running                                                                          
Tue Jul 10 16:09:13 2018     Return value: 0                                                
[+] syslog msg: invalid IPT_AUTO_CHAIN2 keyword, OUTPUT chain does not exist.
[-] build_ipt_config(): invalid IPT_AUTO_CHAIN2 keyword, OUTPUT chain does not exist.                                                                                    
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L FORWARD                           
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)                                                                            
Tue Jul 10 16:09:14 2018     firewall-cmd command stdout:                                                                                                                                                                                                                                                                                                                    
Tue Jul 10 16:09:14 2018     firewall-cmd command stderr:                                                                                                                                                                                                                                                                                                                    
FirewallD is not running                                                                                                                                                                                                                                                                                                                                                     
Tue Jul 10 16:09:14 2018     Return value: 0

My config is as follows:

EMAIL_ADDRESSES                         [email protected];
HOSTNAME                                hostname;
HOME_NET                                any;
EXTERNAL_NET                            any;
FW_SEARCH_ALL                           Y;
FW_MSG_SEARCH                           DROP;
IFCFGTYPE  iproute2;
DANGER_LEVEL1                           5; ### number of packets.
DANGER_LEVEL2                           15;
DANGER_LEVEL3                           150;
DANGER_LEVEL4                           1500;
DANGER_LEVEL5                           10000;
DL1_UNIQUE_HOSTS                        10;
DL2_UNIQUE_HOSTS                        20;
DL3_UNIQUE_HOSTS                        50;
DL4_UNIQUE_HOSTS                        100;
DL5_UNIQUE_HOSTS                        500;
CHECK_INTERVAL                          5;
SNORT_SID_STR                           SID;
PORT_RANGE_SCAN_THRESHOLD               1;
PORT_RANGE_SWEEP_THRESHOLD              0; ### a single port by default, see the DL1_UNIQUE_HOSTS var
PROTOCOL_SCAN_THRESHOLD                 5;
ENABLE_PERSISTENCE                      Y;
SCAN_TIMEOUT                            3600; ### seconds
PERSISTENCE_CTR_THRESHOLD               5;
MAX_SCAN_IP_PAIRS                       0;
SHOW_ALL_SIGNATURES                     Y;
ALERTING_METHODS                        ALL;
AUTO_DETECT_JOURNALCTL                  Y;
ENABLE_SYSLOG_FILE                      Y;
IPT_WRITE_FWDATA                        Y;
IPT_SYSLOG_FILE                         /var/log/messages;
SYSLOG_DAEMON                           syslogd;
ENABLE_FW_MSG_READ_CMD                  Y;
FW_MSG_READ_CMD                         /bin/journalctl;
FW_MSG_READ_CMD_ARGS                    -f -k;
USE_FW_MSG_READ_CMD_ARGS                Y;
FW_MSG_READ_MIN_PKTS                    30;
ENABLE_SIG_MSG_SYSLOG                   Y;
SIG_MSG_SYSLOG_THRESHOLD                10;
SIG_SID_SYSLOG_THRESHOLD                10;
ENABLE_PSADWATCHD                       N;
EXPECT_TCP_OPTIONS                      Y;
MAX_HOPS                                20;
IGNORE_KERNEL_TIMESTAMP                 Y;
IGNORE_CONNTRACK_BUG_PKTS               Y;
IGNORE_PORTS                            NONE;
IGNORE_PROTOCOLS                        NONE;
IGNORE_INTERFACES                       NONE;
IGNORE_LOG_PREFIXES                     NONE;
MIN_DANGER_LEVEL                        1;
EMAIL_ALERT_DANGER_LEVEL                3;
ENABLE_IPV6_DETECTION                   Y;
ENABLE_INTF_LOCAL_NETS                  Y;
ENABLE_MAC_ADDR_REPORTING               Y;
ENABLE_FW_LOGGING_CHECK                 Y;
EMAIL_LIMIT                             25;
ENABLE_EMAIL_LIMIT_PER_DST              Y;
EMAIL_LIMIT_STATUS_MSG                  Y;
EMAIL_THROTTLE                          0;
ALERT_ALL                               Y;
IMPORT_OLD_SCANS                        N;
SYSLOG_IDENTITY                         psad;
SYSLOG_FACILITY                         LOG_LOCAL7;
SYSLOG_PRIORITY                         LOG_INFO;
TOP_PORTS_LOG_THRESHOLD                 500;
STATUS_PORTS_THRESHOLD                  20;
TOP_SIGS_LOG_THRESHOLD                  500;
STATUS_SIGS_THRESHOLD                   50;
TOP_IP_LOG_THRESHOLD                    500;
STATUS_IP_THRESHOLD                     25;
TOP_SCANS_CTR_THRESHOLD                 1;
ENABLE_OVERRIDE_FW_CMD                  N;
FW_CMD                                  NONE;
FW_CMD_ARGS                             NONE;
ENABLE_DSHIELD_ALERTS                   Y;
DSHIELD_ALERT_EMAIL                     [email protected];
DSHIELD_ALERT_INTERVAL                  6; ### hours
DSHIELD_USER_ID                         0;
DSHIELD_USER_EMAIL                      NONE;
DSHIELD_DL_THRESHOLD                    0;
HTTP_SERVERS                            $HOME_NET;
SMTP_SERVERS                            $HOME_NET;
DNS_SERVERS                             $HOME_NET;
SQL_SERVERS                             $HOME_NET;
TELNET_SERVERS                          $HOME_NET;
AIM_SERVERS                             [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS                              80;
SHELLCODE_PORTS                         !80;
ORACLE_PORTS                            1521;
ENABLE_SNORT_SIG_STRICT                 Y;
ENABLE_AUTO_IDS                         Y;
AUTO_IDS_DANGER_LEVEL                   5;
AUTO_BLOCK_TIMEOUT                      3600;
AUTO_BLOCK_DL1_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT                  $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT                  0; ### permanent
ENABLE_AUTO_IDS_REGEX                   N;
AUTO_BLOCK_REGEX                        ESTAB;  ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS               N;
ENABLE_AUTO_IDS_EMAILS                  Y;
IPTABLES_BLOCK_METHOD                   Y;
IPT_AUTO_CHAIN1                         DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2                         DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3                         DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT                       Y;
IPTABLES_PREREQ_CHECK                   1;
TCPWRAPPERS_BLOCK_METHOD                N;
ENABLE_WHOIS_LOOKUPS                    Y;
WHOIS_TIMEOUT                           60; ### seconds
WHOIS_LOOKUP_THRESHOLD                  20;
ENABLE_WHOIS_FORCE_ASCII                N;
ENABLE_WHOIS_FORCE_SRC_IP               N;
ENABLE_DNS_LOOKUPS                      Y;
DNS_LOOKUP_THRESHOLD                    20;
ENABLE_EXT_SCRIPT_EXEC                  N;
EXTERNAL_SCRIPT                         /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT               N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC            N;
EXTERNAL_BLOCK_SCRIPT                   /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE              N;
CUSTOM_SYSLOG_TS_RE                     ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL                     300; ### seconds
DISK_MAX_PERCENTAGE                     95;
DISK_MAX_RM_RETRIES                     10;
ENABLE_SCAN_ARCHIVE                     N;
TRUNCATE_FWDATA                         Y;
MIN_ARCHIVE_DANGER_LEVEL                1;
MAIL_ALERT_PREFIX                       [psad-alert];
MAIL_STATUS_PREFIX                      [psad-status];
MAIL_ERROR_PREFIX                       [psad-error];
MAIL_FATAL_PREFIX                       [psad-fatal];
SIG_UPDATE_URL                          http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL               5; ### seconds
PSADWATCHD_MAX_RETRIES                  10;
INSTALL_ROOT                            /;
PSAD_DIR                                $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR                            $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR                           $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR                           $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR                           $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR                            $PSAD_DIR/errs;
CONF_ARCHIVE_DIR                        $PSAD_DIR/archive;
SCAN_DATA_ARCHIVE_DIR                   $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR                       $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR                         $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR                       /etc/fwsnort/snort_rules; ### may not exist
FW_DATA_FILE                            $PSAD_DIR/fwdata;
ULOG_DATA_FILE                          $PSAD_DIR/ulogd.log;
FW_CHECK_FILE                           $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE                      $PSAD_DIR/dshield.email;
SIGS_FILE                               $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE                          $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE                         $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE                        $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE                            $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE                      $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE                               $PSAD_CONF_DIR/posf;
P0F_FILE                                $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE                            $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE                          $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE                     /etc/hosts.deny;
ETC_SYSLOG_CONF                         /etc/syslog.conf;
ETC_RSYSLOG_CONF                        /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF                       /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF                        /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE                      $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE                    $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE                        $PSAD_DIR/install.log;
PSAD_PID_FILE                           $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE                   $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE                       $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE                         $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE                     $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE                     $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE                   $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK                           $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG                            $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH                         $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE                       /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE                     $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE                  $PSAD_DIR/top_ports;
TOP_SIGS_FILE                           $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE                      $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE                    $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE                 $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN                      psad_iptout.XXXXXX;
IPT_ERROR_PATTERN                       psad_ipterr.XXXXXX;
iptablesCmd                             /sbin/iptables;
ip6tablesCmd                            /sbin/ip6tables;
shCmd                                   /bin/sh;
wgetCmd                                 /usr/bin/wget;
gzipCmd                                 /bin/gzip;
mknodCmd                                /bin/mknod;
psCmd                                   /bin/ps;
mailCmd                                 /bin/mail;
sendmailCmd                             /usr/sbin/sendmail;
ifconfigCmd                             /sbin/ifconfig;
ipCmd                                   /sbin/ip;
killallCmd                              /usr/bin/killall;
netstatCmd                              /bin/netstat;
unameCmd                                /bin/uname;
whoisCmd                                /usr/bin/whois;
dfCmd                                   /bin/df;
fwcheck_psadCmd                         $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd                           $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd                               $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd                                 $INSTALL_ROOT/usr/sbin/psad;

@kees-closed
Copy link

My issue was resolved with psad-2.4.6-1.fc29.x86_64

@Bammede
Copy link

Bammede commented Jan 25, 2022

On my Ubuntu 20.04 have the same problem with INPUT, even iptables has LOG rules.

@ikabod
Copy link

ikabod commented Apr 10, 2023
edited
Loading

In my case the problem with Debian 11 was the fact, that rules added manually are gone after a reboot. And since I use ipv6 too, I got the message 2 times in the email.

My solution was to add the following script to the folder /etc/network/if-pre-up.d/iptableRules and make it executable: chmod +x iptableRules.

Note: the script must not have an .sh extension otherwise it will not be executed. You can test if it will be loaded by running the command run-parts --test /etc/network/if-pre-up.d

#!/bin/bash

# check if rule exists and if not add it
checkRule()  {

    # $1 = iptables/ip6tables
    # $2 = rule

    # rule does not exist?
    if ! $1 -C $2; then

        # add rule
        $1 -A $2

        # failed?
        if ! $1 -C $2; then

            # inform user
           echo "error: could not add rule $2 to $1"

        else

            # inform user
             echo "rule $2 added to $1"

        fi

    else

        # inform user
        echo "rule $2 already exists in $1"

    fi

}

# define rules
inputRule="INPUT -j LOG"
forwardRule="FORWARD -j LOG"

# check if rules exists
checkRule "iptables" "$inputRule"
checkRule "iptables" "$forwardRule"
checkRule "ip6tables" "$inputRule"
checkRule "ip6tables" "$forwardRule"

As an alternative you can use the package iptables-persistent but I have not tested it. More information you can find at:

https://serverfault.com/questions/904938/iptables-didnt-restore-the-new-rules-after-reboot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@heliobarbosa @itoffshore @Doemela @kees-closed @ikabod @Bammede