Score:0

Logging of "direct" iptables rules with firewalld

I'm using firewalld with the iptables backend. I added "direct" rules for ssh connection limiting:

sudo firewall-cmd --add-port=22/tcp

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --set \
  -m comment --comment "limit ssh connections per ip"

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --update --seconds 61 --hitcount 4 --rttl \
  -j REJECT --reject-with tcp-reset \
  -m comment --comment "limit ssh connections per ip"

# ...similarly for ipv6

I also want logging for rejects and drops, so I ran

$ sudo firewall-cmd --set-log-denied all

That mostly works - when I check sudo journalctl --since today --identifier kernel I see those connections... but not those rejected by my direct rules.

On the repo this was confirmed as expected behaviour, and I was told that I must add more direct rules to log my direct rules:

You have to use the iptables log extension, e.g. -j LOG. ... Unfortunately you'll need two direct rules as iptables doesn't support -j LOG -j ACCEPT.

How do I do that?

Score:1

Figured it out. One must add another rule, identical to the REJECT or DROP rule, but which jumps to the "non-terminating" LOG target.

$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --set \
  -m comment --comment "limit ssh connections per ip"

$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 1 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --update --seconds 61 --hitcount 4 --rttl \
  -m limit --limit "5/min" \
  -j LOG --log-prefix "[REJECT SSH BRUTE FORCE] " --log-level 6 \
  -m comment --comment "limit ssh connections per ip"
# ^ the new rule: same match as the REJECT rule below, but it jumps to the
#   non-terminating LOG target; "-m limit" caps the log lines at 5/min

$ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 2 \
  -p tcp --dport 22 \
  -m state --state NEW \
  -m recent --name ssh --update --seconds 61 --hitcount 4 --rttl \
  -j REJECT --reject-with tcp-reset \
  -m comment --comment "limit ssh connections per ip"

# ...similarly for ipv6

To view logs for those connections:

# all kernel (netfilter) log messages for rejected and dropped packets,
# including firewalld's own FINAL_REJECT / *_DROP lines
$ sudo journalctl --identifier kernel --grep 'REJECT|DROP'

# or just the ssh brute force attempts
$ sudo journalctl --identifier kernel --grep 'REJECT SSH BRUTE FORCE'
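As an added example (not part of the original answer), the same three-rule pattern scripted for both address families, plus a small parser for the kernel log lines the LOG rule produces. The iptables arguments are those of the answer above; the dry-run printing, the function names, the `--permanent` + `--reload` handling and the sample journal lines are assumptions and constructed data, not output from a real host.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: install the LOG + REJECT pair for
# both address families with one function, and summarise the resulting kernel
# log lines per source address. Function names, the DRY_RUN switch and the
# sample log below are assumptions; the rule arguments mirror the answer above.
set -euo pipefail

LOG_PREFIX='[REJECT SSH BRUTE FORCE] '
COMMENT='limit ssh connections per ip'

# Match shared by all three rules, and the "4 NEW connections in 61 s" trigger.
MATCH=(-p tcp --dport 22 -m state --state NEW)
TRIGGER=(-m recent --name ssh --update --seconds 61 --hitcount 4 --rttl)

# add_rule <ipv4|ipv6> <priority> <iptables args...>
# With DRY_RUN=1 (the default) the firewall-cmd invocation is printed instead of
# run, each argument shell-quoted, so the output can be copied and pasted.
add_rule() {
  local family=$1 prio=$2
  shift 2
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'firewall-cmd --permanent --direct --add-rule %s filter INPUT_direct %s' "$family" "$prio"
    printf ' %q' "$@"
    echo
  else
    sudo firewall-cmd --permanent --direct --add-rule "$family" filter INPUT_direct "$prio" "$@"
  fi
}

# Priorities order the rules: 0 records the hit, 1 logs (non-terminating and
# rate-limited so a flood cannot fill the journal), 2 rejects. ip6tables accepts
# the same "REJECT --reject-with tcp-reset" as iptables.
install_ssh_limit() {
  local family
  for family in ipv4 ipv6; do
    add_rule "$family" 0 "${MATCH[@]}" -m recent --name ssh --set \
      -m comment --comment "$COMMENT"
    add_rule "$family" 1 "${MATCH[@]}" "${TRIGGER[@]}" -m limit --limit 5/min \
      -j LOG --log-prefix "$LOG_PREFIX" --log-level 6 -m comment --comment "$COMMENT"
    add_rule "$family" 2 "${MATCH[@]}" "${TRIGGER[@]}" -j REJECT --reject-with tcp-reset \
      -m comment --comment "$COMMENT"
  done
  # --permanent rules only take effect after a reload.
  [ "${DRY_RUN:-1}" = 1 ] || sudo firewall-cmd --reload
}

# Read journal lines on stdin (e.g. journalctl --identifier kernel) and print
# "<count> <source>" for every address the LOG rule fired on, busiest first.
# The prefix is matched literally, so firewalld's own FINAL_REJECT lines and
# unrelated kernel messages are not counted.
top_ssh_rejecters() {
  awk -v pfx="$LOG_PREFIX" '
    index($0, pfx) {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) hits[substr($i, 5)]++
    }
    END { for (src in hits) print hits[src], src }
  ' | sort -rn
}

# Constructed sample journal output (not real traffic): three hits from one
# IPv4 address, one from an IPv6 address, plus a firewalld FINAL_REJECT line
# that must not be counted.
SAMPLE_LOG='Mar 12 10:00:01 host kernel: [REJECT SSH BRUTE FORCE] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 12 10:00:02 host kernel: [REJECT SSH BRUTE FORCE] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 12 10:00:03 host kernel: [REJECT SSH BRUTE FORCE] IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=80 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 12 10:00:04 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=1234 DPT=23 SYN
Mar 12 10:00:05 host kernel: [REJECT SSH BRUTE FORCE] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN'

# Usage: "bash thisfile.sh demo" prints the six commands and the per-source
# summary of the sample; "DRY_RUN=0 bash thisfile.sh install" installs the rules.
case "${1:-}" in
  demo)    install_ssh_limit; printf '%s\n' "$SAMPLE_LOG" | top_ssh_rejecters ;;
  install) install_ssh_limit ;;
esac
```

On a live host, feed the parser with `sudo journalctl --identifier kernel --grep 'REJECT SSH BRUTE FORCE' | top_ssh_rejecters` to see which sources are tripping the limit; the `-m limit 5/min` on the LOG rule means the counts are a lower bound during a flood.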