I created iptables rules that should, in theory, let me log certain packets (INVALID and NEW) with ulogd.
Code:
# Generated by iptables-save v1.8.10 on Thu Jul 25 08:38:30 2024
*security
:INPUT ACCEPT [83388:80286434]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [55639:8524163]
COMMIT
# Completed on Thu Jul 25 08:38:30 2024
# Generated by iptables-save v1.8.10 on Thu Jul 25 08:38:30 2024
*raw
:PREROUTING ACCEPT [83388:80286434]
:OUTPUT ACCEPT [55639:8524163]
COMMIT
# Completed on Thu Jul 25 08:38:30 2024
# Generated by iptables-save v1.8.10 on Thu Jul 25 08:38:30 2024
*mangle
:PREROUTING ACCEPT [83388:80286434]
:INPUT ACCEPT [83388:80286434]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [55639:8524163]
:POSTROUTING ACCEPT [55639:8524163]
COMMIT
# Completed on Thu Jul 25 08:38:30 2024
# Generated by iptables-save v1.8.10 on Thu Jul 25 08:38:30 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1383:154762]
:POSTROUTING ACCEPT [1383:154762]
COMMIT
# Completed on Thu Jul 25 08:38:30 2024
# Generated by iptables-save v1.8.10 on Thu Jul 25 08:38:30 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 127.0.0.1/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j NFLOG --nflog-prefix "[INVALID_IN] : " --nflog-group 1
-A INPUT -m conntrack --ctstate NEW -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j NFLOG --nflog-prefix "[NEW] : " --nflog-group 1
-A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
COMMIT
# Completed on Thu Jul 25 08:38:30 2024
iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED,NEW,INVALID -m recent --update --seconds 300 --hitcount 1 --name DEFAULT --mask 255.255.255.255 --rsource -j NFLOG --nflog-prefix "[ALL] : " --nflog-group 1
But nothing shows up in the file /var/log/ulogd.syslogemu
/etc/ulogd.conf:
Code:
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
[log1]
group=1
[emu1]
file=/var/log/ulogd.syslogemu
-rw-r--r-- 1 root root 0 16 mai 06:46 /var/log/ulogd.syslogemu
I've been at this for a while, but no luck, it just won't work :/
Any help would be welcome.
Thanks.
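One check worth running on a setup like this, as an added example that is not the poster's code: `-m recent --update` (like `--rcheck`) only matches source addresses that are already in the named list, and only a rule with `-m recent --set` ever adds an address to it, so `--update` rules with no `--set` rule for the same list name can never fire, and nothing reaches NFLOG. The script below parses iptables-save style `-A` lines and an ulogd.conf, reports recent lists that are consulted but never populated, and cross-checks the `--nflog-group` values against the `group=` of the NFLOG inputs in the ulogd stack. The sample rules and config are constructed copies of what the post shows (the `iptables -I INPUT 3` rule is written in `-A` form); the "corrected" rule set is a constructed assumption of one common fix pattern, a `--set` rule placed before the `--update` rules, not something the post contains.

```python
import configparser
import shlex
from collections import defaultdict

# Constructed sample inputs, copied from the post's filter table and ulogd.conf.
SAMPLE_RULES = """\
-A INPUT -d 127.0.0.1/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,NEW,INVALID -m recent --update --seconds 300 --hitcount 1 --name DEFAULT --mask 255.255.255.255 --rsource -j NFLOG --nflog-prefix "[ALL] : " --nflog-group 1
-A INPUT -m conntrack --ctstate INVALID -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j NFLOG --nflog-prefix "[INVALID_IN] : " --nflog-group 1
-A INPUT -m conntrack --ctstate NEW -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j NFLOG --nflog-prefix "[NEW] : " --nflog-group 1
-A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
"""

# Constructed (assumed) fix pattern: populate the list with --set before consulting it.
CORRECTED_RULES = """\
-A INPUT -m conntrack --ctstate NEW,INVALID -m recent --set --name DEFAULT --rsource
-A INPUT -m conntrack --ctstate INVALID -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --rsource -j NFLOG --nflog-prefix "[INVALID_IN] : " --nflog-group 1
-A INPUT -m conntrack --ctstate NEW -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --rsource -j NFLOG --nflog-prefix "[NEW] : " --nflog-group 1
"""

SAMPLE_ULOGD_CONF = """\
[global]
logfile="/var/log/ulogd.log"
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
[log1]
group=1
[emu1]
file=/var/log/ulogd.syslogemu
"""

RECENT_CONSULT_OPTS = ("--update", "--rcheck", "--remove")


def parse_rules(text):
    """Split iptables-save style '-A' lines into token lists; shlex keeps the quoted prefix whole."""
    return [shlex.split(line) for line in text.splitlines() if line.strip().startswith("-A ")]


def recent_usage(toks):
    """For a rule using '-m recent', return (list name, populates, consults); otherwise None."""
    if not any(a == "-m" and b == "recent" for a, b in zip(toks, toks[1:])):
        return None
    name = toks[toks.index("--name") + 1] if "--name" in toks else "DEFAULT"
    consults = any(opt in toks for opt in RECENT_CONSULT_OPTS)
    return name, "--set" in toks, consults


def unpopulated_recent_lists(rules):
    """Map list name -> rule indexes that consult it, for lists no rule ever --set's."""
    populated, consulted = set(), defaultdict(list)
    for idx, toks in enumerate(rules):
        usage = recent_usage(toks)
        if usage is None:
            continue
        name, populates, consults = usage
        if populates:
            populated.add(name)
        if consults:
            consulted[name].append(idx)
    return {name: idxs for name, idxs in consulted.items() if name not in populated}


def nflog_groups(rules):
    """NFLOG groups the rules log to (the NFLOG target defaults to group 0)."""
    groups = set()
    for toks in rules:
        if "-j" in toks and toks[toks.index("-j") + 1] == "NFLOG":
            groups.add(int(toks[toks.index("--nflog-group") + 1]) if "--nflog-group" in toks else 0)
    return groups


def ulogd_nflog_groups(conf_text):
    """Groups the NFLOG input instances in the ulogd stack listen on (default 0)."""
    # strict=False tolerates the repeated plugin= keys; if several stack= lines exist,
    # configparser keeps only the last one, so a real checker would need its own parser.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    groups = set()
    for entry in cp.get("global", "stack", fallback="").split(","):
        instance, _, plugin = entry.strip().partition(":")
        if plugin == "NFLOG":
            groups.add(cp.getint(instance, "group", fallback=0))
    return groups


def check_logging_path(rules_text, conf_text):
    """Return human-readable findings explaining why NFLOG rules may produce no ulogd output."""
    rules = parse_rules(rules_text)
    findings = []
    for name, idxs in unpopulated_recent_lists(rules).items():
        findings.append(f"recent list '{name}' is consulted by rules {idxs} but no rule ever --set's it, "
                        "so those rules can never match")
    missing = nflog_groups(rules) - ulogd_nflog_groups(conf_text)
    if missing:
        findings.append(f"NFLOG groups {sorted(missing)} have no NFLOG input in the ulogd stack")
    return findings


if __name__ == "__main__":
    for label, rules in (("posted rules", SAMPLE_RULES), ("corrected rules", CORRECTED_RULES)):
        print(label, "->", check_logging_path(rules, SAMPLE_ULOGD_CONF) or ["no findings"])
```

Run against the posted rules the checker reports that every NFLOG rule consults the `DEFAULT` list that nothing populates, while the group numbers on both sides agree (1), which points at the `-m recent` match rather than ulogd as the reason the file stays empty; against the constructed corrected set it reports nothing.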