Bug 836738 - --log-prefix wrong after reboot
Summary: --log-prefix wrong after reboot
Keywords:
Status: CLOSED DUPLICATE of bug 825796
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-06-30 18:34 UTC by Harald Reindl
Modified: 2012-06-30 20:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-30 20:53:12 UTC
Type: Bug
Embargoed:



Description Harald Reindl 2012-06-30 18:34:53 UTC
what happens with log rules after a reboot on F17
see below! the same appears in dmesg if a rule is triggered

the second output is the correct one after calling my iptables.sh script again

________________

/sbin/iptables --list --numeric --verbose | grep -i log

[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep -i log
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "--log-prefix"

________________


[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep -i log
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "Firewall Portscan: "

Comment 1 Harald Reindl 2012-06-30 18:36:28 UTC
well, and this was a mailing-list thread some time ago about this topic

-------- Original Message --------
Subject: Re: F17: iptables logging "--log-prefix" in dmesg?
Date: Sun, 24 Jun 2012 14:35:30 +0200
From: Reindl Harald <h.reindl>
Reply-To: Community support for Fedora users <users.org>
Organization: the lounge interactive design
To: users.org



On 24.06.2012 14:15, Michael Schwendt wrote:
> On Sun, 24 Jun 2012 14:03:08 +0200, Reindl Harald wrote:
> 
>> what is this in dmesg?
>> why is "--log-prefix" logged here instead of the --log-prefix from whatever rule it was?
>>
>> --log-prefixIN=eth1 OUT= MAC=00:50:8d:b5:cc:de:00:01:5c:24:68:01:08:00 SRC=120.89.73.74 DST=84.113.45.179 LEN=60
>> TOS=0x00 PREC=0x00 TTL=51 ID=58168 DF PROTO=TCP SPT=39903 DPT=19 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>> is this more likely a kernel-bug or rsyslog?
> 
> What does "iptables-save|grep log-prefix" tell?
> And is it reproducible after "iptables-save|iptables-restore"?

this is VERY strange!
_____________________________

after a reboot without calling my firewall script, which builds all iptables rules
from scratch with iptables commands

[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep prefix
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "--log-prefix"
    5   300 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "--log-prefix"
_____________________________

after calling my "iptables.sh" all is fine NOW

[root@srv-rhsoft:~]$ /sbin/iptables --list --numeric --verbose | grep prefix
    0     0 LOG        udp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth1   *      !91.118.73.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        udp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 70 name: udpflood side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  eth0   *      !192.168.2.0/24       0.0.0.0/0            state NEW recent: UPDATE seconds: 2 hit_count: 150 name: DEFAULT side: source limit: avg 1/min burst 5 LOG flags 0 level 7 prefix "Firewall Rate-Control: "
    0     0 LOG        tcp  --  !lo    *      !192.168.2.0/24       0.0.0.0/0            multiport dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 limit: avg 10/hour burst 5 LOG flags 0 level 7 prefix "Firewall Portscan: "
_____________________________

it also looks like iptables-save works as expected

so I don't really have an idea what is happening and at which point
it gets damaged - but since we are speaking about the firewall
I am a little bit nervous

[root@srv-rhsoft:~]$ iptables-save|grep log-prefix
-A INPUT ! -s 91.118.73.0/24 -i eth1 -p udp -m state --state NEW -m recent --update --seconds 2 --hitcount 70 --name udpflood --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 91.118.73.0/24 -i eth1 -p tcp -m state --state NEW -m recent --update --seconds 2 --hitcount 150 --name DEFAULT --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 -i eth0 -p udp -m state --state NEW -m recent --update --seconds 2 --hitcount 70 --name udpflood --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 -i eth0 -p tcp -m state --state NEW -m recent --update --seconds 2 --hitcount 150 --name DEFAULT --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 ! -i lo -p tcp -m multiport --dports 19,24,52,79,109,142,442,464,548,586,631,992,994,3305 -m limit --limit 10/hour -j LOG --log-prefix "Firewall Portscan: " --log-level 7
_____________________________
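A post-reboot check for the symptom described in the report and in the quoted mail, added here as an example and not part of the bug report or of Fedora's iptables package: it parses iptables-save output and kernel LOG lines and flags every LOG rule whose prefix came back empty or as the literal string "--log-prefix". The sample rules and dmesg lines are constructed after the ones shown above (with documentation addresses).

```python
import re
import shlex

# A LOG rule whose prefix is empty or is the literal option name has lost
# its real prefix; that is exactly what the report shows after reboot.
BAD_PREFIXES = {"", "--log-prefix"}

def log_prefix_of(rule):
    """--log-prefix value of one iptables-save rule, or None if not a LOG rule."""
    tokens = shlex.split(rule)          # shlex keeps the quoted prefix together
    j = tokens.index("-j") if "-j" in tokens else -1
    if j < 0 or j + 1 >= len(tokens) or tokens[j + 1] != "LOG":
        return None
    if "--log-prefix" not in tokens:
        return ""                       # LOG rule without any prefix at all
    i = tokens.index("--log-prefix")    # first occurrence is the option itself
    return tokens[i + 1] if i + 1 < len(tokens) else ""

def find_bad_log_rules(save_output):
    """(line_no, prefix) for every LOG rule whose prefix is missing or bogus."""
    bad = []
    for n, line in enumerate(save_output.splitlines(), 1):
        if line.startswith("-A "):
            prefix = log_prefix_of(line)
            if prefix is not None and prefix.strip() in BAD_PREFIXES:
                bad.append((n, prefix))
    return bad

# Kernel LOG messages read "<prefix>IN=<if> OUT=<if> ...", optionally after a
# dmesg timestamp; the prefix is whatever precedes "IN=".
KMSG_RE = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?(.*?)IN=\S*\s+OUT=")

def bad_kernel_log_lines(lines):
    """Kernel log lines whose prefix shows the same symptom as the rules."""
    return [l for l in lines
            if (m := KMSG_RE.match(l)) and m.group(1).strip() in BAD_PREFIXES]

# Constructed samples modelled on the rules and the dmesg line in the report.
SAMPLE_SAVE = """\
*filter
-A INPUT ! -s 192.168.2.0/24 -i eth0 -p udp -m state --state NEW -m recent --update --seconds 2 --hitcount 70 --name udpflood --rsource -m limit --limit 1/min -j LOG --log-prefix "Firewall Rate-Control: " --log-level 7
-A INPUT ! -s 192.168.2.0/24 ! -i lo -p tcp -m multiport --dports 19,24,52 -m limit --limit 10/hour -j LOG --log-prefix "--log-prefix" --log-level 7
-A INPUT -p tcp --dport 22 -j LOG --log-level 7
COMMIT
"""
SAMPLE_DMESG = [
    "--log-prefixIN=eth1 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.7 DST=192.0.2.1 LEN=60 PROTO=TCP DPT=19",
    "[  312.004] Firewall Portscan: IN=eth0 OUT= MAC=00:00:5e:00:53:02 SRC=192.0.2.9 DST=192.168.2.1 LEN=60 PROTO=TCP DPT=79",
]
```

Feed it the real `iptables-save` output after a reboot to confirm the restored rules carry their intended prefixes before relying on the kernel log for anything.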

Comment 2 Michael Schwendt 2012-06-30 20:53:12 UTC

*** This bug has been marked as a duplicate of bug 825796 ***

