Hello
Is there a way to get ipchains to log to a seperate file?
At the moment it is logging into /var/log/messages, but I would like it done in a file just for ipchains.
Thank you

Wazza

Are you familiar with grep, awk, sed, tr and so on?
If not, you might have a look at a logchecker like logcheck ;-)
http://www.psionic.com/
And if you are there, you might also take a look at portsentry.

Ok grep is good enough, but I'm also wondering if anyone has come up with a way to do this. It would be a nice feature since I always take a quick look a /var/log and seeing a file called ipchains with a positive file size would be a quick tip off that someone is trying something...

-Mark

Why do you want to put it in a file? Okay i still prefer the "logchecker" software but you can do it also with a little script.
My firewall logs everything (scans, stealth-scans, connection-attempts etc.) to the /var/log/messages file.

So i would write a little script, that also includes a line like this:
cat messages | grep -i "Packet log:" | awk '{print $12}'

In my case this would give me the ip-address of a poosible intruder. You should finetune this with "sed".

Create a cronjob and wait for mail that will inform you on what's going on!

I hope this might help you.

I can dig it. Thanks man.

what about ipchains-save > /path/to/file , you can also restore by typing ipchains-restore > /path/from/file

Hi,

Pretty new to Linux, I?m using RH 6.2. I need some help on getting ipchains to log.

My /etc/syslog.conf is as follows:

kern.* /var/log/kern.log
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none /var/log/messages

I set a rule and it works, but I can not get it to log?anywhere that I can tell. Only thing it does log is when I flush out the polices:

Apr 1 17:53:08 dsl081 ipchains: Flushing all chains: succeeded
Apr 1 17:53:08 dsl081 ipchains: Removing user defined chains: succeeded
Apr 1 17:53:08 dsl081 ipchains: Resetting built-in chains to the default ACCEPT policy succeeded

I have been playing around with an icmp (ping) rule and it works fine?just wont log

root /sbin/ipchains -l -A input -p icmp --icmp-type echo-request -s 0/0 -d 64.31.56.245 -j ACCEPT

Any help would be greatly appreciated!

-Ward

Hi,

Pretty new to Linux, I?m using RH 6.2. I need some help on getting ipchains to log.

My /etc/syslog.conf is as follows:

kern.* /var/log/kern.log
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none /var/log/messages

I set a rule and it works, but I can not get it to log?anywhere that I can tell. Only thing it does log is when I flush out the polices:

Apr 1 17:53:08 dsl081 ipchains: Flushing all chains: succeeded
Apr 1 17:53:08 dsl081 ipchains: Removing user defined chains: succeeded
Apr 1 17:53:08 dsl081 ipchains: Resetting built-in chains to the default ACCEPT policy succeeded

I have been playing around with an icmp (ping) rule and it works fine?just wont log

root /sbin/ipchains -l -A input -p icmp --icmp-type echo-request -s 0/0 -d 64.31.56.245 -j ACCEPT

Any help would be greatly appreciated!

-Ward

Hi there.
I might be wrong, but if any input rules are Appended, should they be listed after the -A option??

mine is written:

/sbin/ipchains -A input -l -J DENY -p icmp -s 0/0 echo-request -i ppp0

Might be nothing in it, some one in here will know the answer I'm sure.

Wazza

Hi Wazza,

Thanks. I tried that with no difference. However, I have since discovered that by starting klogd with the ?s option, it forces the system call interface as its messaging source. Now it works.

I found some pretty good info and a sh script on ipchains at
http://dsl081-050-241.sfo1.dsl.speak...s-script.shtml

Thanks for the rely!

-Ward