Linux Firewalls - Michael Rash [24]
In this chapter, we'll focus first on how iptables logs network layer packet headers within log message output. Then we will see how these logs can be used to catch suspicious network layer activity.
Logging Network Layer Headers with iptables
With the iptables LOG target, firewalls built with iptables have the ability to write log data to syslog for nearly every field of the IPv4 header.[11] Because the iptables logging format is quite thorough, iptables logs are well-suited to supporting the detection of many network layer header abuses.
Logging the IP Header
The IP header is defined by RFC 791, which describes the structure of the header used by IP. Figure 2-1 displays the IP header, and the shaded boxes represent the fields of the header that iptables includes within its log messages. Each shaded box contains the IP header field name followed by the identifying string that iptables uses to tag the field in a log message. For example, the Total Length field is prefixed with the string LEN= followed by the actual total length value in the packet, and the Time-to-Live (TTL) field is prefixed with TTL= followed by the TTL value.
Figure 2-1. The IP header and corresponding iptables log message fields
The dark gray boxes in Figure 2-1 are always logged[12] by iptables. The white boxes denote header fields that are not logged by iptables under any circumstances. The medium gray box is for the options portion of the IP header. This box is shaded medium gray because iptables only logs IP options if the --log-ip-options command-line argument is used when a LOG rule is added to the iptables policy.
Here is an example iptables log message generated by sending an ICMP Echo Request from the ext_scanner system toward the iptablesfw system (refer to Figure 2-1):
[ext_scanner]$ ping -c 1 71.157.X.X
PING 71.157.X.X (71.157.X.X) 56(84) bytes of data.
64 bytes from 71.157.X.X: icmp_seq=1 ttl=64 time=0.171 ms
--- 71.157.X.X ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.171/0.171/0.171/0.000 ms
[iptablesfw]# tail /var/log/messages | grep ICMP | tail -n 1
Jul 22 15:01:25 iptablesfw kernel: IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X DST=71.157.X.X LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=44366 SEQ=1
In the log message above, the IP header begins with the source IP address (expanded into the standard dotted quad notation).[13] Additional IP header fields such as the destination IP address, the total length (LEN), the TTL value, and the protocol field follow it. The Type Of Service byte is split into two hexadecimal values: the TOS field carries the type-of-service bits and the PREC field carries the precedence bits. The first ID field (ID=0) is the IP Identification field. The Flags header field in this case is included as the string DF, or Don't Fragment, which indicates that IP gateways are not permitted to split the packet into smaller chunks. Finally, the PROTO field is the protocol encapsulated by the IP header, ICMP in this case. The remaining fields in the log message, the ICMP TYPE, CODE, ID, and SEQ values from the Echo Request packet sent by the ping command, are not part of the IP header; in particular the second ID field (ID=44366) is the ICMP identifier, not the IP Identification field, so a parser has to distinguish the two by their position relative to PROTO=.
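The field layout described above is easy to get wrong in an ad hoc grep, mainly because of the duplicated ID= tag. The following parser is an added example, not code from the book or from the iptables project: it splits one iptables LOG line into the IP header fields (everything up to and including PROTO=) and the fields of the encapsulated protocol (everything after it), and then uses that structure to pull ICMP Echo Requests out of a list of log lines. The sample line is the log message above, joined onto a single line; the bare tokens MF and CE are the other two IP flag strings the LOG target emits alongside DF, and the helper names are my own.

```python
# Added example: parse iptables LOG messages into IP header fields and
# upper-layer fields. Tags (IN=, OUT=, MAC=, SRC=, DST=, LEN=, TOS=, PREC=,
# TTL=, ID=, DF, PROTO=) are the ones iptables writes to syslog.

# Constructed sample input: the ICMP Echo Request log line from the page.
SAMPLE_LINE = (
    "Jul 22 15:01:25 iptablesfw kernel: IN=eth0 OUT= "
    "MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 "
    "SRC=144.202.X.X DST=71.157.X.X LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=44366 SEQ=1"
)

# Bare (valueless) tokens the LOG target uses for the IP header flag bits.
IP_FLAG_TOKENS = {"DF", "MF", "CE"}


def parse_iptables_log(line):
    """Return {'ip': {...}, 'proto_fields': {...}} for one iptables LOG line.

    Tokens up to and including PROTO= describe the IP header (plus the
    IN=/OUT=/MAC= prefix); tokens after it belong to the encapsulated
    protocol. Switching dictionaries at PROTO= is what keeps the two ID=
    fields of an ICMP Echo Request apart: the first is the IP Identification
    field, the second is the ICMP identifier.
    """
    _, sep, body = line.partition("kernel: ")
    if not sep:
        raise ValueError("not an iptables kernel log line")

    raw_ip, raw_proto = {}, {}
    flags = set()
    current = raw_ip
    for token in body.split():
        if current is raw_ip and token in IP_FLAG_TOKENS:
            flags.add(token)
            continue
        key, eq, value = token.partition("=")
        if not eq:
            continue  # ignore anything that is not key=value
        current[key] = value
        if key == "PROTO":
            current = raw_proto  # everything that follows is upper-layer data

    ip = {
        "in": raw_ip.get("IN", ""),
        "out": raw_ip.get("OUT", ""),
        "src": raw_ip["SRC"],
        "dst": raw_ip["DST"],
        "len": int(raw_ip["LEN"]),
        "tos": int(raw_ip["TOS"], 16),   # type-of-service bits
        "prec": int(raw_ip["PREC"], 16), # precedence bits
        "ttl": int(raw_ip["TTL"]),
        "id": int(raw_ip["ID"]),         # IP Identification, not the ICMP ID
        "flags": flags,
        "proto": raw_ip["PROTO"],
    }
    return {"ip": ip, "proto_fields": raw_proto}


def icmp_echo_requests(lines):
    """Yield (src, dst, icmp_id, seq) for every logged ICMP Echo Request."""
    for line in lines:
        if "kernel: " not in line or "PROTO=ICMP" not in line:
            continue
        rec = parse_iptables_log(line)
        p = rec["proto_fields"]
        if p.get("TYPE") == "8":  # ICMP type 8 is Echo Request
            yield (rec["ip"]["src"], rec["ip"]["dst"], int(p["ID"]), int(p["SEQ"]))


if __name__ == "__main__":
    parsed = parse_iptables_log(SAMPLE_LINE)
    print(parsed["ip"])
    print(parsed["proto_fields"])
    print(list(icmp_echo_requests([SAMPLE_LINE])))
```

Running the block against the sample line yields an IP dictionary with len 84, ttl 64, id 0, flags {"DF"} and proto "ICMP", and a separate upper-layer dictionary holding TYPE, CODE, ID and SEQ, so the ICMP identifier 44366 never collides with the IP Identification field.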
Logging IP Options
IP options provide various control functions for IP communications, and these functions include timestamps, certain security capabilities, and provisions for special routing features. IP options have a variable length and are used relatively infrequently on the Internet. Without IP options, an IP packet header is always exactly 20 bytes long; with options it can grow to at most 60 bytes. For iptables to log the options portion of the IP header, use the following command (note the --log-ip-options switch):
[iptablesfw]# iptables -A INPUT -j LOG --log-ip-options
The default LOG rules in the policy built by the iptables.sh script in Chapter 1 all use the --log-ip-options command-line argument,