iptables how to log and drop all

The more I research the more I get confused. I am hoping someone will give me some direction.

I would like to set up a machine to do the following:

  1. Flush all tables
  2. Zero the packet and byte counters
  3. Log each in, out, or transfer
  4. Drop each in, out, or transfer

This should effectively kill ALL internet transactions, http, ftp, etc…

Please do not tell me to turn off the router. There are others plugged into the router. The specifications are to do the above only.

Part of my concern is opensuse does it two ways, yast and iptables. It appears that yast will not do this completely. Then, how would iptables-restore < file.txt be set up? Where would it be placed so that it does it on each boot?

Part of my concern is opensuse does it two ways, yast and iptables.

YaST is only used as a means to configure iptables.

I’m not sure what you’re trying to achieve here but assume it is for learning? Anyway, taking you literally here - you want to drop (block) all traffic completely. You can do this on the fly with something like

# flush every rule in the filter table
iptables --flush
# a user chain that logs the packet, then drops it
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix "iptables dropped packet: " --log-level 4
iptables -A LOG_DROP -j DROP
# send everything coming in, being forwarded, or going out through it
iptables -A INPUT -j LOG_DROP
iptables -A FORWARD -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP

Now observe the journal log in a terminal window with

sudo journalctl -f|grep iptables

In another terminal try pinging an internet address and you’ll see dropped packets along with any other packet activity

ping 8.8.8.8

It’s also possible/desirable to rate limit the logging (as the logs will be saturated with iptables messaging with all traffic blocked like this)

http://www.thegeekstuff.com/2012/08/iptables-log-packets/?utm_source=feedburner

Read the openSUSE firewall guide for information on manual custom configuration of SuSEfirewall2.
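The same lockdown written as a ruleset for iptables-restore, which is what the original question asked about. This is an added example, not code from the thread: it covers all four requested steps (flush every table, zero the counters, log, drop) and loads atomically, so unlike the command-by-command version there is no instant between the flush and the last -A where traffic is allowed through. The file path /etc/lockdown.v4 in the usage is an assumption.

```shell
#!/bin/sh
# Added example: a "log and drop everything" ruleset in iptables-save
# format, loaded with iptables-restore. Not from the thread.

LOG_PREFIX="iptables dropped packet: "   # LOG prefix is limited to 29 chars

# Emit an empty table block. iptables-restore flushes every table it is
# given, so listing a table with no rules is how "flush all tables" is done.
empty_table() {
    tbl=$1
    shift
    echo "*$tbl"
    for chain in "$@"; do
        echo ":$chain ACCEPT [0:0]"
    done
    echo COMMIT
}

# Print the whole ruleset; $1 is the address family, 4 (default) or 6.
# The built-in chains get policy DROP explicitly: on a fresh system they are
# ACCEPT, so an empty filter table would let everything through. The ip6
# nat table only exists on newer kernels, so it is left alone.
lockdown_rules() {
    fam=${1:-4}
    empty_table raw PREROUTING OUTPUT
    empty_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
    if [ "$fam" = 4 ]; then
        empty_table nat PREROUTING INPUT OUTPUT POSTROUTING
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 2/minute --limit-burst 5 -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
-A LOG_DROP -j DROP
-A INPUT -j LOG_DROP
-A FORWARD -j LOG_DROP
-A OUTPUT -j LOG_DROP
COMMIT
EOF
}

# Load both families (needs root). iptables only handles IPv4; without the
# ip6tables half, IPv6 traffic is not blocked at all. -c restores the [0:0]
# counters written above, which is the "zero the counters" step
# (iptables -t <table> -Z after the load does the same).
apply_lockdown() {
    lockdown_rules 4 | iptables-restore -c
    lockdown_rules 6 | ip6tables-restore -c
}

# ./lockdown.sh        prints the IPv4 ruleset (save it with > /etc/lockdown.v4)
# ./lockdown.sh apply  loads it into the kernel
case "${1:-print}" in
    apply) apply_lockdown ;;
    *)     lockdown_rules 4 ;;
esac
```

To apply the saved file at boot the command is iptables-restore -c < /etc/lockdown.v4. Watch the result with journalctl -k -f: LOG writes to the kernel log, so that keeps working with OUTPUT dropped, but a syslog forwarder sending to a remote collector is cut off like everything else, as is any ssh session you ran this from. Restarting SuSEfirewall2 rebuilds its own ruleset and replaces this one, so the lockdown has to be loaded after it or with the service stopped.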

This is a deceptively enormous topic.

But,
If you start with your last requirement (completely closed, deny all), that is how iptables is supposed to be by default except for localhost (or you can write an explicit rule that denies all)… And if that is the case then you can disregard practically all you are asking about, i.e. flushing, zeroing of counters, transfers, logging of packets, etc.

If you want to monitor activity on your network interface, there are very, very many ways to do that, Googling something like “iptables monitoring” returns a multitude of hits, on the first page alone you should see at least 5 good hits, and within those articles there can be many tools.

TSU

The iptables examples here are excellent! And the 2/minute addition is even better. Thanks!

Another question,

Suppose there is a script on the LAN called lockdown. Most of the time lockdown is empty and does not do anything.

But, if there is an emergency declared, lockdown gets replaced with a script that has the above iptables commands to log and drop all. And everyone reboots.

So, certain computers would be set up to run lockdown at boot. Some computers would be ok to boot and connect, such as security computers used to monitor. Also, the computer room is locked, so it is not practical to just start pulling cables.

Which of the several opensuse boot scripts would it be appropriate to add the command to run the lockdown script?

Custom firewall rules can be added to /etc/sysconfig/scripts/SuSEfirewall2-custom. The file contains helpful descriptions. Also review

man /etc/sysconfig/scripts/SuSEfirewall2-custom

Edit /etc/sysconfig/SuSEfirewall2 and locate

FW_CUSTOMRULES=""

Change it to

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

then restart the firewall…

systemctl restart SuSEfirewall2

More info here…
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html#sec.security.firewall.SuSE
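How the "empty file means normal, non-empty file means lockdown" scheme from the follow-up question could be wired into SuSEfirewall2-custom. This is an added example, not part of the thread and not SuSEfirewall2's own code: SuSEfirewall2 sources the custom file and calls a fixed set of fw_custom_* functions while it builds the ruleset, and fw_custom_after_finished is the last of them, so rules it installs are not overwritten by the generated ones. The hook name is as I recall it from the comments in that file; check it against your copy. The path /etc/lockdown is an assumption, and it is deliberately local, not on the LAN share: the file is executed as root on every boot and firewall reload, so whoever can write it owns every machine that reads it.

```shell
#!/bin/sh
# Added example: hook body for /etc/sysconfig/scripts/SuSEfirewall2-custom.
# Not from the thread or from SuSEfirewall2 itself; hook name assumed
# from the comments in that file.

# Local, root-owned lockdown script (hypothetical path).
: "${LOCKDOWN_SCRIPT:=/etc/lockdown}"

# Armed = the file exists, is non-empty, and is not world-writable.
# A world-writable file is refused rather than run as root.
lockdown_armed() {
    [ -s "$LOCKDOWN_SCRIPT" ] || return 1
    [ -n "$(find "$LOCKDOWN_SCRIPT" -prune ! -perm -o=w -print)" ] || return 1
    return 0
}

# Last hook SuSEfirewall2 calls: source the lockdown script, whose
# flush/log/drop commands then replace everything built before it.
# On an unarmed host the function does nothing and the normal rules stand.
fw_custom_after_finished() {
    if lockdown_armed; then
        # shellcheck disable=SC1090
        . "$LOCKDOWN_SCRIPT"
    fi
    true
}
```

Because the hook runs on every start of the SuSEfirewall2 service, "everyone reboots" is not required: dropping the non-empty file in place and running systemctl restart SuSEfirewall2 applies it, and emptying the file and restarting again lifts it.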

That doesn’t help if I want to lock down a dozen computers within 2 minutes…

Could be done in a script. Use sed to mod the /etc/sysconfig/SuSEfirewall2 file

http://www.grymoire.com/Unix/Sed.html#uh-0
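The sed edit the reply refers to, as an added example rather than anything posted in the thread. It switches FW_CUSTOMRULES on in a SuSEfirewall2 sysconfig file in place and is safe to run repeatedly, which matters when the same script is fired at a dozen machines: the line may already be set to something, be present but commented out, or be missing altogether, and a naive s/// only handles the first case.

```shell
#!/bin/sh
# Added example (not from the thread): enable FW_CUSTOMRULES with sed,
# handling an active line, a commented-out line, or no line at all.

CUSTOM="/etc/sysconfig/scripts/SuSEfirewall2-custom"

# $1: the SuSEfirewall2 sysconfig file to edit in place (GNU sed -i).
enable_custom_rules() {
    f=$1
    if grep -q '^FW_CUSTOMRULES=' "$f"; then
        # Active assignment present: rewrite its value whatever it was.
        sed -i "s|^FW_CUSTOMRULES=.*|FW_CUSTOMRULES=\"$CUSTOM\"|" "$f"
    elif grep -q '^#[[:space:]]*FW_CUSTOMRULES=' "$f"; then
        # Only a commented-out assignment: uncomment it and set the value.
        sed -i "s|^#[[:space:]]*FW_CUSTOMRULES=.*|FW_CUSTOMRULES=\"$CUSTOM\"|" "$f"
    else
        # No assignment at all: append one.
        printf 'FW_CUSTOMRULES="%s"\n' "$CUSTOM" >> "$f"
    fi
}

# Read back the effective value: the last active assignment wins, as it
# would when the sysconfig file is sourced.
custom_rules_value() {
    sed -n 's/^FW_CUSTOMRULES="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Usage: enable_custom_rules /etc/sysconfig/SuSEfirewall2 && systemctl restart SuSEfirewall2
```

Run against /etc/sysconfig/SuSEfirewall2 and followed by systemctl restart SuSEfirewall2, this is the whole per-host step; looping it over the hosts from a management machine is what turns "a dozen computers within 2 minutes" into one command, with the caveat that once a host's custom rules drop all traffic, the remote session that triggered them is gone with it.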