LinuxQuestions.org
Old 05-05-2005, 10:48 AM   #1
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
General gateway logging (and iptables ULOG) ?


I'm doing some advanced iptables logging using the ULOG target to save all connections to a table for later analysis.

I've never logged anything with iptables:
1. The jump directive (-j) is defined as "stop processing this rule and jump to this target", and since ULOG is a userspace process, does that mean the packet gets sent to ulogd and not passed on to the next chain, or is the packet copied to multicast? It makes sense for the latter to be the case.

2. If I want to log connections to, say, all external web sites, would this be a good rule?
Code:
iptables -t filter -A FORWARD -p tcp --dport 80 -o $WAN -j ULOG --ulog-prefix "HTTP " --ulog-qthreshold 50
My problem with this is that it will log every single packet on this gateway, and if I have heavy traffic, my log DB will quickly explode. How could I restrict this to, say, connections instead of individual packets? I don't need to know that 192.168.1.20 used 1000 packets to download an image from a web site, merely that he visited that site, so one entry would do (per HTTP request obviously). Also I only need date, source and dest IPs (and ports if not matched by iptables).

The logging requirement I must meet is to "be able to match traffic to a single user".

Should I consider another (perhaps non-iptables) logging facility? I'm going to be adding squid to my gateway soon; should I look into logging at that point (that won't log things like ssh though, will it?)

Last edited by michaelsanford; 05-05-2005 at 10:51 AM.
 
Old 05-05-2005, 11:50 AM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
You could use SQUID to log websites. If you want to log just once per connection with iptables, you could add -m state --state NEW (IIRC) to the rule.
 
Old 05-05-2005, 01:40 PM   #3
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
I knew it would involve a match-state directive but I'm a little muddled in using that; match new seems correct to me though.

The general idea being that we want to be able to know what web sites people are hitting in case, say, they're accessing child porn, and also be able to identify break-in attempts on external servers originating from us.

I'm just afraid that the log file (mysql db) could blow up if there are 1000 people online at the same time, but this match should work all right, we've got a pretty beefy system.

Thanks!
 
Old 05-05-2005, 01:49 PM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Of course, all someone needs is an SSH tunnel to get around this, but well, you can't secure everything, can you? Besides, with an SSH tunnel, it comes back to the SSH server, not yours.
 
Old 05-05-2005, 09:22 PM   #5
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
Very true, but SSH tunnels are easy to write off as "unloggable". I'll put it in my report nonetheless.
 
Old 05-05-2005, 09:27 PM   #6
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Not to mention anonymizing SSL-secured proxies, etc, etc. But the point is... anything where a remote log would point to your system should be loggable.
 
Old 05-05-2005, 09:35 PM   #7
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
Good rule of thumb, so I guess it's squid and iptables logging.

So just to confirm, a -j ULOG / -j LOG directive logs the packet to userspace/syslogd, it doesn't move the packet to the logger and not forward it, right?
 
Old 05-05-2005, 09:38 PM   #8
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
I understand it the same way. To log dropped packets, I believe you need identical rules with -j (U)LOG, -j DROP. (In that order, of course).
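Putting the two suggestions from this thread together, the once-per-connection match from #2 (-m state --state NEW) and the LOG-then-DROP ordering from #8, as an added example that is not code from the thread. The interface names eth0/eth1, the ports and the limit values are assumptions; by default the script only prints the rules it would load (IPT defaults to "echo iptables"), so it can be reviewed without root, and IPT=iptables applies them for real.

```shell
#!/bin/sh
# Added example (not from the thread): a FORWARD-chain fragment that logs each
# outbound connection once and logs packets before dropping them.
# IPT defaults to "echo iptables" so the rules are printed for review instead
# of applied; run with IPT=iptables (as root) to load them for real.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"   # assumed WAN-side interface name
LAN="${LAN:-eth1}"   # assumed LAN-side interface name

# One log entry per connection: match only the first packet (state NEW) so a
# 1000-packet download produces a single ULOG record, then accept the flow.
# ULOG is non-terminating, so the same packet reaches the ACCEPT rule below.
log_new_connections() {
    port=$1
    prefix=$2
    $IPT -t filter -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$port" \
        -m state --state NEW \
        -j ULOG --ulog-prefix "$prefix " --ulog-qthreshold 50
    $IPT -t filter -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
}

# LOG is non-terminating, so the packet falls through to the DROP rule that
# follows; reversing the order would drop it before it is ever logged.
# The limit match keeps a flood of rejected packets from filling syslog.
log_and_drop_rest() {
    $IPT -t filter -A FORWARD -i "$LAN" -o "$WAN" \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FWD DROP "
    $IPT -t filter -A FORWARD -i "$LAN" -o "$WAN" -j DROP
}

# Return traffic for connections already logged on the way out.
accept_established() {
    $IPT -t filter -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

build_ruleset() {
    accept_established
    log_new_connections 80 HTTP
    log_new_connections 22 SSH
    log_and_drop_rest
}

build_ruleset
```

Rule order is the whole point: within each pair the logging rule comes first because neither LOG nor ULOG stops rule traversal, while DROP and ACCEPT do.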
 
Old 05-05-2005, 09:54 PM   #9
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
Sounds good. Now that I think about it though, it's fairly easy to test -j ULOG all traffic from a LAN IP and see if it still works...and it does!

Sample:
Code:
root@gateway:/var/log# iptables -t filter -A FORWARD \
-p tcp -s 10.0.0.11 --dport 80 -j LOG

root@gateway:/var/log# cat syslog
May  5 22:52:10 gateway kernel: IN=wlan0 OUT=eth0 SRC=10.0.0.11 DST=128.30.52.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37917 DF PROTO=TCP SPT=49265 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

Last edited by michaelsanford; 05-05-2005 at 09:55 PM.
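Pulling the fields the original poster said he needs (date, source and destination addresses, ports) out of kernel LOG lines like the sample above, and counting connections per LAN address to "match traffic to a single user", as an added example that is not code from the thread. The log lines are constructed for the example: the first mirrors the record shown in the thread, the others carry an assumed "HTTP " --log-prefix, and one unrelated sshd line is included to show that non-firewall records are skipped.

```shell
#!/bin/sh
# Added example (not from the thread): extract date, source and destination
# from kernel LOG lines in syslog, and count connections per source address.
# The lines below are constructed sample data.
SAMPLE_LOG='May  5 22:52:10 gateway kernel: IN=wlan0 OUT=eth0 SRC=10.0.0.11 DST=128.30.52.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37917 DF PROTO=TCP SPT=49265 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May  5 22:52:11 gateway kernel: HTTP IN=wlan0 OUT=eth0 SRC=10.0.0.12 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1201 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 22:52:12 gateway sshd[321]: Accepted publickey for alice from 10.0.0.11 port 50000 ssh2
May  5 22:52:13 gateway kernel: HTTP IN=wlan0 OUT=eth0 SRC=10.0.0.11 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1202 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# Reads syslog on stdin; prints one line per kernel LOG record as
#   <month> <day> <time> <proto> <src>:<spt> -> <dst>:<dpt>
# Other lines (sshd etc.) are skipped. Each field is located by its KEY= name
# rather than by position, so an optional --log-prefix does not shift the parse.
parse_log_lines() {
    awk '
    /kernel:/ && /SRC=/ {
        src = dst = spt = dpt = proto = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        printf "%s %s %s %s %s:%s -> %s:%s\n", $1, $2, $3, proto, src, spt, dst, dpt
    }'
}

# Connections per source address, one line "<addr> <count>", sorted by address.
# With a state NEW rule feeding the log, each line is one connection, not one packet.
count_by_source() {
    parse_log_lines | awk '{ split($5, ep, ":"); c[ep[1]]++ }
                           END { for (s in c) printf "%s %d\n", s, c[s] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | parse_log_lines
printf '%s\n' "$SAMPLE_LOG" | count_by_source
```

On a real gateway the same functions run as `parse_log_lines < /var/log/syslog`; a ULOG setup with ulogd would write these fields straight into database columns instead, which is what the MySQL interaction mentioned later in the thread buys you.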
 
Old 05-05-2005, 09:57 PM   #10
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
So, out of curiosity, how hard is it to set up userspace logging?
 
Old 05-05-2005, 10:08 PM   #11
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
Depends which one you mean. If you use LOG (i.e., it sends to syslogd) then it's dead easy since it shows up in /var/log/syslog and has the added advantage of being rotated by cron.
EDIT: You can also specify which data you want logged and a custom line header like "HTTP Request: ".

ULOG I haven't set up yet, but for me it has MANY more advantages over syslogd, most notably MySQL interaction, which means easy real-time interaction with remote hosts via web pages.

It seems that using ulogd makes it simple, though I've only installed it this afternoon; the config is quite similar to samba/syslogd.

I'm definitely going to go the ULOG route, so once I have it all done I'll write and post a HOW-TO (in fact, I'm writing a few how-tos during the course of this project to post here once I can confirm they're correct and work 'as advertised' after some real use).
 
Old 05-05-2005, 10:17 PM   #12
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Yeah, I was referring to ULOG. I've used the regular LOG for quite a while and find it, quite frankly, quite klutzy. I guess that's what I get for running syslogd on my firewall. I wish I'd known about metalog when I installed it. I guess I could convert over, but that seems a tad... awkward.
 
Old 05-05-2005, 10:37 PM   #13
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Original Poster
Rep: Reputation: 30
I would suggest ULOG because, like I said, it allows MySQL interaction that LOG/syslog doesn't, something that, for a gateway/router, is pretty useful but may be overkill for a home user--you decide.

IMNSHO nothing's overkill on a Linux box.

GNUmonks.org ULOGd Project (ULOG userspace multicast handler)
http://gnumonks.org/gnumonks/project...details?p_id=1
 
Old 05-05-2005, 10:43 PM   #14
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
I agree, nothing's overkill. Besides, it's all fun. And high-volume logging is really more appropriate for ulog with an SQL backend.
 
Old 05-18-2005, 07:29 AM   #15
gjhicks
Member
 
Registered: Jun 2004
Location: Melbourne, Australia
Posts: 47

Rep: Reputation: 15
Hi there,

Have been trying to figure out how to log the internet access of my kids on our home LAN that looks like this:

ADSL Modem/Router (includes hardware firewall) --> eth0 --> Linux Server (providing NAT) --> eth1 --> local LAN (static IPs)

Lots of 'googling' and many blind alleys but (it seems) that this thread has a similar aim.

I am not very experienced at Linux but am prepared to learn. I have tried tcpdump, ethereal and a few others but, although I could trace the traffic between eth1 and the 'downstream' LAN users, I could not get any info on the URLs being accessed.

Have you had any success in the use of log or ulog?

I would be very happy to get any assistance.

Regards,

Geoff.
 