Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm doing some advanced iptables logging using the ULOG target to save all connections to a table for later analysis.
I've never logged anything with iptables:
1. The jump directive (-j) is defined as "stop processing this rule and jump to this target", and since ULOG is a userspace process, does that mean the packet gets sent to ulogd and not passed on to the next chain, or is the packet copied to multicast? It makes sense for the latter to be the case.
2. If I want to log connections to, say, all external web sites, would this be a good rule?
My problem with this is that it will log every single packet on this gateway, and if I have heavy traffic, my log DB will quickly explode. How could I restrict this to say, connections instead of individual packets? I don't need to know that 192.168.1.20 used 1000 packets to download an image from a web site, merely that he visited that site, so one entry would do (per HTTP request obviously). Also I only need date, source and dest IPs (and ports if not matched by iptables).
The logging requirement I must meet is to "be able to match traffic to a single user".
Should I consider another (perhaps non-iptables) logging facility? I'm going to be adding squid to my gateway soon, should I look into logging at that point (that won't log things like ssh though will it?)
Last edited by michaelsanford; 05-05-2005 at 10:51 AM.
I knew it would involve a match-state directive but I'm a little muddled in using that; match new seems correct to me though.
The general idea being that we want to be able to know what web sites people are hitting in case, say, they're accessing child porn, and also be able to identify break-in attempts on external servers originating from us.
I'm just afraid that the log file (mysql db) could blow up if there are 1000 people online at the same time, but this match should work all right, we've got a pretty beefy system.
Of course, all someone needs is an SSH tunnel to get around this, but well, you can't secure everything, can you? Besides, with an SSH tunnel, it comes back to the SSH server, not yours.
Not to mention anonymizing SSL-secured proxies, etc, etc. But the point is... anything where a remote log would point to your system should be loggable.
Good rule of thumb, so I guess it's squid and iptables logging.
So just to confirm, a -j ULOG / -j LOG directive logs the packet to userspace/syslogd, it doesn't move the packet to the logger and not forward it, right?
Depends which one you mean. If you use the LOG (i.e., sends to syslogd) then it's dead easy since it shows up in /var/log/syslog and has the added advantage of being rotated by cron.
EDIT You can also specify which data you want logged and a custom line header like "HTTP Request: ".
ULOG I haven't set up yet, but for me it has MANY more advantages over syslogd, most notably MySQL interaction which means easy real-time interaction with remote hosts via web pages.
It seems that using ulogd makes it simple, though I've only installed it this afternoon; the config is quite similar to samba/syslogd.
I'm definitely going to go the ULOG route, so once I have it all done I'll write and post a HOW-TO (in fact, I'm writing a few how-tos during the course of this project to post here once I can confirm they're correct and work 'as advertised' after some real use).
Yeah, I was referring to ULOG. I've used the regular LOG for quite a while and find it, quite frankly, quite klutzy. I guess that's what I get for running syslogd on my firewall. I wish I'd known about metalog when I installed it. I guess I could convert over, but that seems a tad... awkward.
I would suggest ULOG because, like I said, it allows MySQL interaction that LOG/syslog doesn't, something that, for a gateway/router, is pretty useful but may be overkill for a home user--you decide
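For the plain LOG-to-syslog route described above, the lines that land in /var/log/syslog still arrive one per packet unless the rule itself is restricted to NEW. The added example below (not from the thread) reduces such lines to the fields the original question asked for: date, source, destination and ports, one record per connection attempt. The KEY=VALUE layout (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) and the bare SYN/ACK flag words are the real format the LOG target writes; the sample lines, the hostname `gw` and the prefix "HTTP Request:" are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: condense iptables LOG syslog lines to
# one record per TCP connection attempt.  Sample input is constructed.
set -eu

# Constructed syslog lines in iptables LOG format: a SYN, two follow-up
# packets of the same connection, a SYN to a second site, and an unrelated
# line that carries no log prefix.
SAMPLE_LOG='May  5 10:51:02 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40010 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:51:02 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40010 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
May  5 10:51:03 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=512 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40010 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
May  5 10:51:09 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:51:10 gw sshd[1234]: Accepted publickey for admin from 192.168.1.5 port 40022 ssh2'

# conn_records PREFIX  -  reads LOG lines on stdin, prints
#   <date> <time> <src>:<sport> -> <dst>:<dport> <proto>
# keeping, for TCP, only the packet that opens the connection (SYN set,
# ACK clear).  Lines without PREFIX are ignored so other syslog traffic
# on the same file does not leak into the report.
conn_records() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            split("", f); syn = 0; ack = 0
            # Tokens are KEY=VALUE pairs; TCP flags (SYN, ACK, PSH) and DF
            # appear as bare words.
            for (i = 1; i <= NF; i++) {
                if ($i == "SYN") syn = 1
                else if ($i == "ACK") ack = 1
                else if ((eq = index($i, "=")) > 0)
                    f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
            # For TCP a connection is "new" exactly when SYN is set and ACK
            # is not; other protocols are passed through unchanged.
            if (f["PROTO"] == "TCP" && !(syn && !ack)) next
            printf "%s %s %s %s:%s -> %s:%s %s\n", $1, $2, $3,
                   f["SRC"], f["SPT"], f["DST"], f["DPT"], f["PROTO"]
        }'
}

# Usage on a real file:  conn_records 'HTTP Request:' < /var/log/syslog
```

Run against the constructed sample this yields two records, one per site contacted, even though the first site generated three logged packets. The same SYN-without-ACK test is what `-m state --state NEW` applies in the kernel; doing it here instead is only a fallback for rules that were written without the state match, since the packets still hit syslog at full rate.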
Have been trying to figure out how to log the internet access of my kids on our home lan that looks like this:
ADSL Modem/Router (includes hardware firewall) --> eth0 --> Linux Server (providing NAT) --> eth1 --> local LAN (static IPs)
Lots of 'googling' and many blind alleys but (it seems) that this thread has a similar aim.
I am not very experienced at Linux but am prepared to learn. I have tried tcpdump, ethereal and a few others but, although I could trace the traffic between eth1 and the 'downstream' lan users, I could not get any info on the URLs being accessed.
Have you had any success in the use of log or ulog?