I'm doing some advanced iptables logging using the ULOG target to save all connections to a table for later analysis.
I've never logged anything with iptables:
1. The jump directive (-j) is defined as "stop processing this rule and jump to this target", and since ULOG is a userspace process, does that mean the packet gets sent to ulogd and not passed on to the next chain, or is the packet copied to multicast? It makes sense for the latter to be the case.
2. If I want to log connections to, say, all external web sites, would this be a good rule?
My problem with this is that it will log every single packet on this gateway, and if I have heavy traffic, my log DB will quickly explode. How could I restrict this to say, connections instead of individual packets? I don't need to know that 192.168.1.20 used 1000 packets to download an image from a web site, merely that he visited that site, so one entry would do (per HTTP request obviously). Also I only need date, source and dest IPs (and ports if not matched by iptables).
The logging requirement I must meet is to "be able to match traffic to a single user".
Should I consider another (perhaps non-iptables) logging facility? I'm going to be adding squid to my gateway soon; should I look into logging at that point? (That won't log things like ssh though, will it?)
Last edited by michaelsanford; 05-05-2005 at 11:51 AM.
I knew it would involve a match-state directive but I'm a little muddled in using that; match new seems correct to me though.
The general idea being that we want to be able to know what web sites people are hitting in case, say, they're accessing child porn, and also be able to identify break-in attempts on external servers originating from us.
I'm just afraid that the log file (mysql db) could blow up if there are 1000 people online at the same time, but this match should work all right, we've got a pretty beefy system.
Depends which one you mean. If you use the LOG target (i.e., it sends to syslogd) then it's dead easy since it shows up in /var/log/syslog and has the added advantage of being rotated by cron.
EDIT: You can also specify which data you want logged and a custom line header like "HTTP Request: ".
ULOG I haven't set up yet, but for me it has MANY more advantages over syslogd, most notably MySQL interaction which means easy real-time interaction with remote hosts via web pages.
It seems that using ulogd makes it simple, though I've only installed it this afternoon; the config is quite similar to samba/syslogd.
I'm definitely going to go the ULOG route, so once I have it all done I'll write and post a HOW-TO (in fact, I'm writing a few how-tos during the course of this project to post here once I can confirm they're correct and work 'as advertised' after some real use).
Yeah, I was referring to ULOG. I've used the regular LOG for quite a while and find it, quite frankly, quite klutzy. I guess that's what I get for running syslogd on my firewall. I wish I'd known about metalog when I installed it. I guess I could convert over, but that seems a tad... awkward.
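As an added illustration (not code from the thread or from ulogd), the parser below reads iptables LOG lines carrying the custom "HTTP Request: " prefix discussed above into the date, source, destination and port fields the original poster needs, collapses per-packet lines into one entry per connection (the same reduction that `-m state --state NEW` performs in-kernel, which is the proper fix), and groups the result per source address so traffic can be matched to a single user. The log lines are constructed samples; the hostname `gw` and interface names are assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the iptables LOG target writes to syslog.
# The first three packets belong to one TCP connection; the last is a second one.
SAMPLE_LOG = """\
May  5 11:51:02 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 11:51:02 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
May  5 11:51:03 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=540 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
May  5 11:52:10 gw kernel: HTTP Request: IN=eth1 OUT=eth0 SRC=192.168.1.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=991 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Fields the thread says are needed: date, source/destination address and ports.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)"
    r"IN=\S* OUT=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return one packet's fields as a dict, or None for non-LOG lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    rec["syn"] = " SYN " in line  # opening packet of a TCP connection
    return rec

def connections(log_text):
    """Collapse per-packet lines to one record per connection (what --state NEW does in-kernel)."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["spt"], rec["dst"], rec["dpt"])
        seen.setdefault(key, rec)  # keep the first packet as the connection entry
    return list(seen.values())

def per_user(conns):
    """Group connection records by LAN source address, i.e. by user."""
    report = defaultdict(list)
    for c in conns:
        report[c["src"]].append((c["ts"], c["dst"], c["dpt"]))
    return dict(report)
```

Run over a real syslog, the ratio of input lines to `connections()` output shows how much a per-packet rule over-logs compared with a `--state NEW` rule.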
Have been trying to figure out how to log the internet access of my kids on our home LAN that looks like this:
ADSL Modem/Router (includes hardware firewall) --> eth0 --> Linux Server (providing NAT) --> eth1 --> local LAN (static IPs)
Lots of 'googling' and many blind alleys, but it seems that this thread has a similar aim.
I am not very experienced at Linux but am prepared to learn. I have tried tcpdump, ethereal and a few others but, although I could trace the traffic between eth1 and the 'downstream' lan users, I could not get any info on the URLs being accessed.
Have you had any success in the use of log or ulog?