LinuxQuestions.org
Forum: Linux - Security
Old 02-18-2013, 09:34 PM   #1
sec_tech
LQ Newbie
 
Registered: Feb 2013
Posts: 5

Rep: Reputation: Disabled
iptables log MAC address not showing


Hi, I need the MAC address of the originating request of outgoing packets. I'm not sure if I'm missing something or maybe Debian squeeze does not have this functionality? But here is my iptables command, and I'm logging ALL NEW outgoing requests (INFO) on eth0:
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -j LOG --log-level 6
iptables -A OUTPUT -o eth0 -p udp -m state --state NEW -j LOG --log-level 6

Feb 18 22:17:32 my-debian kernel: [50421.784255] IN= OUT=eth0 SRC=1.1.1.1 DST=2.2.2.2 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=13743 PROTO=UDP SPT=1765 DPT=53 LEN=61

Thanks!!

Last edited by sec_tech; 02-18-2013 at 09:36 PM.
 
Old 02-19-2013, 03:16 AM   #2
wadhah102
LQ Newbie
 
Registered: Apr 2011
Location: Tunis, Tunisia
Distribution: Ubuntu/Debian/CentOS
Posts: 14

Rep: Reputation: 0
Hi, I can't understand your question.
When you use
Quote:
-o eth0
then all packets have this MAC address.

Can you explain to me more?


Best regards
 
Old 02-19-2013, 07:13 AM   #3
sec_tech
LQ Newbie
 
Registered: Feb 2013
Posts: 5

Original Poster
Rep: Reputation: Disabled
-o eth0

I have this defined so I am only logging OUTgoing traffic... but I still need the source MAC from my internal network devices. So this Debian box is a router. I'm logging all outgoing traffic on eth0 (the external-facing NIC); eth1 is internal to my network. I don't care about my internal traffic or traffic coming in, just the traffic going out to the internet.
Thanks!
 
Old 02-19-2013, 08:49 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,462
Blog Entries: 54

Rep: Reputation: 2899
On the LAN side, the router's ingress device, new connections not destined for the LAN equal egress traffic, right?
 
Old 02-19-2013, 08:56 AM   #5
wadhah102
LQ Newbie
 
Registered: Apr 2011
Location: Tunis, Tunisia
Distribution: Ubuntu/Debian/CentOS
Posts: 14

Rep: Reputation: 0
Hi,

Quote:
i still need the source mac from my internal network devices
When you want to know which MAC address from your LAN, you should log all traffic from your internal network, and in this case it's eth1.

Quote:
iptables -A INPUT -i eth1 -j LOG --log-level 7 --log-prefix 'Source MAC ADDRES'
Note that the file /var/log/kern.log contains the MAC address that you want, and be careful about the syntax of the MAC:

MAC=Address_MAC_ETH1:Addresse_MAC_Source_From_LAN:08:00

Best Regards
 
Old 02-20-2013, 12:33 AM   #6
sec_tech
LQ Newbie
 
Registered: Feb 2013
Posts: 5

Original Poster
Rep: Reputation: Disabled
I can grab the address, but it's my router... and using FORWARD vs INPUT. So here is the scenario and why I posted in Security.
I have a multi-NIC Debian server at home. I am using it as a firewall, using iptables. eth0 on this server is my outside interface; eth1 is the internal network (router attached). The problem I am running into is, I'm only seeing the router MAC and the eth1/eth0 MAC. I need the originating request MAC, so my laptop/tablets/phones/desktops, etc. But those are all attached to my router, which is behind the FW. So is this possible? Should I use some packet inspection instead? I REALLY REALLY do not want to rely on Snort or Shorewall or some other software. Thanks!
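The MAC field syntax described in post #5 (destination MAC, then source MAC, then ethertype) is the same whether the rule sits in INPUT or, as post #6 needs on a router, in FORWARD with -i eth1; it is absent from the OUTPUT-chain lines the original post shows because the kernel has not built the Ethernet header yet. The parser below is an added example, not code from the thread; the log lines, interface names and MAC addresses in it are constructed.

```python
import re
from typing import Optional

# Constructed sample kern.log lines (not taken from the thread). The first mirrors the
# OP's OUTPUT-chain line, which carries no MAC field; the second is what a FORWARD rule
# with "-i eth1" and a "--log-prefix 'FWD-OUT: '" would produce for a LAN host.
SAMPLE_LOG = """\
Feb 18 22:17:32 my-debian kernel: [50421.784255] IN= OUT=eth0 SRC=1.1.1.1 DST=2.2.2.2 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=13743 PROTO=UDP SPT=1765 DPT=53 LEN=61
Feb 19 10:01:02 my-debian kernel: [51234.000001] FWD-OUT: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:02:ab:cd:ef:01:23:08:00 SRC=192.168.1.23 DST=2.2.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
"""

# KEY=value tokens; the lookbehind keeps a log prefix glued to "IN=" from being parsed as a key.
TOKEN_RE = re.compile(r"(?<![\w-])([A-Z]+)=(\S*)")
# 14 bytes as colon-separated hex: dst MAC (6), src MAC (6), ethertype (2), per post #5.
MAC_RE = re.compile(
    r"^((?:[0-9a-f]{2}:){5}[0-9a-f]{2}):((?:[0-9a-f]{2}:){5}[0-9a-f]{2}):([0-9a-f]{2}:[0-9a-f]{2})$",
    re.I,
)


def parse_mac_field(mac: str) -> Optional[dict]:
    """Split the LOG target's MAC= value into dst MAC, src MAC and ethertype (e.g. 0x0800 = IPv4)."""
    m = MAC_RE.match(mac)
    if not m:
        return None
    dst, src, etype = m.groups()
    return {"dst_mac": dst.lower(), "src_mac": src.lower(), "ethertype": "0x" + etype.replace(":", "")}


def parse_log_line(line: str) -> Optional[dict]:
    """Extract the fields a router audit needs; src_mac is None when the kernel logged no MAC field."""
    fields = {}
    for key, value in TOKEN_RE.findall(line):
        if key in ("IN", "OUT", "MAC", "SRC", "DST", "PROTO", "SPT", "DPT") and key not in fields:
            fields[key] = value
    if "SRC" not in fields:
        return None  # not an iptables LOG line
    mac = parse_mac_field(fields.get("MAC", ""))
    return {
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields["SRC"], "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""), "spt": fields.get("SPT", ""), "dpt": fields.get("DPT", ""),
        "src_mac": mac["src_mac"] if mac else None,
        "ethertype": mac["ethertype"] if mac else None,
    }


def egress_by_mac(log_text: str) -> dict:
    """Map each LAN source MAC to the (dst, proto, dpt) tuples it opened outbound; lines without a MAC are skipped."""
    table = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["src_mac"]:
            table.setdefault(rec["src_mac"], set()).add((rec["dst"], rec["proto"], rec["dpt"]))
    return table
```

As post #7 notes, a MAC logged this way is the last hop's address: with a separate router in front of eth1, every entry collapses to that router's MAC rather than the end devices'.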
 
Old 02-20-2013, 09:04 AM   #7
wadhah102
LQ Newbie
 
Registered: Apr 2011
Location: Tunis, Tunisia
Distribution: Ubuntu/Debian/CentOS
Posts: 14

Rep: Reputation: 0
Hi,
When you use a router between the firewall and your clients (laptop/tablets/phones/desktops), you can see just the router's MAC... and this is the property of the Ethernet protocol HDLC, and also the router limits the collision domain.

Best Regards
 