LinuxQuestions.org > Linux - Security > IPTABLES log to file any input traffic
https://www.linuxquestions.org/questions/linux-security-4/iptables-log-to-file-any-input-traffic-4175654535/

mackowiakp 05-24-2019 01:12 PM

IPTABLES log to file any input traffic
 
I want to do some kind of "geofencing". That is, if my phone with WiFi turned on is in range of my home WiFi network and generates any traffic to my Raspberry Pi (Ubuntu 14.04 32 bit), I want to log this traffic to a file other than /var/log/something. For me it is important that it could be any traffic (UDP or TCP), and such a solution must recognise such traffic by the MAC address of the phone, not by IP address, because even DHCP broadcasts must be logged.
Take care that I am not interested in any particular traffic, protocol or packet, but I want to catch any possible traffic.
Be so kind as to help me resolve that problem.

tyler2016 05-28-2019 05:21 AM

In an appropriate spot in your rules file:

Code:

-A INPUT -j LOG

mackowiakp 05-28-2019 06:50 AM

I try something like this:

Code:

iptables -A INPUT -i eth0 -m mac --mac-source 90:b6:86:38:46:fa -j LOG --log-prefix "Note4"

But this is an RPi. So because of the lifespan of the SD card, there is no (r)syslog running. So nothing is logged.

RickDeckard 05-28-2019 06:52 PM

Have you tried ulogd? It should work if rsyslog is unavailable, but you'll have to go through some added configuration.

mackowiakp 05-30-2019 01:09 AM

Physically I have (r)syslog installed, but the daemon is disabled because it writes to a file in /var/log/something, so it dramatically reduces the lifespan of the SD card. I enable syslog only if necessary. The same situation is with ulogd. It still writes to a file located on the SD card, not to stdout. My goal is to analyse logs line by line, not write them to a file, except a temporary file located in RAM shared memory.

astrogeek 05-30-2019 02:02 AM

Use ulogd and write output to a named pipe which your analysis application uses for input.

mackowiakp 05-31-2019 05:09 AM

Named pipe - sounds good. But it is still writing to a file. As I mentioned, the whole system is located on an SD card, so placing such a file on the SD reduces its lifespan. The solution is to write it to RAM. But RAM has limited size. So is it possible to write such logs line by line to a file in such a way that the new line overwrites the older one? I am not interested in the details of the logs but only in the presence of such a "catch" by the iptables log rule.
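
One way to take ulogd output through a FIFO while keeping only the most recent line in memory, added here as an example and not code from any participant in the thread or from the ulogd project: the reader loop below overwrites a single shell variable with each new line, so neither RAM nor the SD card holds a growing log, and a second helper pulls the sending MAC out of a netfilter LOG line. The FIFO path /run/ulogd.fifo, the Pi's own MAC b8:27:eb:00:00:01 and the sample LOG line are constructed for the example; the phone's MAC is the one from the rule posted above.

```shell
#!/bin/sh
# Added example, not from the thread or from ulogd: read netfilter LOG lines from a FIFO
# and keep only the newest one in memory. Nothing here writes to a file.
# Assumption: ulogd (or any other writer) is pointed at the FIFO given as $1;
# /run/ulogd.fifo in the usage line is a placeholder path.

# Constructed sample of a netfilter LOG line for the rule in the thread (a DHCP discover
# from the phone). The kernel prints the prefix verbatim and then "IN=", so with
# --log-prefix "Note4" (no trailing space) a real line reads "Note4IN=eth0 ...".
# The Pi's MAC (b8:27:eb:00:00:01) and the addresses are made up; the source MAC is the phone's.
SAMPLE_LOG_LINE='Note4IN=eth0 OUT= MAC=b8:27:eb:00:00:01:90:b6:86:38:46:fa:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308'

# Print the sender's hardware address from a LOG line.
# The MAC= field is dst MAC (6 octets) : src MAC (6 octets) : ethertype (2 octets),
# so the source address is octets 7..12. Prints nothing if the line has no MAC= field.
src_mac_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*MAC=\([^ ]*\).*/\1/p' |
        awk -F: 'NF >= 12 { printf "%s:%s:%s:%s:%s:%s\n", $7, $8, $9, $10, $11, $12 }'
}

# Drain a FIFO until the writer closes it. Every line replaces the previous one in
# $last, so memory use stays at one line however long the phone stays in range.
# The kernel moves FIFO data between the two processes without touching the
# filesystem, which is what makes this safe for an SD-card root.
# Prints two lines: the number of LOG lines seen, then the last line (empty if none).
consume_fifo() {
    fifo=$1
    last=""
    count=0
    while IFS= read -r line; do
        last=$line
        count=$((count + 1))
    done < "$fifo"
    printf '%s\n%s\n' "$count" "$last"
}

# Usage on the Pi (path is a placeholder): sh fifo_presence.sh /run/ulogd.fifo
if [ -n "${1:-}" ] && [ -p "$1" ]; then
    consume_fifo "$1"
fi
```

The loop only returns when the writer closes its end of the FIFO; for a long-running ulogd you would act on each line inside the loop (for example, record the time in a variable as the "last seen" mark) and wrap the call in an outer loop so a restarted writer is picked up again. Lines for non-Ethernet interfaces carry no MAC= field, which is why src_mac_from_log prints nothing rather than a partial address.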

tyler2016 05-31-2019 05:24 AM

Code:

iptables -L -nv

This will show you the number of packets netfilter has applied your rules to.

mackowiakp 05-31-2019 11:42 AM

Quote:

Originally Posted by tyler2016 (Post 6000695)
Code:

iptables -L -nv

This will show you the number of packets netfilter has applied your rules to.

OK. But as I understand this syntax, it shows the number of packets netfilter has applied rules to, taken from the log file. So the log file still exists, as I understand. I want to avoid creating any huge file in RAM. Such a file should contain only the last line of the logs, no matter what it consists of. I am only interested in whether any packet defined by the iptables rule was registered or not. Is it possible?

astrogeek 05-31-2019 02:23 PM

Quote:

Originally Posted by mackowiakp (Post 6000684)
Named pipe - sounds good. But it is still writing to a file. As I mentioned, the whole system is located on an SD card, so placing such a file on the SD reduces its lifespan. The solution is to write it to RAM. But RAM has limited size. So is it possible to write such logs line by line to a file in such a way that the new line overwrites the older one? I am not interested in the details of the logs but only in the presence of such a "catch" by the iptables log rule.

No, the very first paragraph from man fifo:

Code:

      A FIFO special file (a named pipe) is similar to a pipe, except that it is accessed as part of the
      filesystem. It can be opened by multiple processes for reading or writing. When processes are
      exchanging data via the FIFO, the kernel passes all data internally without writing it to the
      filesystem. Thus, the FIFO special file has no contents on the filesystem; the filesystem entry
      merely serves as a reference point so that processes can access the pipe using a name in the
      filesystem.

Quote:

Originally Posted by tyler2016 (Post 6000695)
Code:

iptables -L -nv

This will show you the number of packets netfilter has applied your rules to.

Quote:

Originally Posted by mackowiakp (Post 6000780)
OK. But as I understand this syntax, it shows the number of packets netfilter has applied rules to, taken from the log file.

Again, no. The counters are maintained as part of the rule structure in kernel space, not in a file.

If you are going to ask for help, please at least seriously consider the replies offered.

Quote:

Originally Posted by mackowiakp (Post 6000780)
I am only interested in whether any packet defined by the iptables rule was registered or not.

Note: This is quite different from the previously stated goal...
"My goal is to analyse logs line by line not write it to file."

Then most definitely use iptables ... -v; how many packets matched the rule is exactly what the counters tell you.

Again, man iptables.
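
The counter-based check astrogeek describes, written out as an added example (not code from the thread or from the iptables project): it parses the exact per-rule packet count from `iptables -L INPUT -nvx`, compares two polls, and reports whether the phone's MAC produced traffic in between, so nothing is written to the SD card and no log line is stored at all. The two SAMPLE_* listings are constructed, not captured from a real host; the rule matched is the one posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from iptables: presence detection from the
# kernel's per-rule packet counter instead of from log lines. Nothing is written to disk.
# Assumption: the rule from the thread is in INPUT, i.e.
#   iptables -A INPUT -i eth0 -m mac --mac-source 90:b6:86:38:46:fa -j LOG --log-prefix "Note4"
# Counter values below are constructed, not captured from a real host.

# Constructed `iptables -L INPUT -nvx` output before and after the phone sent 15 packets.
# -x prints exact counts (no K/M suffixes); the mac match is shown as "MAC <addr>" in uppercase.
SAMPLE_BEFORE='Chain INPUT (policy ACCEPT 1200 packets, 96000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     3570 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MAC 90:B6:86:38:46:FA LOG flags 0 level 4 prefix "Note4"'

SAMPLE_AFTER='Chain INPUT (policy ACCEPT 1260 packets, 101000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      57     4850 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MAC 90:B6:86:38:46:FA LOG flags 0 level 4 prefix "Note4"'

# rule_pkts LISTING MAC: print the pkts counter of the first rule matching MAC.
# Case-insensitive because iptables prints the address in uppercase. Fails (exit 1)
# when no such rule exists, so a typo in the MAC is caught instead of read as "absent".
rule_pkts() {
    printf '%s\n' "$1" | awk -v mac="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        !found && toupper($0) ~ ("MAC " mac) { print $1; found = 1 }
        END { if (!found) exit 1 }'
}

# traffic_seen PREV CUR: true when the counter grew between two polls.
traffic_seen() {
    [ "$2" -gt "$1" ]
}

# poll_presence MAC [INTERVAL]: on the Pi (as root), print "present" or "absent"
# once per interval to stdout. Only the two integers prev/cur are kept in memory.
poll_presence() {
    mac=$1
    interval=${2:-30}
    prev=$(rule_pkts "$(iptables -L INPUT -nvx)" "$mac") || return 1
    while sleep "$interval"; do
        cur=$(rule_pkts "$(iptables -L INPUT -nvx)" "$mac") || return 1
        if traffic_seen "$prev" "$cur"; then echo present; else echo absent; fi
        prev=$cur
    done
}

# Usage on the Pi: sh mac_presence.sh 90:b6:86:38:46:fa 30
if [ -n "${1:-}" ]; then
    poll_presence "$1" "${2:-30}"
fi
```

Comparing deltas rather than absolute values matters because the counters start from zero at boot and are cleared by `iptables -Z`; a poll that sees a smaller value than before simply means the counter was reset, and the next interval resynchronises. Since the rule already exists only for the LOG target, the counter is a side effect you get for free even when no logging daemon is running.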
