Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
05-05-2005, 11:48 AM
#1
Member
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468
General gateway logging (and iptables ULOG) ?
I'm doing some advanced iptables logging using the ULOG target to save all connections to a table for later analysis.
I've never logged anything with iptables:
1. The jump directive (-j) is defined as "stop processing this rule and jump to this target", and since ULOG is a userspace process, does that mean the packet gets sent to ulogd and not passed on to the next chain, or is the packet copied to multicast? It makes sense for the latter to be the case.
2. If I want to log connections to, say, all external web sites, would this be a good rule?
Code:
iptables -t filter -A FORWARD -p tcp --dport 80 -o $WAN -j ULOG --ulog-prefix "HTTP " --ulog-qthreshold 50
My problem with this is that it will log every single packet on this gateway, and if I have heavy traffic, my log DB will quickly explode. How could I restrict this to say, connections instead of individual packets? I don't need to know that 192.168.1.20 used 1000 packets to download an image from a web site, merely that he visited that site, so one entry would do (per HTTP request obviously). Also I only need date, source and dest IPs (and ports if not matched by iptables).
The logging requirement I must meet is to "be able to match traffic to a single user".
Should I consider another (perhaps non-iptables) logging facility? I'm going to be adding squid to my gateway soon, should I look into logging at that point (that won't log things like ssh though will it?)
Last edited by michaelsanford; 05-05-2005 at 11:51 AM.
05-05-2005, 12:50 PM
#2
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
You could use SQUID to log websites. If you want to log just once per connection with iptables, you could add -m state --state NEW (IIRC) to the rule.
05-05-2005, 02:40 PM
#3
Member
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468
Original Poster
I knew it would involve a match-state directive but I'm a little muddled in using that; match new seems correct to me though.
The general idea being that we want to be able to know what web sites people are hitting in case, say, they're accessing child porn, and also be able to identify break-in attempts on external servers originating from us.
I'm just afraid that the log file (mysql db) could blow up if there are 1000 people online at the same time, but this match should work all right, we've got a pretty beefy system.
Thanks!
05-05-2005, 02:49 PM
#4
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Of course, all someone needs is an SSH tunnel to get around this, but well, you can't secure everything, can you? Besides, with an SSH tunnel, it comes back to the SSH server, not yours.
05-05-2005, 10:22 PM
#5
Member
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468
Original Poster
Very true, but SSH tunnels are easy to write off as "unloggable". I'll put it in my report nonetheless.
05-05-2005, 10:27 PM
#6
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Not to mention anonymizing SSL-secured proxies, etc, etc. But the point is... anything where a remote log would point to your system should be loggable.
05-05-2005, 10:35 PM
#7
Member
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468
Original Poster
Good rule of thumb, so I guess it's squid and iptables logging.
So just to confirm, a -j ULOG / -j LOG directive logs the packet to userspace/syslogd, it doesn't move the packet to the logger and not forward it, right?
05-05-2005, 10:38 PM
#8
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
I understand it the same way. To log dropped packets, I believe you need identical rules with -j (U)LOG, -j DROP. (In that order, of course).
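The two points made in #2 (add `-m state --state NEW` so a connection is logged once, on the packet that creates its conntrack entry, rather than on every packet) and #8 (to log a dropped packet you need two otherwise identical rules, ULOG first, DROP second) as a small rule-building script. This is an added example, not code from the thread or from the ulogd project; the interface names eth0/eth1, the port list, the ULOG prefixes and the `DRY_RUN` preview switch are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): build the FORWARD-chain logging rules
# discussed in posts #2 and #8. Interface names, ports and prefixes are
# assumptions; adjust them for your gateway.
WAN="${WAN:-eth0}"   # assumption: interface facing the modem/Internet
LAN="${LAN:-eth1}"   # assumption: interface facing the local LAN

# run: apply one rule, or with DRY_RUN=1 print it instead, so the whole rule
# set can be reviewed before it touches a live gateway.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# log_new_http PORT: one ULOG entry per new outbound TCP connection to PORT.
# '-m state --state NEW' matches only the packet that creates the conntrack
# entry (the SYN), so a 1000-packet download yields a single log record.
# ULOG is non-terminating: the packet carries on to the next rule afterwards,
# which is why this can sit in FORWARD without a second ACCEPT rule here.
log_new_http() {
    run -t filter -A FORWARD -o "$WAN" -p tcp --dport "$1" \
        -m state --state NEW \
        -j ULOG --ulog-prefix "HTTP " --ulog-qthreshold 50
}

# log_and_drop PORT: record, then block, new outbound connections to PORT.
# Two rules, identical except for the target, and the order matters: ULOG does
# not stop rule traversal, DROP does, so a DROP placed first is never logged.
# Because the SYN is dropped, no later packets of that connection ever appear.
log_and_drop() {
    run -t filter -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$1" \
        -m state --state NEW -j ULOG --ulog-prefix "DROP "
    run -t filter -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport "$1" \
        -m state --state NEW -j DROP
}

# apply_policy: log web connections once each; log, then block, outbound telnet.
# Preview without applying:  DRY_RUN=1 sh -c '. ./gateway-log.sh && apply_policy'
apply_policy() {
    log_new_http 80
    log_new_http 443
    log_and_drop 23
}
```

Run the preview first and compare its output with `iptables-save` on the gateway; the `--ulog-qthreshold 50` only batches how many packets the kernel queues per netlink message to ulogd, it does not change which packets match.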
05-05-2005, 10:54 PM
#9
Member
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468
Original Poster
Sounds good. Now that I think about it though, it's fairly easy to test -j ULOG all traffic from a LAN IP and see if it still works... and it does!
Sample:
Code:
root@gateway:/var/log# iptables -t filter -A FORWARD \
-p tcp -s 10.0.0.11 --dport 80 -j LOG
root@gateway:/var/log# cat syslog
May 5 22:52:10 gateway kernel: IN=wlan0 OUT=eth0 \
SRC=10.0.0.11 DST=128.30.52.34 LEN=52 TOS=0x00 \
PREC=0x00 TTL=63 ID=37917DF PROTO=TCP \
SPT=49265 DPT=80 WINDOW=65535 RES=0x00 \
ACK FIN URGP=0
Last edited by michaelsanford; 05-05-2005 at 10:55 PM.
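The syslog line above is what `-j LOG` writes for every single packet, which is exactly the volume problem raised in #1. The following added example (not from the thread) collapses such per-packet kernel LOG lines into one record per TCP connection, keeping only what the original poster said was needed: date, source and destination IPs, and ports. It assumes the standard netfilter LOG key=value layout (`SRC=`, `DST=`, `SPT=`, `DPT=`, `PROTO=`); the sample lines, including the sshd line thrown in to show non-LOG entries being ignored, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): summarise kernel LOG lines by connection.
# The sample syslog content below is constructed; a real /var/log/syslog would be
# piped in instead.
SAMPLE_SYSLOG='May  5 22:52:10 gateway kernel: IN=wlan0 OUT=eth0 SRC=10.0.0.11 DST=128.30.52.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37917 DF PROTO=TCP SPT=49265 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
May  5 22:52:11 gateway kernel: IN=wlan0 OUT=eth0 SRC=10.0.0.11 DST=128.30.52.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=37918 DF PROTO=TCP SPT=49265 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
May  5 22:52:12 gateway sshd[1234]: Accepted publickey for geoff from 10.0.0.12 port 40000 ssh2
May  5 22:52:15 gateway kernel: IN=wlan0 OUT=eth0 SRC=10.0.0.12 DST=64.233.167.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# flows_from_syslog: read syslog on stdin and print one line per TCP connection
# (SRC, SPT, DST, DPT): first-seen timestamp, the four tuple fields, and the
# number of packets that were logged for it. Lines that are not netfilter LOG
# output (no kernel:/SRC=/DST=/PROTO=TCP) are skipped.
flows_from_syslog() {
    awk '
    /kernel: / && /SRC=/ && /DST=/ && /PROTO=TCP/ {
        src = ""; dst = ""; spt = ""; dpt = ""
        # Fields are KEY=VALUE tokens; pick out the four we keep.
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        key = src " " spt " " dst " " dpt
        if (!(key in first)) {
            first[key] = $1 " " $2 " " $3   # month, day, time of the first packet
            order[++n] = key                 # remember first-seen order for output
        }
        count[key]++
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            print first[k], k, count[k]
        }
    }'
}

# demo_flows: run the collapser over the constructed sample.
# Expected: two lines, 10.0.0.11 -> 128.30.52.34:80 (2 packets) and
# 10.0.0.12 -> 64.233.167.99:80 (1 packet); the sshd line is ignored.
demo_flows() {
    printf '%s\n' "$SAMPLE_SYSLOG" | flows_from_syslog
}
```

On a live gateway this is `flows_from_syslog < /var/log/syslog`; it is a post-processing fallback for the LOG target, whereas the `--state NEW` match keeps the per-packet records from being written in the first place.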
05-05-2005, 10:57 PM
#10
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
So, out of curiosity, how hard is it to set up userspace logging?
05-05-2005, 11:08 PM
#11
Member
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468
Original Poster
Depends which one you mean. If you use the LOG (i.e., sends to syslogd) then it's dead easy since it shows up in /var/log/syslog and has the added advantage of being rotated by cron.
EDIT: You can also specify which data you want logged and a custom line header like "HTTP Request: ".
ULOG I haven't set up yet, but for me it has MANY more advantages over syslogd, most notably MySQL interaction, which means easy real-time interaction with remote hosts via web pages.
It seems that using ulogd makes it simple, though I've only installed it this afternoon; the config is quite similar to samba/syslogd.
I'm definitely going to go the ULOG route, so once I have it all done I'll write and post a HOW-TO (in fact, I'm writing a few how-tos during the course of this project to post here once I can confirm they're correct and work 'as advertised' after some real use).
05-05-2005, 11:17 PM
#12
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Yeah, I was referring to ULOG. I've used the regular LOG for quite a while and find it, quite frankly, quite klutzy. I guess that's what I get for running syslogd on my firewall. I wish I'd known about metalog when I installed it. I guess I could convert over, but that seems a tad... awkward.
05-05-2005, 11:37 PM
#13
Member
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468
Original Poster
I would suggest ULOG because, like I said, it allows MySQL interaction that LOG/syslog doesn't, something that, for a gateway/router, is pretty useful but may be overkill for a home user--you decide
IMNSHO nothing's overkill on a Linux box.
GNUmonks.org ULOGd Project (ULOG userspace multicast handler)
http://gnumonks.org/gnumonks/project...details?p_id=1
05-05-2005, 11:43 PM
#14
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
I agree, nothing's overkill. Besides, it's all fun. And high-volume logging is really more appropriate for ulog with an SQL backend.
05-18-2005, 08:29 AM
#15
Member
Registered: Jun 2004
Location: Melbourne, Australia
Posts: 47
Hi there,
Have been trying to figure out how to log the internet access of my kids on our home lan that looks like this:
ADSL Modem/Router (includes hardware firewall) --> eth0 --> Linux Server (providing NAT) --> eth1 --> local LAN (static IPs)
Lots of 'googling' and many blind alleys but (it seems) that this thread has a similar aim.
I am not very experienced at Linux but am prepared to learn. I have tried tcpdump, ethereal and a few others but, although I could trace the traffic between eth1 and the 'downstream' lan users, I could not get any info on the URLs being accessed.
Have you had any success in the use of log or ulog?
I would be very happy to get any assistance.
Regards,
Geoff.