I'm doing some advanced iptables logging using the ULOG target to save all connections to a table for later analysis.

I've never logged anything with iptables:
1. The jump directive (-j) is defined as "stop processing this rule and jump to this target", and since ULOG is a userspace process, does that mean the packet gets sent to ulogd and not passed on to the next chain, or is the packet copied to multicast? It makes sense for the latter to be the case.

2. If I want to log connections to, say, all external web sites, would this be a good rule?
My problem with this is that it will log every single packet on this gateway, and if I have heavy traffic, my log DB will quickly explode. How could I restrict this to say, connections instead of individual packets? I don't need to know that 192.168.1.20 used 1000 packets to download an image from a web site, merely that he visited that site, so one entry would do (per HTTP request obviously). Also I only need date, source and dest IPs (and ports if not matched by iptables).

The logging requirement I must meet is to "be able to match traffic to a single user".

Should I consider another (perhaps non-iptables) logging facility? I'm going to be adding squid to my gateway soon, should I look into logging at that point (that won't log things like ssh though will it?)

You could use SQUID to log websites. If you want to log just once per connection with iptables, you could add -m state --state NEW (IIRC) to the rule.

I knew it would involve a match-state directive but I'm a little muddled in using that; match new seems correct to me though.

The general idea being that we want to be able to know what web sites people are hitting in case, say, they're accessing child porn, and also be able to identify break-in attempts on external servers originating from us.

I'm just afraid that the log file (mysql db) could blow up if there are 1000 people online at the same time, but this match should work all right, we've got a pretty beefy system.

Thanks!

Of course, all someone needs is an SSH tunnel to get around this, but well, you can't secure everything, can you? Besides, with an SSH tunnel, it comes back to the SSH server, not yours.

Very true, but SSH tunnels are easy to write-off as "unloggable". I'll put it in my report nonetheless

Not to mention anonymizing SSL-secured proxies, etc, etc. But the point is... anything where a remote log would point to your system should be loggable.

Good rule of thumb, so I guess it's squid and iptables logging.

So just to confirm, a -j ULOG / -j LOG directive logs the packet to userspace/syslogd, it doesn't move the packet to the logger and not forward it, right?

I understand it the same way. To log dropped packets, I believe you need identical rules with -j (U)LOG, -j DROP. (In that order, of course).

Sounds good.Now that I think about it though, it's fairly easy to test -j ULOG all traffic from a LAN IP and see if it still works...and it does!

Sample:

So, out of curiousity, how hard is it to set up userspace logging?

Depends which one you mean. If you use the LOG (i.e., sends to syslogd) then it's dead easy since it shows up in /var/log/syslog and has the added advantage of being rotated by cron.
EDIT You can also specify which data you want logged and a custom line header like "HTTP Request: ".

ULOG I haven't set up yet, but for me it has MANY more advantages over syslogd, most notably MySQL interaction which means easy rel-time interaction with remote hosts via web pages.

It seems that using ulogd makes it simple, though I've only installed it this afternoon; the config is quite similar to samba/syslogd.

I'm definitely going to go the ULOG route, so once I have it all done I'll write and post a HOW-TO (in fact, I'm writing a few how-tos during the course of this project to post here once I can confirm they're correct and work 'as advertised' after some real use).

Yeah, I was referring to ULOG. I've used the regular LOG for quite a while and find it, quite frankly, quite klutzy. I guess that's what I get for running syslogd on my firewall. I wish I'd known about metalog when I installed it. I guess I could convert over, but that seems a tad... awkward.

I would suggest ULOG because, like I said, it allows MySQL interaction that LOG/syslog doesn't, something that, for a gateway/router, is pretty useful but may be overkill for a home user--you decide

IMNSHO nothing's overkill on a Linux box.

GNUmonks.org ULOGd Project (ULOG userspace multicast handler)
http://gnumonks.org/gnumonks/project...details?p_id=1

I agree, nothing's overkill. Besides, it's all fun. And high-volume logging is really more appropriate for ulog with an SQL backend.

Hi there,

Have been trying to figure out how to log the internet access of my kids on our home lan that looks like this:

ADSL Modem/Router (includes harware firewall) --> eth0 --> Linux Server (providing NAT) --> eth1 --> local LAN (static IPs)

Lots of 'googling' and many blind alleys but (it seems) that this thread has a similar aim.

I am not very experienced at Linux but am prepared to learn. I have tried tcpdump, ethereal and a few others but, although I could trace the traffic between eth1 and the 'downstream' lan users, I could not get any info on the URLs being accessed.

Have you had any success in the use of log or ulog?

I would be very happy to get any assistance.

Regards,

Geoff.