I built a server application that needs to implement a lawful interception system. (When I say lawful interception, I mean just simple logging of what users accessed.) I opted for the ULOG extension and write the log results to a database. My iptables rule that does this is something like:
iptables -I POSTROUTING -m state --state NEW -o eth0 -s 10.0.0.0/24 -j ULOG --ulog-cprange 100 -t nat
From the ULOG man pages I know that it has only four options that aren't related to log level: --ulog-nlgroup, --ulog-prefix, --ulog-cprange and --ulog-qthreshold. I would like to put some options on that rule so that some redundant data won't be logged in the database anymore. Below I explain my issue:
In my table I have:
Code:
user_ip   | destination_ip | length | protocol | src_port | dst_port |
10.3.1.10 | 173.194.70.149 | 60     | 6        | 38486    | 80       |
10.3.1.10 | 173.194.70.149 | 60     | 6        | 38487    | 80       |
10.3.1.10 | 173.194.70.149 | 60     | 6        | 38488    | 80       |
As you can see, the user_ip and destination_ip are the same in all three rows. Only the port from which the request is made differs. I put the --state NEW option in my rule to avoid logging the same thing many times. In the above scenario it seems that the same connection is made on three different ports in the beginning. (Probably due to TCP/IP, but in the case of UDP there are also other issues.)
Question: Can anyone help me on eliminating that redundant data?
In the case of the UDP protocol, for example, there is no src_port and no dst_port specified, and the same tuple is logged many times in the database. (Of course there are some other fields that differ, like request time, but I didn't print them above for the sake of simplicity.) If you want an extract for UDP, just tell me.
I would like to eliminate the redundant data because there can be situations where this server is used by thousands or tens of thousands of users, and in that case eliminating this redundant data would increase performance for different tasks.
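One way to deal with the duplication described in the post is to keep the per-packet ULOG rows as the raw record and derive a compact per-flow table from them: rows with the same (user_ip, destination_ip, protocol, dst_port) that arrive within a time window are collapsed into one summary that keeps first/last seen, a hit count and the set of source ports. The script below is an added example written for this post, not code from the poster or from the ULOG project; it assumes the table has a timestamp column alongside the columns shown above, and the sample rows in it are constructed (the UDP rows are made up to show the same tuple repeating).

```python
"""Collapse repeated connection-log rows into per-flow summaries.

Added example, not from the original post. Assumes rows shaped like the
poster's table plus a timestamp column; the sample rows are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample rows:
# (timestamp, user_ip, destination_ip, length, protocol, src_port, dst_port)
SAMPLE_ROWS = [
    (1000.0, "10.3.1.10", "173.194.70.149", 60, 6, 38486, 80),
    (1000.2, "10.3.1.10", "173.194.70.149", 60, 6, 38487, 80),
    (1000.5, "10.3.1.10", "173.194.70.149", 60, 6, 38488, 80),
    (1001.0, "10.3.1.10", "8.8.8.8", 72, 17, 51000, 53),        # UDP, DNS
    (1001.3, "10.3.1.10", "8.8.8.8", 72, 17, 51000, 53),        # same UDP tuple again
    (1400.0, "10.3.1.10", "173.194.70.149", 60, 6, 40001, 80),  # outside window: new flow
]


@dataclass
class FlowSummary:
    """One row of the derived per-flow table."""
    user_ip: str
    destination_ip: str
    protocol: int
    dst_port: int
    first_seen: float
    last_seen: float
    hits: int = 0          # number of raw rows folded into this summary
    bytes: int = 0         # sum of the logged length field
    src_ports: set = field(default_factory=set)


def summarize_flows(rows, window=300.0):
    """Group raw rows by (user_ip, destination_ip, protocol, dst_port).

    A row whose key was last seen no more than `window` seconds earlier is
    merged into the existing summary; otherwise a new summary is opened.
    Rows are sorted by timestamp first, so input order does not matter.
    """
    summaries = []
    open_flows = {}  # key -> index of the summary currently open for it
    for ts, user_ip, dst_ip, length, proto, src_port, dst_port in sorted(rows, key=lambda r: r[0]):
        key = (user_ip, dst_ip, proto, dst_port)
        idx = open_flows.get(key)
        if idx is not None and ts - summaries[idx].last_seen <= window:
            s = summaries[idx]
            s.last_seen = ts
        else:
            s = FlowSummary(user_ip, dst_ip, proto, dst_port, ts, ts)
            summaries.append(s)
            open_flows[key] = len(summaries) - 1
        s.hits += 1
        s.bytes += length
        s.src_ports.add(src_port)
    return summaries


if __name__ == "__main__":
    for s in summarize_flows(SAMPLE_ROWS):
        print(f"{s.user_ip} -> {s.destination_ip}:{s.dst_port}/{s.protocol} "
              f"hits={s.hits} bytes={s.bytes} src_ports={sorted(s.src_ports)} "
              f"span={s.first_seen}-{s.last_seen}")
```

Run over the constructed rows this yields three summaries: the three TCP rows to port 80 collapse into one entry with hits=3 and all three source ports, the two identical UDP rows collapse into one, and the port-80 row that arrives well after the window opens a new entry. The same grouping can be expressed as a GROUP BY on the raw table in a scheduled job, and the raw table can then be pruned; the window is what preserves the distinction between "one burst of connections" and "the same user coming back later". If you would rather suppress the repeats before they are logged at all, iptables can do that in the rule itself with `-m hashlimit` (for example `--hashlimit-mode srcip,dstip,dstport`), at the cost of losing the per-connection count that the summary above retains.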