LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-24-2007, 08:40 PM   #1
t163r
LQ Newbie
 
Registered: Apr 2001
Posts: 15

Rep: Reputation: 0
iptables log new connections to ports


Hi

I would like to do the following and hope some can give some advice.

- Log any new incoming traffic on two known ports on my system.
- I only need the ip address that connects, no more info is needed.
- I don't need to know how often, so no duplicates of a single IP address are needed.
Meaning: if it's already logged, don't bother logging it again. Hence the "new" in the first line here.
- Ignore (don't log) a list of "known" IP addresses

Is this possible? (The duplicate and known list stuff...)

I think I need to set up my own chain and build the rules in it, then apply it like this :
Code:
iptables -A INPUT -p tcp --dport 1234 -j LOGNEW
(where LOGNEW is my chain)

The reason is to monitor traffic to these two ports, if any, from others than the IPs on the known list.
I know I should just allow traffic in from the known list and block the rest, but they are on dhcp so...

Even just a hint in the right direction here would be very nice.

Thank you
 
Old 03-25-2007, 06:48 PM   #2
SiegeX
Member
 
Registered: Jul 2004
Location: Silicon Valley, CA
Distribution: Slackware
Posts: 171

Rep: Reputation: 38
Quote:
- I only need the ip address that connects, no more info is needed.
You really don't have much control over this; you can look into ulogd to send the logs to a different file or database via the -j ULOG target.
Quote:
- I don't need to know how often, so no duplicates of a single ip address is needed.
Probably the best way to do this is to log only new connections to the port. This will not prevent multiple logs per IP but it will limit it by only recording one log per session. You could always do some post-processing of your logs if you want to remove duplicates, look into the 'uniq' command for that.

Quote:
- Ignore (don't log) a list of "known" ip addresses
This can be easy to accomplish if the list of "known" IPs is in an easy-to-define range. Otherwise this will require multiple rules, one per IP.

So for example, if you want to log new connections to ports 21 and 22 but allow known IPs in the range 1.2.3.0-1.2.3.255 to pass through unlogged, I would do something like this:

iptables -N LOGNEW
iptables -A INPUT -i $WAN_IF -p tcp -m state --state NEW -m multiport --dports 21,22 -j LOGNEW
iptables -A LOGNEW -m iprange --src-range 1.2.3.0-1.2.3.255 -j RETURN
iptables -A LOGNEW -j ULOG --ulog-prefix "[LOGNEW] "

Note that $WAN_IF is a placeholder for whatever interface you want to do the logging on.

Last edited by SiegeX; 03-25-2007 at 06:50 PM.
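A worked version of the setup in the reply above, added here as an illustration; it is not code from the thread or from SiegeX. It generates the LOGNEW rules (printed rather than executed, so it can be reviewed without root and then piped into sh), and then does the post-processing the reply suggests: pulling the SRC= field out of the resulting log lines and reporting each address only once, with a seen-file so later runs stay quiet about addresses already reported. Assumptions not in the thread: the interface is eth0, the kernel LOG target is used instead of ULOG so no ulogd is needed, a -m limit rule is added so a connection flood cannot fill the syslog, the sample log lines are constructed, and the function names (lognew_rules, lognew_src_ips, lognew_new_ips) are hypothetical.

```bash
#!/bin/bash
# Added example, not from the thread. Builds the LOGNEW chain as described
# in the reply and de-duplicates source addresses from the resulting logs.
# Assumptions: eth0 as the WAN interface, known range 1.2.3.0-1.2.3.255,
# ports 21 and 22, and the LOG target (kernel syslog) rather than ULOG.

WAN_IF="${WAN_IF:-eth0}"
KNOWN_RANGE="${KNOWN_RANGE:-1.2.3.0-1.2.3.255}"
PORTS="${PORTS:-21,22}"

# Print the iptables commands instead of running them, so they can be
# inspected first. Apply with:  lognew_rules | sh
# Order matters: the RETURN for the known range must precede the LOG rule.
# The -m limit rule caps log volume so a SYN flood cannot fill the syslog.
lognew_rules() {
    cat <<EOF
iptables -N LOGNEW
iptables -A INPUT -i $WAN_IF -p tcp -m state --state NEW -m multiport --dports $PORTS -j LOGNEW
iptables -A LOGNEW -m iprange --src-range $KNOWN_RANGE -j RETURN
iptables -A LOGNEW -m limit --limit 10/min -j LOG --log-prefix "[LOGNEW] "
EOF
}

# Read log lines on stdin; print each source address seen in a [LOGNEW]
# line exactly once (this is the 'uniq' post-processing from the reply,
# done with sort -u so the input need not be pre-sorted).
lognew_src_ips() {
    grep -F '[LOGNEW]' | grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort -u
}

# Print only addresses not already recorded in SEENFILE, and append them
# to it, so repeated runs over a growing log report each address once.
# Usage: lognew_new_ips LOGFILE SEENFILE
lognew_new_ips() {
    local logfile="$1" seen="$2"
    touch "$seen"
    lognew_src_ips < "$logfile" | grep -vxFf "$seen" | tee -a "$seen"
}

# Constructed sample syslog lines in the format the LOG target produces
# (addresses are from documentation ranges, not real hosts).
SAMPLE_LOG="$(mktemp)"
SEEN="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG" "$SEEN"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 25 18:50:01 gw kernel: [LOGNEW] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 25 18:50:05 gw kernel: [LOGNEW] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 25 18:51:12 gw kernel: [LOGNEW] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=21 SYN
Mar 25 18:52:30 gw kernel: unrelated message SRC=10.9.9.9
EOF

echo "rules to apply:"
lognew_rules
echo "first run (two new addresses):"
lognew_new_ips "$SAMPLE_LOG" "$SEEN"
echo "second run (nothing new):"
lognew_new_ips "$SAMPLE_LOG" "$SEEN"
```

The first run reports 198.51.100.23 and 203.0.113.7 once each (203.0.113.7 appears in two log lines, one per new session), and the second run prints nothing because both addresses are now in the seen-file. Addresses in the known range never reach the LOG rule at all, so they never appear in the log and need no filtering here.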