LinuxQuestions.org
05-24-2019, 01:12 PM   #1
mackowiakp (Member, registered Jun 2014, Poland/Gdynia; Distribution: Mageia 7, SH4, Debian)
IPTABLES log to file any input traffic


I want to do some kind of "geofencing". That is, if my phone with WiFi turned on is in range of my home WiFi network and generates any traffic to my Raspberry Pi (Ubuntu 14.04 32 bit), I want to log this traffic to a file other than /var/log/something. What is important for me is that it could be any traffic (UDP or TCP), and such a solution must recognise that traffic by the MAC address of the phone, not by IP address, because even DHCP broadcasts must be logged.
Take note that I am not interested in any particular traffic, protocol or packet; I want to catch any possible traffic.
Please be so kind as to help me resolve this problem.
 
05-28-2019, 05:21 AM   #2
tyler2016 (Member, registered Sep 2018; Distribution: Debian, CentOS, FreeBSD)
In an appropriate spot in your rules file:

Code:
-A INPUT -j LOG
 
05-28-2019, 06:50 AM   #3
mackowiakp (Original Poster; Member, registered Jun 2014, Poland/Gdynia; Distribution: Mageia 7, SH4, Debian)
I tried something like this:

Code:
iptables -A INPUT -i eth0 -m mac --mac-source 90:b6:86:38:46:fa -j LOG --log-prefix "Note4"
But this is an RPi, so because of the lifespan of the SD card there is no (r)syslog running. So nothing is logged.
 
05-28-2019, 06:52 PM   #4
RickDeckard (Member, registered Jan 2014, Acworth, Georgia, USA; Distribution: Arch Hardened, Ubuntu 18.04, Fedora 30)
Have you tried ulogd? It should work if rsyslog is unavailable, but you'll have to go through some added configuration.
 
05-30-2019, 01:09 AM   #5
mackowiakp (Original Poster; Member, registered Jun 2014, Poland/Gdynia; Distribution: Mageia 7, SH4, Debian)
Physically I have (r)syslog installed, but the daemon is disabled because it writes to /var/log/something, which dramatically reduces the lifespan of the SD card. I enable syslog only if necessary. The situation is the same with ulogd: it still writes to a file located on the SD card, not to stdout. My goal is to analyse the logs line by line, not write them to a file, except for a temporary file located in RAM shared memory.
 
05-30-2019, 02:02 AM   #6
astrogeek (Moderator, registered Oct 2008; Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1})
Use ulogd and write output to a named pipe which your analysis application uses for input.
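As an added example (not code from the thread or from the ulogd project), here is a ulogd2 configuration that takes packets from an NFLOG rule, formats them the way the kernel LOG target would, and writes them to a FIFO on /dev/shm (tmpfs, so RAM rather than the SD card). It assumes the Debian/Ubuntu ulogd2 package on a 32-bit ARM Pi (plugin directory /usr/lib/arm-linux-gnueabihf/ulogd/; confirm with `dpkg -L ulogd2`) and the same MAC, interface and prefix as the rule posted in #3; the FIFO path and NFLOG group number 1 are our choices.

```ini
# Added example ulogd.conf (not from the thread). The iptables rule must jump
# to NFLOG instead of LOG, otherwise the packets never reach ulogd:
#   iptables -A INPUT -i eth0 -m mac --mac-source 90:b6:86:38:46:fa \
#            -j NFLOG --nflog-group 1 --nflog-prefix "Note4"

[global]
# ulogd's own diagnostics; "stdout" (or "syslog") keeps them off the SD card
logfile="stdout"
# plugin directory is an assumption for an armhf Debian/Ubuntu install
plugin="/usr/lib/arm-linux-gnueabihf/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/arm-linux-gnueabihf/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/arm-linux-gnueabihf/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/arm-linux-gnueabihf/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/arm-linux-gnueabihf/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/arm-linux-gnueabihf/ulogd/ulogd_output_LOGEMU.so"

# one pipeline: NFLOG input -> decode -> interface name -> IPs as text
#                -> LOG-style text line -> LOGEMU writer
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
# must equal --nflog-group in the rule
group=1

[emu1]
# a named pipe on tmpfs; create it first:  mkfifo -m 600 /dev/shm/iptables.fifo
file="/dev/shm/iptables.fifo"
# flush after every line so the reader sees each packet immediately
sync=1
```

Create the FIFO and start the reader (for example `while read -r line; do ...; done < /dev/shm/iptables.fifo`) before starting ulogd: opening a FIFO for writing blocks until some process has it open for reading, and the reader has to stay up for as long as ulogd does. The LOG target only writes to the kernel log buffer, which is what a syslog daemon would pick up; NFLOG hands the packet to userspace over netlink, which is where ulogd collects it, so the two targets are not interchangeable here.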
 
05-31-2019, 05:09 AM   #7
mackowiakp (Original Poster; Member, registered Jun 2014, Poland/Gdynia; Distribution: Mageia 7, SH4, Debian)
Named pipe: sounds good. But it is still writing to a file. As I mentioned, the whole system is located on the SD card, so placing such a file on the SD card reduces its lifespan. The solution is to write it to RAM. But RAM has limited size. So is it possible to write such logs line by line to a file in such a way that a new line overwrites the older one? I am not interested in the details of the logs but only in the presence of such a "catch" by the iptables log rule.
 
05-31-2019, 05:24 AM   #8
tyler2016 (Member, registered Sep 2018; Distribution: Debian, CentOS, FreeBSD)
Code:
iptables -L -nv
This will show you the number of packets netfilter has applied your rules to.

Last edited by tyler2016; 05-31-2019 at 05:29 AM.
 
05-31-2019, 11:42 AM   #9
mackowiakp (Original Poster; Member, registered Jun 2014, Poland/Gdynia; Distribution: Mageia 7, SH4, Debian)
Quote:
Originally Posted by tyler2016 View Post
Code:
iptables -L -nv
This will show you the number of packets netfilter has applied your rules to.
OK. But as I understand this syntax, it shows the number of packets netfilter has applied rules to, taken from the log file. So the log file still exists, as I understand it. I want to avoid creating any huge file in RAM. Such a file should contain only the last line of the logs, no matter what it consists of. I am only interested in whether any packet defined by an iptables rule was registered or not. Is it possible?
 
05-31-2019, 02:23 PM   #10
astrogeek (Moderator, registered Oct 2008; Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1})
Quote:
Originally Posted by mackowiakp View Post
Named pipe - sounds good. But it is still writing to file. As I mentioned, all system is located on SD card so placeig such file on SD reduce its lifespan. The solution is write it to RAM. But RAM has limited size. So is it possible to write such logs line by line to file in that way that new line overwrite older one? I am not interesting in details of logs but only in presence of such one "catch" by iptables log rule.
No, the very first paragraph from man fifo:

Code:
A FIFO special file (a named pipe) is similar to a pipe, except that it is accessed as part of the filesystem. It can be opened by multiple processes for reading or writing. When processes are exchanging data via the FIFO, the kernel passes all data internally without writing it to the filesystem. Thus, the FIFO special file has no contents on the filesystem; the filesystem entry merely serves as a reference point so that processes can access the pipe using a name in the filesystem.
Quote:
Originally Posted by tyler2016 View Post
Code:
iptables -L -nv
This will show you the number of packets netfilter has applied your rules to.
Quote:
Originally Posted by mackowiakp View Post
OK. But as I understand this syntax, it shows number of packets netfilter has applied rules to taken from log file.
Again, no. The counters are maintained as part of the rule structure in kernel space, not in a file.

If you are going to ask for help, please at least seriously consider the replies offered.

Quote:
Originally Posted by mackowiakp View Post
I am only interested in this that any packet defined bu iptabes rule was registered or not.

Note: This is quite different from the previously stated goal...
"My goal is to analyse logs line by line not write it to file."
Then most definitely use iptables ... -v, how many packets matched the rule is exactly what the counters tell you.

Again, man iptables.

Last edited by astrogeek; 05-31-2019 at 02:50 PM. Reason: Added quote, counter recommend
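The counter approach from #8 and #10, worked through as an added example (our script, not something posted in the thread): it polls the packet counter of a dedicated counting rule and turns counter changes into arrived/left events, so nothing is ever written to the SD card, or to RAM beyond a few shell variables, which is the "only presence, not content" requirement stated in #7 and #9. Assumptions that are not in the thread: the rule is inserted with -I at the top of INPUT so it sees every frame from that MAC, DHCP broadcasts included, before any later rule can drop them; it has no -j target, so it only counts and never changes what is accepted; it carries the iptables comment phone-note4, which the script matches on; the ABSENT_AFTER/INTERVAL values are our choices; and the listing at the bottom is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): phone presence from the packet counter
# of an iptables rule.  Nothing is logged anywhere; the kernel keeps the
# counter inside the rule structure and we only compare successive readings.
# Assumed counting rule (our choice), installed once as root:
#   iptables -I INPUT -i eth0 -m mac --mac-source 90:b6:86:38:46:fa \
#            -m comment --comment phone-note4
# No -j target: the rule counts and the packet continues down the chain.

TAG="${TAG:-phone-note4}"          # comment on the counting rule (assumption)
INTERVAL="${INTERVAL:-30}"         # seconds between polls
ABSENT_AFTER="${ABSENT_AFTER:-4}"  # idle polls before the phone counts as gone

# Pull the pkts column of the rule carrying "/* $1 */" out of
# `iptables -nvxL INPUT` text on stdin.  -x prints exact counters (no K/M
# suffixes), and matching on the comment works even though a target-less
# rule leaves the "target" column empty and shifts the others.
counter_from_listing() {
    awk -v tag="/* $1 */" 'index($0, tag) { print $1; exit }'
}

# Live reading; needs root.  Empty output means the rule is not there.
read_counter() {
    iptables -nvxL INPUT | counter_from_listing "$TAG"
}

# Pure state transition so the logic can be exercised without root.
# Args: prev_counter cur_counter idle_polls state(present|absent)
# Prints: "<new-state> <new-idle> <event>"  with event = arrived|left|none
# A counter that went down (iptables -Z, rule reload) is treated as "no new
# packets"; the caller re-baselines on the next poll.
transition() {
    if [ "$2" -gt "$1" ]; then
        if [ "$4" = absent ]; then echo "present 0 arrived"; else echo "present 0 none"; fi
    else
        idle=$(($3 + 1))
        if [ "$4" = present ] && [ "$idle" -ge "$ABSENT_AFTER" ]; then
            echo "absent $idle left"
        else
            echo "$4 $idle none"
        fi
    fi
}

# Run a series of counter samples ($1 = baseline, rest = polls) through
# transition() and print each event that fires, one per line.
events_for_samples() {
    state=absent; idle=0; prev=$1; shift
    for cur in "$@"; do
        set -- $(transition "$prev" "$cur" "$idle" "$state")
        state=$1; idle=$2
        [ "$3" = none ] || echo "$3"
        prev=$cur
    done
}

# Poll loop for the Pi (root):  sh presence.sh watch
watch() {
    prev=$(read_counter)
    if [ -z "$prev" ]; then echo "no INPUT rule with comment $TAG" >&2; return 1; fi
    state=absent; idle=0
    while sleep "$INTERVAL"; do
        cur=$(read_counter)
        if [ -z "$cur" ]; then echo "counting rule disappeared" >&2; return 1; fi
        set -- $(transition "$prev" "$cur" "$idle" "$state")
        state=$1; idle=$2
        if [ "$3" != none ]; then
            # geofencing hook goes here; stdout only, nothing touches the SD card
            echo "$(date '+%F %T') phone $3 (counter=$cur)"
        fi
        prev=$cur
    done
}

# Constructed sample of `iptables -nvxL INPUT` output (not a real capture).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     3360            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MAC 90:B6:86:38:46:FA /* phone-note4 */
     900    81000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           '

case "${1:-demo}" in
    watch) watch ;;
    demo)  printf '%s\n' "$SAMPLE_LISTING" | counter_from_listing "$TAG"
           events_for_samples 42 42 50 50 50 50 50 51 ;;
esac
```

Run it as `sh presence.sh watch` as root on the Pi; with no argument it runs the offline demo against the constructed listing, which yields the counter 42 and the events arrived, left, arrived. Tune INTERVAL and ABSENT_AFTER to how chatty the phone is when idle: a sleeping phone can go minutes without sending a frame, so "left" is only ever an idle timeout, never a positive signal, while "arrived" is immediate because any frame from that MAC, including a DHCP discover, bumps the counter.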
 
Tags
iptables, log files, traffic

