LinuxQuestions.org
Old 01-28-2010, 03:37 PM   #1
tuxtutorials
Member
 
Registered: Dec 2008
Location: New York
Distribution: RedHat, Solaris
Posts: 68

Rep: Reputation: 16
Tracing source and destination through squid proxy using iptables


Hello all, I need some guidance with iptables and need to know your best take on this and if this is even possible. Here is a brief summary of what I am trying to accomplish. We have a proxy server that services our entire organization using squid in conjunction with websense. We are planning on turning on iptables to restrict traffic flow from our internal hosts to only allow them to go back and not be able to browse internal hosts since we have noticed our internal webservers can be hit by clients using the proxy. One idea proposed was to turn on iptables in a passive state to just log so we came up with the following script to just log:

Code:
#!/bin/bash

IPTABLES=/sbin/iptables

# Flush the filter and nat tables and delete any user-defined chains
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X

# Default INPUT LOG rule: log everything arriving on any interface except loopback.
# The trailing space in the prefix keeps it from running into the IN= field in syslog.
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "INPUT LOG " --log-ip-options --log-tcp-options

# Default OUTPUT LOG rule: log everything leaving on any interface except loopback
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "OUTPUT LOG " --log-ip-options --log-tcp-options
This accomplished what we wanted but the final goal of passively logging was to run it through some Perl munging to parse out:

a. source of host connecting to proxy on 3128
b. the destination the host connecting to the proxy was headed (internal/external).
c. We also wanted to know what ports this connecting host was connecting to internal or external.


Once we munged all the logs we would open up the required access only for the proxy to talk to the essential servers internal that it needed access to and block all remaining internal bound connections and only allow outbound connections to 80/443.

The issue occurs when we took a look at what we were logging:


Code:
Nov 13 11:07:13 proxy kernel: INPUT LOGIN=eth0 OUT= MAC=00:00:00:00:00 SRC=68.55.16.30 DST=192.168.1.20 LEN=144 TOS=0x00 PREC=0x00 TTL=243 ID=43793 DF PROTO=TCP SPT=80 DPT=55264 WINDOW=10109 RES=0x00 ACK PSH URGP=0 OPT (010100AEE4C5D134)
Nov 13 11:07:13 proxy kernel: OUTPUT LOGIN= OUT=eth0 SRC=192.168.1.20 DST=68.55.16.30 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6226 DF PROTO=TCP SPT=55264 DPT=80 WINDOW=8984 RES=0x00 ACK URGP=0 OPT (0101080AF172F192EE4C5D27)
Nov 13 11:07:13 proxy kernel: OUTPUT LOGIN= OUT=eth0 SRC=192.168.1.20 DST=192.168.30.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=56999 DF PROTO=TCP SPT=2028 DPT=2886 WINDOW=8576 RES=0x00 ACK URGP=0
Nov 13 11:07:13 proxy kernel: INPUT LOGIN=eth0 OUT= MAC=00:00:00:00:00 SRC=66.66.166.149 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=46577 PROTO=TCP SPT=80 DPT=55204 WINDOW=3840 RES=0x00 RST URGP=0
Nov 13 11:07:13 proxy kernel: INPUT LOGIN=eth0 OUT= MAC=00:00:00:00:00 SRC=192.168.72.207 DST=192.168.1.20 LEN=76 TOS=0x00 PREC=0x00 TTL=126 ID=39120 DF PROTO=TCP SPT=1097 DPT=2028 WINDOW=63856 RES=0x00 ACK PSH URGP=0
Nov 13 11:07:13 proxy kernel: OUTPUT LOGIN= OUT=eth0 SRC=192.168.1.20 DST=192.168.20.128 LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=38202 DF PROTO=TCP SPT=32918 DPT=55805 WINDOW=1460 RES=0x00 ACK URGP=0 OPT (01000BFEACE)
Nov 13 11:07:13 proxy kernel: OUTPUT LOGIN= OUT=eth0 SRC=192.168.1.20 DST=192.168.49.207 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=44003 DF PROTO=TCP SPT=2028 DPT=1097 WINDOW=17940 RES=0x00 ACK URGP=0
Nov 13 11:07:13 proxy kernel: OUTPUT LOGIN= OUT=eth0 SRC=192.168.1.20 DST=66.66.4.200 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=55775 DF PROTO=TCP SPT=47468 DPT=443 WINDOW=32767 RES=0x00 ACK PSH URGP=0
Nov 13 11:07:13 proxy kernel: INPUT LOGIN=eth0 OUT= MAC=00:00:00:00:00 SRC=192.168.20.128 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=125 ID=30681 DF PROTO=TCP SPT=55805 DPT=32918 WINDOW=65535 RES=0x00 ACK URGP=0 OPT (01010CFF172F0E1)
Nov 13 11:07:13 proxy kernel: OUTPUT LOGIN= OUT=eth0 SRC=192.168.1.20 DST=192.168.3.128 LEN=988 TOS=0x00 PREC=0x00 TTL=64 ID=38204 DF PROTO=TCP SPT=32918 DPT=55805 WINDOW=1460 RES=0x00 ACK PSH URGP=0 OPT (0101080AF1FEACF)

From the data we obtained above I am confused about how I can gather the host who originated the connection to the proxy, and where the user went. Ex: Client (192.168.3.40) -> Proxy (192.168.1.20) -> connected to www.google.com. Can this be achieved through a single line of iptables logging?

My ideal output would be something like this:

Nov 13 11:07:13 proxy kernel: OUTPUT LOGIN=

IN=eth0 SRC=192.168.3.4 (Client) DST=192.168.1.20 (Proxy)
Somehow track the connection made by proxy by client to www.somehost.com
LEN=988 TOS=0x00 PREC=0x00 TTL=64 ID=38204 DF PROTO=TCP SPT=32918 DPT=55805 WINDOW=1460 RES=0x00 ACK PSH URGP=0 OPT (0101080AF1FEACF)


Thanks for any input.

Last edited by tuxtutorials; 01-28-2010 at 03:43 PM.
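One way to start the log munging the post describes, as an added Python example (not the poster's Perl, and not part of the original thread): it splits iptables LOG lines into fields, keeps only connection openers (SYN without ACK) so each TCP connection is counted once, and labels each as a client hitting the proxy on 3128 or the proxy reaching an internal or external host. Assumptions: the proxy address 192.168.1.20 and port 3128 are taken from the post; the sample lines are constructed, modelled on the post's format, and include one line in the post's original no-space "INPUT LOGIN=" form. The parser also makes the limitation visible: iptables sees two separate TCP connections (client to proxy, proxy to destination) and nothing in a LOG line ties one to the other, so the client-to-URL mapping has to come from squid's own access.log rather than from a single iptables rule.

```python
import ipaddress
import re
from collections import Counter

# Assumed from the post: the proxy's address and squid's listening port.
PROXY_IP = "192.168.1.20"
PROXY_PORT = 3128

# Constructed sample log, modelled on the format in the post (not real traffic).
# Line 4 uses the post's original "INPUT LOGIN=" form (prefix without trailing space).
SAMPLE_LOG = """\
Nov 13 11:07:13 proxy kernel: INPUT LOG IN=eth0 OUT= MAC=00:00:00:00:00 SRC=192.168.3.40 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=1001 DF PROTO=TCP SPT=51000 DPT=3128 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 13 11:07:13 proxy kernel: OUTPUT LOG IN= OUT=eth0 SRC=192.168.1.20 DST=66.66.4.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=47468 DPT=443 WINDOW=32767 RES=0x00 SYN URGP=0
Nov 13 11:07:14 proxy kernel: OUTPUT LOG IN= OUT=eth0 SRC=192.168.1.20 DST=192.168.30.107 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=2028 DPT=80 WINDOW=8576 RES=0x00 SYN URGP=0 OPT (020405B4)
Nov 13 11:07:14 proxy kernel: INPUT LOGIN=eth0 OUT= MAC=00:00:00:00:00 SRC=68.55.16.30 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=243 ID=1004 DF PROTO=TCP SPT=80 DPT=55264 WINDOW=10109 RES=0x00 ACK PSH URGP=0
Nov 13 11:07:15 proxy kernel: OUTPUT LOG IN= OUT=eth0 SRC=192.168.1.20 DST=192.168.30.107 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1005 DF PROTO=TCP SPT=2028 DPT=80 WINDOW=8576 RES=0x00 ACK URGP=0
"""

# The optional space after LOG accepts both "INPUT LOG IN=" and the post's "INPUT LOGIN=".
HEADER_RE = re.compile(r"kernel: (INPUT|OUTPUT) LOG ?(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split one iptables LOG syslog line into a dict of KEY=VALUE fields.

    Bare tokens (DF, SYN, ACK, PSH, RST, ...) are collected under "FLAGS";
    the chain name from the --log-prefix goes under "CHAIN"; an OPT (...)
    group is stored under "OPT". Returns None for lines that are not LOG lines.
    """
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m.group(1), "FLAGS": []}
    toks = m.group(2).split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        kv = KV_RE.fullmatch(tok)
        if kv:
            fields[kv.group(1)] = kv.group(2)
        elif tok == "OPT" and i + 1 < len(toks):
            fields["OPT"] = toks[i + 1].strip("()")
            i += 1
        else:
            fields["FLAGS"].append(tok)
        i += 1
    return fields


def classify(fields):
    """Label a connection-opening packet by its role relative to the proxy.

    Returns (role, src, dst, dport) or None. Only SYN-without-ACK packets are
    considered so that each TCP connection is counted once, at its start.
    """
    flags = fields["FLAGS"]
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None
    src, dst, dport = fields["SRC"], fields["DST"], int(fields["DPT"])
    if fields["CHAIN"] == "INPUT" and dst == PROXY_IP and dport == PROXY_PORT:
        return ("client->proxy", src, dst, dport)
    if fields["CHAIN"] == "OUTPUT" and src == PROXY_IP:
        # RFC 1918 space counts as internal; anything else is treated as external.
        scope = "internal" if ipaddress.ip_address(dst).is_private else "external"
        return ("proxy->" + scope, src, dst, dport)
    return None


def summarize(log_text):
    """Count new connections per (role, destination, port) over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        labelled = classify(fields)
        if labelled:
            role, _src, dst, dport = labelled
            counts[(role, dst, dport)] += 1
    return counts


if __name__ == "__main__":
    for (role, dst, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{role:16} {dst:16} port {dport:<5} new connections: {n}")
```

The per-(role, destination, port) counts are what the final allow-list needs: the "proxy->internal" rows are the internal servers the proxy genuinely talks to, and everything else internal-bound can be dropped. Adding `-p tcp --syn` to the LOG rules themselves would restrict logging to the same connection openers the script filters for and cut the syslog volume considerably.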