* Log every packet, incoming and outgoing.
From: Thomas Kristensen @ 2004-08-20 10:32 UTC (permalink / raw)
To: netfilter
How can I log every packet arriving on the INPUT, OUTPUT and FORWARD chains?
I want to log every packet so that I can later collect the data and make stats
on the usage of every IP inside the firewall. The reason I need to
log is that I need to check every IP to see whether it is inside Denmark or outside
Denmark (I have the list of DK IPs).
I don't want a full system setup, I just need some kind of module for
iptables, or a configuration for iptables that logs everything.
The problem is that if I set a rule, iptables will stop at a matching rule, and
therefore I can't put a log rule at the end of all chains.
Any ideas?
----------------------------------------------
DarkNet Webmail - http://webmail.darknet.dk
* Re: Log every packet, incoming and outgoing.
From: Nick Drage @ 2004-08-20 10:41 UTC (permalink / raw)
To: netfilter
On Fri, Aug 20, 2004 at 12:32:24PM +0200, Thomas Kristensen wrote:
> I don't want a full system setup, I just need some kind of module for
> iptables, or a configuration for iptables that logs everything.
> The problem is that if I set a rule, iptables will stop at a matching rule, and
> therefore I can't put a log rule at the end of all chains.
>
> Any ideas?
Start all your chains with a LOG rule. Netfilter logs the packet and
then passes it on to the next rule, so you'll get your matches, but the
packet will continue to be processed.
Why do you have to check every packet, though? If this is just to see
who is using your servers, the daemons themselves probably keep adequate
logs.
--
"I think a church with a lightning rod shows a decided lack of confidence"
* Re: Log every packet, incoming and outgoing.
From: Thomas Kristensen @ 2004-08-20 11:17 UTC (permalink / raw)
To: netfilter
OK, cool. Is it possible to specify the location of the log files? And how?
* Re: Log every packet, incoming and outgoing.
From: Nick Drage @ 2004-08-20 12:09 UTC (permalink / raw)
To: netfilter
On Fri, Aug 20, 2004 at 01:17:30PM +0200, Thomas Kristensen wrote:
> OK, cool. Is it possible to specify the location of the log files? And how?
http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.12
It's been a while since I looked, but the netfilter documentation is
actually rather good and certainly worth reading and referring to.
You'll need to look at your distribution specific information for
details on your syslog configuration.
--
"I think a church with a lightning rod shows a decided lack of confidence"
* Re: Log every packet, incoming and outgoing.
From: Linux mailbox Openware @ 2004-08-20 12:18 UTC (permalink / raw)
To: Hyper, netfilter
On %verzonden%, %afzender% wrote:
> OK, cool. Is it possible to specify the location of the log files?
> And how?
Example:
echo "Logging..."
# LOG is non-terminating: each packet is logged and then continues to the next rule
iptables -t filter -A INPUT -j LOG --log-prefix "fw input: "
iptables -t filter -A OUTPUT -j LOG --log-prefix "fw output: "
iptables -t filter -A FORWARD -j LOG --log-prefix "fw forward: "
Logging can be monitored in /var/log/messages, with "fw input: ", "fw output: " and
"fw forward: " as markers.
Greetings,
Jan Rozema
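The following is an added example, not code from the thread or from Jan Rozema: a POSIX shell function that turns the "fw forward: " lines the LOG rules above write to syslog into per-host packet and byte totals, which is the collection step Thomas asked about. Two caveats a practitioner would add. First, with -A the LOG rule is appended, so it only sees packets that no earlier terminating rule has already accepted or dropped; to log everything it has to be the first rule in each chain, as the other replies say (iptables -I FORWARD 1 -j LOG ... rather than -A). Second, the field names IN=, OUT=, SRC=, DST= and LEN= are what the LOG target emits, but the sample lines below are constructed for this example, and the hostname fw and the LAN interface name eth1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: aggregate the "fw forward: " LOG lines
# written by the rules above into per-host packet and byte totals.
# Only the IN=, OUT=, SRC=, DST= and LEN= fields of a LOG line are used.

# Constructed sample log lines (syslog prefix + netfilter LOG output); the
# hostname "fw" and the LAN interface eth1 are assumptions for the example.
SAMPLE_LOG='Aug 20 12:30:01 fw kernel: fw forward: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 20 12:30:01 fw kernel: fw forward: IN=eth0 OUT=eth1 SRC=198.51.100.1 DST=192.168.1.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=55 ID=9 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=5792 RES=0x00 ACK URGP=0
Aug 20 12:30:02 fw kernel: fw forward: IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=77 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 20 12:30:02 fw kernel: fw input: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=12345 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# fw_stats PREFIX LAN_IF < logfile
# Prints one "host packets bytes" line per LAN host, largest byte count first.
# A packet is charged to the LAN host that sent it (IN=LAN_IF) or that will
# receive it (OUT=LAN_IF); lines without PREFIX (other chains) are skipped.
fw_stats() {
    awk -v pfx="$1" -v lan="$2" '
        index($0, pfx) == 0 { next }
        {
            src = dst = inif = outif = ""; len = 0
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue               # bare flags such as DF or SYN
                if (kv[1] == "IN")       inif  = kv[2]
                else if (kv[1] == "OUT") outif = kv[2]
                else if (kv[1] == "SRC") src   = kv[2]
                else if (kv[1] == "DST") dst   = kv[2]
                else if (kv[1] == "LEN") len   = kv[2] + 0
            }
            if (inif == lan)       host = src
            else if (outif == lan) host = dst
            else next                             # not to/from a LAN host
            pk[host]++; by[host] += len
        }
        END { for (h in pk) printf "%s %d %d\n", h, pk[h], by[h] }
    ' | sort -k3,3nr
}

# Runs on the constructed sample; on a real firewall:
#   fw_stats "fw forward: " eth1 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | fw_stats "fw forward: " eth1
```

The "fw input: " line is ignored because the prefix does not match, which is the point of giving each chain its own --log-prefix. Matching the host list against the Danish ranges is left to whatever consumes this output; the next reply in the thread shows why counting in the kernel is the better design for that question anyway.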
* Re: Log every packet, incoming and outgoing.
From: Aleksandar Milivojevic @ 2004-08-23 14:53 UTC (permalink / raw)
To: netfilter
Thomas Kristensen wrote:
> How can I log every packet arriving on the INPUT, OUTPUT and FORWARD chains?
>
> I want to log every packet so that I can later collect the data and make stats
> on the usage of every IP inside the firewall. The reason I need to
> log is that I need to check every IP to see whether it is inside Denmark or outside
> Denmark (I have the list of DK IPs).
>
> I don't want a full system setup, I just need some kind of module for
> iptables, or a configuration for iptables that logs everything.
> The problem is that if I set a rule, iptables will stop at a matching rule, and
> therefore I can't put a log rule at the end of all chains.
That is why you would put the log rule at the beginning of all chains. The LOG
target is non-terminating, and Netfilter will continue with the next
rule in the chain (until it finds one that matches and is
terminating, like ACCEPT or DROP):
-A FORWARD -j LOG --log-prefix "something "
... rest of your FORWARD rules go here ...
BTW, you are aware that this is going to generate a tremendous amount of
logs? You might be better off creating rules that you use only
as counters. Assuming eth0 is your external interface, and that no
traffic is to/from the firewall itself (or you don't care about it; it seems you
are only interested in the clients, right?):
-N DK_CNT
-A DK_CNT -o eth0 -d range1 -j RETURN
-A DK_CNT -i eth0 -s range1 -j RETURN
-A DK_CNT -o eth0 -d range2 -j RETURN
-A DK_CNT -i eth0 -s range2 -j RETURN
-A DK_CNT -o eth0 -d range3 -j RETURN
-A DK_CNT -i eth0 -s range3 -j RETURN
-A DK_CNT -j RETURN
# This one should be first rule in FORWARD chain
-A FORWARD -j DK_CNT
... rest of your FORWARD rules go here ...
RangeN are the IP ranges from your list. iptables -L DK_CNT -nvx will give
you packet and byte counters for each Danish IP range you have, with the
side effect that the last line will give you a summary of all non-Danish
traffic, and the DK_CNT chain counter will hold the total traffic. Note that
these counters are (I believe) 32-bit unsigned integers, so after they
reach 2^32 they start counting from zero again (which will
happen on the firewall after some time). You'll need to detect this and
act accordingly. Alternatively, use iptables -L DK_CNT -nvxZ, which
will zero the counters after reading them (doing this regularly from cron,
often enough that they cannot theoretically overflow). It should be
trivial to write a script to parse the output of iptables -L and do all the
statistics you might need...
Not to mention that the second approach will be much gentler on the firewall
from a performance perspective.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
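As an added example (not the poster's code), the counter approach above turned into a script: one function generates the DK_CNT chain in iptables-restore syntax from a file of ranges, one sums a saved iptables -L DK_CNT -nvx listing into Danish and non-Danish byte totals, and one computes the difference between two readings of a counter, allowing for the 32-bit wrap the post describes. The range list (RFC 5737 documentation prefixes standing in for the real Danish list) and the listing are constructed for this example; eth0 as the external interface follows the post. One correction worth knowing: iptables packet and byte counters are 64-bit (struct xt_counters), so the wrap does not occur in practice, but the check is cheap and the function keeps it.

```shell
#!/bin/sh
# Added example, not the poster's code: the counter-based approach as a script.

# Constructed stand-ins for the Danish range list (RFC 5737 documentation
# prefixes, one per line; blank lines and # comments are ignored).
SAMPLE_RANGES='198.51.100.0/24
# second allocation
203.0.113.0/24'

# Constructed "iptables -L DK_CNT -nvx" listing, in the layout iptables prints:
# pkts bytes target prot opt in out source destination
SAMPLE_LISTING='Chain DK_CNT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      10      1200 RETURN     all  --  *      eth0    0.0.0.0/0            198.51.100.0/24
      12     15000 RETURN     all  --  eth0   *       198.51.100.0/24      0.0.0.0/0
       3       300 RETURN     all  --  *      eth0    0.0.0.0/0            203.0.113.0/24
       0         0 RETURN     all  --  eth0   *       203.0.113.0/24       0.0.0.0/0
     100    120000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# dk_cnt_rules EXT_IF < ranges  -> iptables-restore fragment for the counter chain.
# Each range gets an outbound (-o EXT_IF -d) and an inbound (-i EXT_IF -s) RETURN;
# the final unconditional RETURN counts everything that is not Danish. The chain
# is inserted at position 1 of FORWARD so every forwarded packet is counted
# before any ACCEPT/DROP rule can end the traversal.
dk_cnt_rules() {
    ext="$1"
    echo "-N DK_CNT"
    while read -r range; do
        case "$range" in ''|'#'*) continue ;; esac
        echo "-A DK_CNT -o $ext -d $range -j RETURN"
        echo "-A DK_CNT -i $ext -s $range -j RETURN"
    done
    echo "-A DK_CNT -j RETURN"
    echo "-I FORWARD 1 -j DK_CNT"
}

# dk_cnt_summary < listing  -> "danish BYTES" and "other BYTES".
# The catch-all rule is the one whose source and destination are both 0.0.0.0/0;
# every other RETURN line belongs to a Danish range.
dk_cnt_summary() {
    awk '
        /^Chain / || /^ *pkts / { next }
        NF >= 9 {
            if ($8 == "0.0.0.0/0" && $9 == "0.0.0.0/0") other += $2
            else danish += $2
        }
        END { printf "danish %d\nother %d\n", danish + 0, other + 0 }
    '
}

# counter_delta PREV CUR -> traffic between two readings of one counter.
# If CUR < PREV the counter wrapped; the post assumes a 32-bit counter, so add
# 2^32. (Real iptables counters are 64-bit, so this branch is defensive only.)
counter_delta() {
    awk -v p="$1" -v c="$2" 'BEGIN {
        d = c - p
        if (d < 0) d += 4294967296
        print d
    }'
}

# Demonstration on the constructed data. On a real firewall:
#   dk_cnt_rules eth0 < dk-ranges.txt | iptables-restore -n
#   iptables -L DK_CNT -nvx | dk_cnt_summary
printf '%s\n' "$SAMPLE_RANGES" | dk_cnt_rules eth0
printf '%s\n' "$SAMPLE_LISTING" | dk_cnt_summary
counter_delta 4294967000 500
```

Note that dk_cnt_rules emits only the chain fragment; feeding it to iptables-restore with -n keeps the existing ruleset instead of replacing it. If the counters are instead zeroed on each read with -Z from cron, counter_delta is unnecessary and each listing is already a per-interval total.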