* Logging
@ 2004-03-15 15:51 Mario Udina
2004-03-15 16:07 ` Logging Frederic de Villamil
` (3 more replies)
0 siblings, 4 replies; 10+ messages in thread
From: Mario Udina @ 2004-03-15 15:51 UTC (permalink / raw)
To: netfilter
Hello!
I have done some googling; however, I did not manage to find out whether
there is a way to define a file where iptables writes its logs.
As I read in the man page, the file where the logs are written is the
kernel log, i.e. /var/log/messages.
Is there a way to send this output to another file in order to keep the
logs clean?
regards,
Mario Udina
--
i would like to die as my grandfather did, quietly in his sleep
and not in panic and disbelief as the passengers of his bus.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Logging
2004-03-15 15:51 Logging Mario Udina
@ 2004-03-15 16:07 ` Frederic de Villamil
2004-03-15 16:08 ` Logging Antony Stone
` (2 subsequent siblings)
3 siblings, 0 replies; 10+ messages in thread
From: Frederic de Villamil @ 2004-03-15 16:07 UTC (permalink / raw)
To: Mario Udina; +Cc: netfilter
On Mon, 15 Mar 2004, Mario Udina wrote:
> Hello!
>
> I have done some googling; however, I did not manage to find out whether
> there is a way to define a file where iptables writes its logs.
>
> As I read in the man page, the file where the logs are written is the
> kernel log, i.e. /var/log/messages.
>
> Is there a way to send this output to another file in order to keep the
> logs clean?
>
> regards,
Hi Mario,
Maybe what you're looking for is in /etc/syslog.conf.
--
< Ylli> lol I'm kidding neuro, I don't take you for a pervert but for a
respectable president and family man :s
http://www.seclab.jp
* Re: Logging
2004-03-15 15:51 Logging Mario Udina
2004-03-15 16:07 ` Logging Frederic de Villamil
@ 2004-03-15 16:08 ` Antony Stone
2005-04-19 7:55 ` IP Forwarding from Local IP to Live IP elg3ne
2004-03-15 16:25 ` Logging Frank Gruellich
2004-03-15 16:36 ` Logging forum
3 siblings, 1 reply; 10+ messages in thread
From: Antony Stone @ 2004-03-15 16:08 UTC (permalink / raw)
To: netfilter
On Monday 15 March 2004 3:51 pm, Mario Udina wrote:
> Hello!
>
> I have done some googling; however, I did not manage to find out whether
> there is a way to define a file where iptables writes its logs.
>
> As I read in the man page, the file where the logs are written is the
> kernel log, i.e. /var/log/messages.
>
> Is there a way to send this output to another file in order to keep the
> logs clean?
netfilter logs via syslogd; therefore, by changing the --log-level option to
the LOG target you can get messages sent to some other file as specified in
your syslog.conf (however, you may not be able to keep them *completely*
separate from other messages, depending on how you arrange syslog.conf).
If you want to change the syslog facility as well as the level, which is the
ideal solution, you'll have to hack the netfilter logging source code :(
Antony.
--
The first fifty percent of an engineering project takes ninety percent of the
time, and the remaining fifty percent takes another ninety percent of the
time.
Please reply to the list;
please don't CC me.
* IP Forwarding from Local IP to Live IP
2004-03-15 16:08 ` Logging Antony Stone
@ 2005-04-19 7:55 ` elg3ne
2005-04-19 7:44 ` Taylor Grant
2005-04-19 11:42 ` Jason Opperisano
0 siblings, 2 replies; 10+ messages in thread
From: elg3ne @ 2005-04-19 7:55 UTC (permalink / raw)
To: netfilter
Hi guys, I'm new to iptables. I hope someone can help me with this.
The situation is this: I have a web server running on a local network machine
(192.168.1.3) and I want it to be accessible from outside my network. Is it
possible?
The setup is like this:
workstation (192.168.1.3) ---> HUB ---> server ( LIVE IP, accessible
everywhere on the net )
When a user accesses the live IP, e.g. 10.0.0.3, can he be forwarded to get
the files on the workstation?
Thanks
* Re: IP Forwarding from Local IP to Live IP
2005-04-19 7:55 ` IP Forwarding from Local IP to Live IP elg3ne
@ 2005-04-19 7:44 ` Taylor Grant
2005-04-19 8:41 ` elg3ne
2005-04-19 11:42 ` Jason Opperisano
1 sibling, 1 reply; 10+ messages in thread
From: Taylor Grant @ 2005-04-19 7:44 UTC (permalink / raw)
To: elg3ne; +Cc: netfilter
> Hi guys, I'm new to iptables. I hope someone can help me with this.
>
> The situation is this: I have a web server running on a local network machine
> (192.168.1.3) and I want it to be accessible from outside my network. Is it
> possible?
>
> The setup is like this:
>
> workstation (192.168.1.3) ---> HUB ---> server ( LIVE IP, accessible
> everywhere on the net )
>
> When a user accesses the live IP, e.g. 10.0.0.3, can he be forwarded to get
> the files on the workstation?
I think you are talking about simple port forwarding. To accomplish this you would want to run such a setup on the server / router / firewall.
iptables -t nat -A PREROUTING -i $INet_Interface -d 10.0.0.3 -p tcp --dport $Port_of_Service -j DNAT --to-destination 192.168.1.3:$Port_of_Service
iptables -t nat -A PREROUTING -i $INet_Interface -d 10.0.0.3 -p udp --dport $Port_of_Service -j DNAT --to-destination 192.168.1.3:$Port_of_Service
iptables -t nat -A POSTROUTING -o $LAN_Interface -d 192.168.1.3 -p tcp --dport $Port_of_Service -j SNAT --to-source $Internal_IP_of_Server
iptables -t nat -A POSTROUTING -o $LAN_Interface -d 192.168.1.3 -p udp --dport $Port_of_Service -j SNAT --to-source $Internal_IP_of_Server
This will take any TCP or UDP traffic that is coming in to the server on port $Port_of_Service and (port) forward it to 192.168.1.3, where the traffic will be handled as if it were originally destined to the internal system.
Grant. . . .
* Re: IP Forwarding from Local IP to Live IP
2005-04-19 7:44 ` Taylor Grant
@ 2005-04-19 8:41 ` elg3ne
2005-04-19 19:12 ` Taylor, Grant
0 siblings, 1 reply; 10+ messages in thread
From: elg3ne @ 2005-04-19 8:41 UTC (permalink / raw)
To: Taylor Grant; +Cc: netfilter
----- Original Message -----
From: "Taylor Grant" <gtaylor@riverviewtech.net>
To: "elg3ne" <sun@dap.edu.ph>
Cc: <netfilter@lists.netfilter.org>
Sent: Tuesday, April 19, 2005 3:44 PM
Subject: Re: IP Forwarding from Local IP to Live IP
> > Hi guys, I'm new to iptables. I hope someone can help me with this.
> >
> > The situation is this: I have a web server running on a local network
> > machine (192.168.1.3) and I want it to be accessible from outside my
> > network. Is it possible?
> >
> > The setup is like this:
> >
> > workstation (192.168.1.3) ---> HUB ---> server ( LIVE IP, accessible
> > everywhere on the net )
> >
> > When a user accesses the live IP, e.g. 10.0.0.3, can he be forwarded to
> > get the files on the workstation?
>
> I think you are talking about simple port forwarding. To accomplish this
> you would want to run such a setup on the server / router / firewall.
>
> iptables -t nat -A PREROUTING -i $INet_Interface -d 10.0.0.3 -p tcp --dport $Port_of_Service -j DNAT --to-destination 192.168.1.3:$Port_of_Service
> iptables -t nat -A PREROUTING -i $INet_Interface -d 10.0.0.3 -p udp --dport $Port_of_Service -j DNAT --to-destination 192.168.1.3:$Port_of_Service
> iptables -t nat -A POSTROUTING -o $LAN_Interface -d 192.168.1.3 -p tcp --dport $Port_of_Service -j SNAT --to-source $Internal_IP_of_Server
> iptables -t nat -A POSTROUTING -o $LAN_Interface -d 192.168.1.3 -p udp --dport $Port_of_Service -j SNAT --to-source $Internal_IP_of_Server
>
> This will take any TCP or UDP traffic that is coming in to the server on
> port $Port_of_Service and (port) forward it to 192.168.1.3, where the
> traffic will be handled as if it were originally destined to the internal
> system.
>
> Grant. . . .
Hi Grant, I have an existing Linux PC firewall. The machine has 2 NICs, one
for the live IP and one for the local IP. I also have an existing firewall
script on the machine; I will post it here so you can take a look at it.
I've tried to add the above iptables commands but had no luck. Thanks.
LOCALLINK="eth0"
GLOBALLINK="eth1"
ROUTER="yes"
NAT="10.0.0.3"
INTERFACES="lo eth0 eth1"
SERVICES="8080 80"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${GLOBALLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #enable public access to certain services
    for x in ${SERVICES}
    do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    iptables -A INPUT -p tcp -i ${GLOBALLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${GLOBALLINK} -j REJECT --reject-with icmp-port-unreachable
    #explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

    #disable spoofing on all interfaces
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done

    if [ "$ROUTER" = "yes" ]
    then
        #we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            #dynamic IP address, use masquerading
            echo "Enabling masquerading (dynamic ip)..."
            iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
            iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j MASQUERADE
            iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT

            #################################
            iptables -t nat -A PREROUTING -i $GLOBALLINK -d 203.87.141.9 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.11:8080
            iptables -t nat -A PREROUTING -i $GLOBALLINK -d 203.87.141.9 -p udp --dport 8080 -j DNAT --to-destination 192.168.1.11:8080
            iptables -t nat -A POSTROUTING -o $LOCALLINK -d 192.168.1.11 -p tcp --dport 8080 -j SNAT --to-source 192.168.1.1
            iptables -t nat -A POSTROUTING -o $LOCALLINK -d 192.168.1.11 -p udp --dport 8080 -j SNAT --to-source 192.168.1.1
            #################################

        elif [ "$NAT" != "" ]
        then
            #static IP, use SNAT
            echo "Enabling SNAT (static ip)..."
            iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
            iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j SNAT --to-source ${NAT}
            iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT
        fi
    fi

elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -F FORWARD
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi
* Re: IP Forwarding from Local IP to Live IP
2005-04-19 8:41 ` elg3ne
@ 2005-04-19 19:12 ` Taylor, Grant
0 siblings, 0 replies; 10+ messages in thread
From: Taylor, Grant @ 2005-04-19 19:12 UTC (permalink / raw)
To: elg3ne; +Cc: netfilter
> LOCALLINK="eth0"
> GLOBALLINK="eth1"
> ROUTER="yes"
> NAT="10.0.0.3"
> INTERFACES="lo eth0 eth1"
> SERVICES="8080 80"
>
> if [ "$1" = "start" ]
> then
> echo "Starting firewall..."
> iptables --flush
> iptables --table nat --flush
> iptables --delete-chain
> iptables --table nat --delete-chain
> iptables -P INPUT DROP
> iptables -A INPUT -i ! ${GLOBALLINK} -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #enable public access to certain services
> for x in ${SERVICES}
> do
> iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
> done
> iptables -A INPUT -p tcp -i ${GLOBALLINK} -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p udp -i ${GLOBALLINK} -j REJECT --reject-with icmp-port-unreachable
> #explicitly disable ECN
> if [ -e /proc/sys/net/ipv4/tcp_ecn ]
> then
> echo 0 > /proc/sys/net/ipv4/tcp_ecn
> fi
>
> #disable spoofing on all interfaces
> for x in ${INTERFACES}
> do
> echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
> done
>
> if [ "$ROUTER" = "yes" ]
> then
> #we're a router of some kind, enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> if [ "$NAT" = "dynamic" ]
> then
> #dynamic IP address, use masquerading
> echo "Enabling masquerading (dynamic ip)..."
> iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j MASQUERADE
> iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT
>
> #################################
> iptables -t nat -A PREROUTING -i $GLOBALLINK -d 203.87.141.9 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.11:8080
> iptables -t nat -A PREROUTING -i $GLOBALLINK -d 203.87.141.9 -p udp --dport 8080 -j DNAT --to-destination 192.168.1.11:8080
> iptables -t nat -A POSTROUTING -o $LOCALLINK -d 192.168.1.11 -p tcp --dport 8080 -j SNAT --to-source 192.168.1.1
> iptables -t nat -A POSTROUTING -o $LOCALLINK -d 192.168.1.11 -p udp --dport 8080 -j SNAT --to-source 192.168.1.1
> #################################
>
> elif [ "$NAT" != "" ]
> then
> #static IP, use SNAT
> echo "Enabling SNAT (static ip)..."
> iptables --table nat --append POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> iptables --table nat --append POSTROUTING --out-interface ${GLOBALLINK} -j SNAT --to-source ${NAT}
> iptables --append FORWARD --in-interface ${LOCALLINK} -j ACCEPT
>
> fi
> fi
>
> elif [ "$1" = "stop" ]
> then
> echo "Stopping firewall..."
> iptables -F INPUT
> iptables -F FORWARD
> iptables -P INPUT ACCEPT
> #turn off NAT/masquerading, if any
> iptables -t nat -F POSTROUTING
> fi
Try moving your rules from the section that you have them in to the "then...fi" block below where they are at present. Based on the fact that you have NAT set to something other than dynamic, the section that you have your rules in will never be called.
Grant. . . .
* Re: IP Forwarding from Local IP to Live IP
2005-04-19 7:55 ` IP Forwarding from Local IP to Live IP elg3ne
2005-04-19 7:44 ` Taylor Grant
@ 2005-04-19 11:42 ` Jason Opperisano
1 sibling, 0 replies; 10+ messages in thread
From: Jason Opperisano @ 2005-04-19 11:42 UTC (permalink / raw)
To: netfilter
On Tue, Apr 19, 2005 at 03:55:18PM +0800, elg3ne wrote:
> Hi guys, I'm new to iptables. I hope someone can help me with this.
>
> The situation is this: I have a web server running on a local network machine
> (192.168.1.3) and I want it to be accessible from outside my network. Is it
> possible?
>
> The setup is like this:
>
> workstation (192.168.1.3) ---> HUB ---> server ( LIVE IP, accessible
> everywhere on the net )
>
> When a user accesses the live IP, e.g. 10.0.0.3, can he be forwarded to get
> the files on the workstation?
Three-line guide to "port-forwarding":
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $OUTSIDE_PORT \
-j DNAT --to-destination $INSIDE_HOST_IP:$INSIDE_PORT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -p tcp --syn \
-d $INSIDE_HOST_IP --dport $INSIDE_PORT -j ACCEPT
where example values for all the variables are:
EXT_IF="eth0"
OUTSIDE_PORT="80"
INSIDE_HOST_IP="192.168.1.3"
INSIDE_PORT="8080"
HTH...
-j
--
"Peter: Lois, When I'm through with them, our kids will be so smart,
they'll be able to program their own VCRs without spilling piping hot
gravy all over myself."
--Family Guy
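The advice in this sub-thread pulled together as an added example (this is not code posted by Jason, Grant or elg3ne): the three port-forwarding rules, DNAT plus the two FORWARD accepts, placed after the dynamic/static NAT branch rather than inside it, so they are loaded whichever NAT mode is set, which is the problem Grant pointed out in the posted script. An IPT variable lets the rule set be printed instead of loaded, so the result can be reviewed on a machine without root. Addresses and ports reuse the thread's sample values; the interface names and the helper names (print_rule, set_sysctl, outbound_nat, port_forward, firewall_start) are my assumptions.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Combines the three-line
# port-forward (DNAT plus two FORWARD accepts) with the dynamic/static NAT
# split of the posted firewall script, keeping the port-forward rules OUTSIDE
# that branch so they are loaded whichever NAT mode is configured.
# Interface names are constructed; addresses and ports reuse the thread's
# sample values.

IPT="${IPT:-iptables}"          # set IPT=print_rule to print rules instead of loading them

EXT_IF="eth1"                   # interface carrying the public ("live") address
LAN_IF="eth0"                   # interface towards the internal network
PUBLIC_IP="10.0.0.3"            # public address on EXT_IF
INSIDE_HOST_IP="192.168.1.3"    # internal web server
OUTSIDE_PORT="80"               # port clients connect to on PUBLIC_IP
INSIDE_PORT="8080"              # port the web server actually listens on

# Dry-run backend: print the command line instead of executing it.
print_rule() { printf 'iptables %s\n' "$*"; }

# Write a /proc/sys/net/ipv4 knob, or only report it when dry-running.
set_sysctl() {
    if [ "$IPT" = "print_rule" ]; then
        printf 'sysctl net.ipv4.%s=%s\n' "$1" "$2"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

# Outbound NAT for the LAN. Only this part depends on the NAT mode:
# "dynamic" selects MASQUERADE, an address selects SNAT to that address.
outbound_nat() {
    case "$1" in
        dynamic) $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE ;;
        "")      ;;
        *)       $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$1" ;;
    esac
}

# Inbound port forward. DNAT rewrites the destination in PREROUTING; the
# rewritten packet then traverses FORWARD, which has to accept the new
# connection and the return traffic, otherwise DNAT alone forwards nothing.
port_forward() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport "$OUTSIDE_PORT" \
        -j DNAT --to-destination "$INSIDE_HOST_IP:$INSIDE_PORT"
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp --syn \
        -d "$INSIDE_HOST_IP" --dport "$INSIDE_PORT" -j ACCEPT
}

# $1 is the NAT mode: "dynamic", a public address, or empty for no NAT.
# The port forward is added after the NAT branch, unconditionally.
firewall_start() {
    set_sysctl ip_forward 1
    outbound_nat "$1"
    port_forward
}

# "sh fw.sh start [nat-mode]" loads the rules; with IPT=print_rule in the
# environment the same invocation only prints them.
if [ "${1:-}" = "start" ]; then
    firewall_start "${2:-$PUBLIC_IP}"
fi
```

`IPT=print_rule sh fw.sh start dynamic` shows exactly which rules would be loaded for the masquerading case; without the variable the script loads them for real. The two FORWARD accepts only mean something if the FORWARD chain otherwise drops or rejects, which the example assumes; with a default ACCEPT policy they change nothing.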
* Re: Logging
2004-03-15 15:51 Logging Mario Udina
2004-03-15 16:07 ` Logging Frederic de Villamil
2004-03-15 16:08 ` Logging Antony Stone
@ 2004-03-15 16:25 ` Frank Gruellich
2004-03-15 16:36 ` Logging forum
3 siblings, 0 replies; 10+ messages in thread
From: Frank Gruellich @ 2004-03-15 16:25 UTC (permalink / raw)
To: netfilter
* Mario Udina <m.udina@libero.it> 15. Mar 04:
> Hello!
Hi,
> As I read in the man page, the file where the logs are written is the
> kernel log, i.e. /var/log/messages.
Maybe, by default.
> Is there a way to send this output to another file in order to keep the
> logs clean?
This is not possible with iptables or netfilter. You want to read the
man page of your sysklogd, especially that of syslog.conf. You can specify
the priority in a rule. Maybe you want to use another syslogger (syslog-ng
provides file redirection on patterns, AFAIK, which would be useful with the
--log-prefix option).
HTH,
regards, Frank.
--
Sigmentation fault
* Re: Logging
2004-03-15 15:51 Logging Mario Udina
` (2 preceding siblings ...)
2004-03-15 16:25 ` Logging Frank Gruellich
@ 2004-03-15 16:36 ` forum
3 siblings, 0 replies; 10+ messages in thread
From: forum @ 2004-03-15 16:36 UTC (permalink / raw)
To: Mario Udina; +Cc: netfilter
> I have done some googling; however, I did not manage to find out whether
> there is a way to define a file where iptables writes its logs.
In UNIX, the 'syslog' interface uses two parameters for any information
logged:
The logging facility
The logging level
I believe the facility is fixed to kernel, but the level can be changed.
Corresponding to that is the configuration in syslog.conf.
Another useful thing is --log-prefix in the iptables command, which lets
you output a descriptive log prefix. You can then script your own log
placement, using grep or something.
--
forum@users.pc9.org
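Antony's, Frank's and forum's suggestions put into one runnable piece, as an added example that is not code from any poster: a LOG rule with --log-level and --log-prefix, the sysklogd selector that routes that priority to its own file, and a post-processing function that greps the prefixed lines out of a messages file and counts drops per source address (the "script your own log placement" approach). The interface name, prefix, file names, the sample log lines and the helper names (add_log_rule, make_sample_log, split_iptables_log, top_sources) are constructed for the example.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Shows the two pieces the
# thread points at: a LOG rule that tags dropped packets with a prefix and a
# syslog priority (plus the matching syslog.conf selector), and a small
# post-processing step that pulls the prefixed lines out of a
# /var/log/messages-style file into a file of their own.
# Interface, prefix, addresses and the sample log lines are constructed.

IPT="${IPT:-iptables}"          # set IPT=print_rule to print rules instead of loading them
LOG_PREFIX="IPT-DROP: "         # at most 29 characters, the limit of the LOG target

print_rule() { printf 'iptables %s\n' "$*"; }

# Log (rate-limited) and then drop new TCP connection attempts arriving on
# eth1. --log-level sets the syslog priority; the facility is always kern.
add_log_rule() {
    $IPT -A INPUT -i eth1 -p tcp --syn -m limit --limit 5/min \
        -j LOG --log-level warning --log-prefix "$LOG_PREFIX"
    $IPT -A INPUT -i eth1 -p tcp --syn -j DROP
}

# The matching sysklogd selector for /etc/syslog.conf ("=" restricts to that
# exact priority; the leading "-" skips a sync after each line):
#     kern.=warning    -/var/log/iptables.log
# Any other kernel message at priority warning lands there too, which is why
# the priority alone cannot keep the file completely separate; the prefix can.

# Write a few constructed /var/log/messages lines to $1: three carrying the
# prefix, one other kernel message and one from cron.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 15 16:20:01 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 SYN URGP=0
Mar 15 16:20:02 gw kernel: eth1: link up, 100Mbps, full-duplex
Mar 15 16:20:05 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51022 DPT=135 WINDOW=65535 SYN URGP=0
Mar 15 16:20:09 gw CRON[2311]: (root) CMD (run-parts /etc/cron.hourly)
Mar 15 16:20:11 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 SYN URGP=0
EOF
}

# Copy the lines carrying LOG_PREFIX from $1 to $2 (the "grep or something"
# approach) and print how many lines were copied.
split_iptables_log() {
    grep -F -- "$LOG_PREFIX" "$1" > "$2" || true
    wc -l < "$2" | tr -d ' '
}

# Count dropped attempts per source address in a split log, busiest first.
# Each output line is "<count> <address>".
top_sources() {
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Usage with the constructed sample:
#   make_sample_log /tmp/messages.sample
#   split_iptables_log /tmp/messages.sample /tmp/iptables.log
#   top_sources /tmp/iptables.log
```

Matching on the prefix gives an exact split, whereas the kern.=warning selector also collects every other kernel warning, which is the limitation Antony describes. The source addresses in the sample come from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges.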
Thread overview: 10+ messages
2004-03-15 15:51 Logging Mario Udina
2004-03-15 16:07 ` Logging Frederic de Villamil
2004-03-15 16:08 ` Logging Antony Stone
2005-04-19 7:55 ` IP Forwarding from Local IP to Live IP elg3ne
2005-04-19 7:44 ` Taylor Grant
2005-04-19 8:41 ` elg3ne
2005-04-19 19:12 ` Taylor, Grant
2005-04-19 11:42 ` Jason Opperisano
2004-03-15 16:25 ` Logging Frank Gruellich
2004-03-15 16:36 ` Logging forum