Multiple conditions for logging packets

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Multiple conditions for logging packets
@ 2002-09-23 11:06 Matt Parlane
  2002-09-23 12:15 ` Antony Stone
  2002-09-23 12:33 ` Anders Fugmann
  0 siblings, 2 replies; 3+ messages in thread
From: Matt Parlane @ 2002-09-23 11:06 UTC (permalink / raw)
  To: netfilter

Hi list...

I have a simple linux machine acting as a firewall/gateway, and I'm after a
way to specify multiple conditions for rules.  Basically I want to create a
rule for packets which are either coming from or going to the internet - not
packets which are both sourced and destined for the local network.  The
reason is that I am logging the packets to MySQL using ULogD - and I really
can't afford to be periodically removing all the records from the table
which are only for internal traffic.

I haven't been able to do this so far using iptables rules.  Does anyone
have any ideas about how this might be achieved?

Many thanks in advance...

Matt Parlane
Zevi Interactive
matt@zevi.net

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Multiple conditions for logging packets
  2002-09-23 11:06 Multiple conditions for logging packets Matt Parlane
@ 2002-09-23 12:15 ` Antony Stone
  2002-09-23 12:33 ` Anders Fugmann
  1 sibling, 0 replies; 3+ messages in thread
From: Antony Stone @ 2002-09-23 12:15 UTC (permalink / raw)
  To: netfilter

On Monday 23 September 2002 12:06 pm, Matt Parlane wrote:

> Hi list...
>
> I have a simple linux machine acting as a firewall/gateway, and I'm after a
> way to specify multiple conditions for rules.  Basically I want to create a
> rule for packets which are either coming from or going to the internet -
> not packets which are both sourced and destined for the local network.
>
> I haven't been able to do this so far using iptables rules.  Does anyone
> have any ideas about how this might be achieved?

Intriguing question.

1. Why would you have packets both sourced from and destined to the local 
network going through your firewall anyway (maybe you have multiple internal 
networks) ?

2. What's the problem with simply having two rules one after another, the 
first of which logs packets coming in from the Internet, the second of which 
logs packets going to the Internet ?   Both rules together end up doing the 
job you want, and no packet is ever going to match both rules.

3. Depending on what you want to do, can you handle the problem by first 
getting rid of packets both from & to the internal network, then logging 
what's left ?
eg:
iptables -N log-stuff-to-or-from-internet
iptables -A log-stuff-to-or-from-internet -i $intIF -o $intIF -j RETURN
any packets which get this far are not local-to-local
iptables -A FORWARD -j log-stuff-to-or-from-internet

alternatively if you have one external interface and more than one internal 
interface, then you can identify local packets by the fact they do not go 
through the external internface, instead of by the fact that they do go 
through the internal interface:

iptables -N log-stuff-to-or-from-internet
iptables -A log-stuff-to-or-from-internet -i ! $extIF -o ! $extIF -j RETURN
any packets which get this far must have either -i or -o = $extIF

Does this help ?

Antony.

-- 

The first ninety percent of an engineering project takes ninety percent
of the time, and the last ten percent takes the remaining ninety percent.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Multiple conditions for logging packets
  2002-09-23 11:06 Multiple conditions for logging packets Matt Parlane
  2002-09-23 12:15 ` Antony Stone
@ 2002-09-23 12:33 ` Anders Fugmann
  1 sibling, 0 replies; 3+ messages in thread
From: Anders Fugmann @ 2002-09-23 12:33 UTC (permalink / raw)
  To: Matt Parlane; +Cc: netfilter

Matt Parlane wrote:
> Hi list...
> 
> I have a simple linux machine acting as a firewall/gateway, and I'm after a
> way to specify multiple conditions for rules.  Basically I want to create a
> rule for packets which are either coming from or going to the internet - not
> packets which are both sourced and destined for the local network.  The
Create a new chain for this: e.g.
iptables -N INTERNET_LOG
iptables -A INTERNET_LOG -i eth0 -j ULOG
iptables -A INTERNET_LOG -o eth0 -j ULOG

#Forward to the logging:
iptables -A INPUT -j INTERNET_LOG
iptables -A OUTPUT -j INTERNET_LOG
iptables -A FORWARD -j INTERNET_LOG

Remember that all boolean operations can be created in netfilter:
(a and b are packet conditions and C is either a chain or target)
if a      then C ->  iptables (a)  -J C
if !a     then C ->  iptables (!a) -J C
if a && b then C ->  new chain: iptables (!a) -J return,
                                 iptables (!b) -J return,
                                 iptables -J C
if a || b then C ->  iptables (a) -J C, iptables (b) -J C

And that all  conditions in a rule are logical AND e.g.:
iptables -A input -p tcp --dport 25, means that the packet must be a tcp 
protocol type _and_ must have destination port 25. It is not possible to 
create logical OR in a single rule. (Well in some rare cases it is, but 
I leave that out for now.)

The problem is usually to create the AND operator. This is easily done 
by creating a new chaing, and returning from this if any of the 
conditions are false.

In your case, you need the OR operator, which is somewhat simple to create.

Hope it helps
Anders Fugmann






-- 
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2002-09-23 12:33 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-09-23 11:06 Multiple conditions for logging packets Matt Parlane
2002-09-23 12:15 ` Antony Stone
2002-09-23 12:33 ` Anders Fugmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox