* Logging NAT Translations
From: Craig Bernstein @ 2007-05-19 3:15 UTC
To: netfilter
I can't believe this isn't a FAQ; I apologize if I missed something in
my searches.
Is there a way to log connections along with all of their NAT translation data?
I am using a Debian (Sarge) system to SNAT guest users from private
address space to the Internet, and I need to keep a record that
includes both their internal and external addresses.
Simply logging before the SNAT rule leaves out the external address,
leaving me only with the original RFC1918 source address.
/proc/net/ip_conntrack has the information I need, but no way to send
it to the log at the beginning and/or end of the session.
There HAS to be an easy way to do this! Right?
Thank you...
--
...Craig
* Re: Logging NAT Translations
From: Petr Pisar @ 2007-05-20 19:23 UTC
To: netfilter
On 2007-05-19, Craig Bernstein <cbernstein@cbernstein.com> wrote:
>
> Is there a way to log connections along with all of their NAT
> translation data?
>
[...]
> /proc/net/ip_conntrack has the information I need, but no way to send
> it to the log at the beginning and/or end of the session.
>
You can use the "conntrack" tool, which can log conntrack events, like
creating a new connection or destroying an old one, almost in real time.
-- Petr
* Re: Logging NAT Translations
From: Jan Engelhardt @ 2007-05-22 20:09 UTC
To: Craig Bernstein; +Cc: netfilter
On May 18 2007 20:15, Craig Bernstein wrote:
>
> I can't believe this isn't a FAQ; I apologize if I missed something in
> my searches.
>
> Is there a way to log connections along with all of their NAT translation
> data?
iptables -t nat -N yes_do_me_1
iptables -t nat -A yes_do_me_1 -j LOG ...
iptables -t nat -A yes_do_me_1 -j SNAT ...

iptables -t nat -A POSTROUTING -s 134.76.0.0/16 -d whatever -p tcp -j yes_do_me_1
Or you could use `conntrack -E`... or conntrack -L for a momentary
state.
>
> I am using a Debian (Sarge) system to SNAT guest users from private
> address space to the Internet, and I need to keep a record that
> includes both their internal and external addresses.
>
> Simply logging before the SNAT rule leaves out the external address,
> leaving me only with the original RFC1918 source address.
> /proc/net/ip_conntrack has the information I need, but no way to send
> it to the log at the beginning and/or end of the session.
>
> There HAS to be an easy way to do this! Right?
>
> Thank you...
>
> --
> ...Craig
>
>
Jan
--
* Re: Logging NAT Translations
From: Craig Bernstein @ 2007-06-06 2:10 UTC
To: Jan Engelhardt; +Cc: netfilter
On 5/22/07, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
> iptables -t nat -N yes_do_me_1
> iptables -t nat -A yes_do_me_1 -j LOG ...
> iptables -t nat -A yes_do_me_1 -j SNAT ...
>
> iptables -t nat -A POSTROUTING -s 134.76.0.0/16 -d whatever -p tcp -j yes_do_me_1
>
> Or you could use `conntrack -E`... or conntrack -L for a momentary
> state.
Jan, thank you for your suggestion, but setting it up that way gives
me the same results as before. The log entry looks like this:
IN= OUT=eth0 SRC=10.1.2.3 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00
TTL=125 ID=52743 DF PROTO=TCP SPT=1535 DPT=80 WINDOW=16384 RES=0x00
SYN URGP=0
"SRC" is the inside client address. "DST" is the outside server
address. I still need to log the outside address the client is SNATed
to, i.e. the public Internet address the server will see.
`cat /proc/net/ip_conntrack` will give me the momentary state, but I
want each connection syslogged at set-up and/or tear-down.
Petr recommended the conntrack tool, which may work but will require
upgrading a box that is currently running Debian Sarge. Is that my
only option?
Thanks,
Craig
* Re: Logging NAT Translations
From: Jan Engelhardt @ 2007-06-06 6:01 UTC
To: Craig Bernstein; +Cc: netfilter
On Jun 5 2007 19:10, Craig Bernstein wrote:
> On 5/22/07, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
>> iptables -t nat -N yes_do_me_1
>> iptables -t nat -A yes_do_me_1 -j LOG ...
>> iptables -t nat -A yes_do_me_1 -j SNAT ...
>>
>> iptables -t nat -A POSTROUTING -s 134.76.0.0/16 -d whatever -p tcp -j yes_do_me_1
>>
>> Or you could use `conntrack -E`... or conntrack -L for a momentary
>> state.
>
> Jan, thank you for your suggestion, but setting it up that way gives
> me the same results as before. The log entry looks like this:
>
> IN= OUT=eth0 SRC=10.1.2.3 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00
> TTL=125 ID=52743 DF PROTO=TCP SPT=1535 DPT=80 WINDOW=16384 RES=0x00
> SYN URGP=0
>
> "SRC" is the inside client address. "DST" is the outside server
> address. I still need to log the outside address the client is SNATed
> to, i.e. the public Internet address the server will see.
iptables -t nat -N ydm1
iptables -t nat -A ydm1 -j LOG --log-prefix "[Address got SNATed to 134.76.13.21] "
iptables -t nat -A ydm1 -j SNAT --to 134.76.13.21

iptables -t nat -A POSTROUTING <-d condition -m condition or whatever> -j ydm1
It already was a complete example. When you SNAT, you know you do.
> Petr recommended the conntrack tool, which may work but will require
> upgrading a box that is currently running Debian Sarge. Is that my
> only option?
Teardown logging: yes. Setup: See above and/or conntrack.
Jan
--
* Re: Logging NAT Translations
From: Craig Bernstein @ 2007-06-06 7:15 UTC
To: Jan Engelhardt; +Cc: netfilter
On 6/5/07, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
> iptables -t nat -N ydm1
> iptables -t nat -A ydm1 -j LOG --log-prefix "[Address got SNATed to 134.76.13.21] "
> iptables -t nat -A ydm1 -j SNAT --to 134.76.13.21
>
> iptables -t nat -A POSTROUTING <-d condition -m condition or whatever> -j ydm1
>
> It already was a complete example. When you SNAT, you know you do.
--to-source can be (and is, in this case) a range of IP addresses. I
know I SNATed, but not to which source IP address and port.
--
...Craig
* Re: Logging NAT Translations
From: Jan Engelhardt @ 2007-06-07 8:09 UTC
To: Craig Bernstein; +Cc: netfilter
On Jun 6 2007 00:15, Craig Bernstein wrote:
>
> On 6/5/07, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
>> iptables -t nat -N ydm1
>> iptables -t nat -A ydm1 -j LOG --log-prefix "[Address got SNATed to 134.76.13.21] "
>> iptables -t nat -A ydm1 -j SNAT --to 134.76.13.21
>>
>> iptables -t nat -A POSTROUTING <-d condition -m condition or whatever> -j ydm1
>>
>> It already was a complete example. When you SNAT, you know you do.
>
> --to-source can be (and is, in this case) a range of IP addresses. I
> know I SNATed, but not to which source IP address and port.
Oh I did not know :-/ I rarely need ranges, mostly because it does not RR over
them like I thought it does :(
Jan
--
* Re: Logging NAT Translations
From: Pascal Hambourg @ 2007-06-07 22:36 UTC
To: netfilter
Hello,
Jan Engelhardt wrote:
>
>>> iptables -t nat -A ydm1 -j LOG --log-prefix "[Address got SNATed to 134.76.13.21] "
>>> iptables -t nat -A ydm1 -j SNAT --to 134.76.13.21
>>>
>>>It already was a complete example. When you SNAT, you know you do.
Not always.
- A NAT may fail due to a conflict with an existing mapping, so you
believe you SNAT but actually don't. However I do admit that this
situation is unlikely to happen when you don't restrict the port range in
the SNAT target.
- Implicit SNAT may be performed to avoid conflict with an existing
rule, so you SNAT but do not know you do.
> I rarely need ranges, mostly because it does not RR over
> them like I thought it does :(
It used to, prior to kernel version 2.6.11. And I believe it still does
in the latest 2.4 kernel. But the developers thought this behaviour was
not desirable because it broke some usages and replaced the round robin
with a hash so the same original source+destination pair always gets the
same address in the SNAT range.
* Logging nat translations
From: Carlos Sülz @ 2008-08-28 14:10 UTC
To: netfilter
Hi NF people, I have a question related to a logging issue.
I'm already making a log with my conntrack session, but I need to log
the "NATed IP" for auditing.
I mean...
the "-j LOG" parameter logs the SRC IP and the DST IP (src is the IP
before NAT and the dst is... well, you know it.)
I need something like SRC=10.x.x.x, NAT=200.x.x.x, DST=201.x.x.x
If there is a way to get this, please let me know.
PS: I'm doing NAT with a pool of 3 groups of 200 IPs
thanks in advance.
CS
* Re: Logging nat translations
From: Eric Leblond @ 2008-08-28 17:17 UTC
To: Carlos Sülz; +Cc: netfilter
Hello,
On Thursday, 2008 August 28 at 10:10:20 -0400, Carlos Sülz wrote:
> Hi NF people, I have a question related to a logging issue.
>
> I'm already making a log with my conntrack session, but I need to log
> the "NATed IP" for auditing.
>
> I mean...
> the "-j LOG" parameter logs the SRC IP and the DST IP (src is the IP
> before NAT and the dst is... well, you know it.)
> I need something like SRC=10.x.x.x, NAT=200.x.x.x, DST=201.x.x.x
> If there is a way to get this, please let me know.
Have a look at ulogd2 which is able to log every connection tracking
event in a file or in a database.
Some links:
http://netfilter.org/projects/ulogd/index.html
http://software.inl.fr/trac/wiki/ulogd2/user
BR,
--
Eric Leblond
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
* Re: Logging nat translations
From: Pablo Neira Ayuso @ 2008-08-29 10:50 UTC
To: Carlos Sülz; +Cc: Eric Leblond, netfilter
Eric Leblond wrote:
> Hello,
>
> On Thursday, 2008 August 28 at 10:10:20 -0400, Carlos Sülz wrote:
>> Hi NF people, I have a question related to a logging issue.
>>
>> I'm already making a log with my conntrack session, but I need to log
>> the "NATed IP" for auditing.
>>
>> I mean...
>> the "-j LOG" parameter logs the SRC IP and the DST IP (src is the IP
>> before NAT and the dst is... well, you know it.)
>> I need something like SRC=10.x.x.x, NAT=200.x.x.x, DST=201.x.x.x
>> If there is a way to get this, please let me know.
>
> Have a look at ulogd2 which is able to log every connection tracking
> event in a file or in a database.
>
> Some links:
> http://netfilter.org/projects/ulogd/index.html
> http://software.inl.fr/trac/wiki/ulogd2/user
You can also get them via the command line tool `conntrack':
# conntrack -E --src-nat
or
# conntrack -E --dst-nat
or even:
# conntrack -E --dst-nat 1.2.3.4
to filter only destination NAT to 1.2.3.4.
--
"Honest people are social misfits" -- Les Luthiers
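Petr's, Jan's and Pablo's answers all come down to the same observation: a LOG rule in the nat table fires before the SNAT target picks an address from the pool, so only conntrack knows the mapping, and conntrack prints it as two tuples. The ORIGINAL tuple is what the inside client sent; the REPLY tuple is what the outside peer sends back, so the reply tuple's dst address and port are exactly the SNATed source Craig and Carlos wanted (and the reply tuple's src is the real destination behind a DNAT). The script below is an added example, not code from the thread or from the netfilter project: it reads lines in the key=value layout that `conntrack -E`, `conntrack -L` and /proc/net/ip_conntrack share, emits one `SRC= NAT= DST=` record per connection setup (NEW) and teardown (DESTROY), and skips UPDATE events. The sample lines, the `CT ...` record format and the `RDST`/`NATTYPE` field names are constructed for this example.

```python
"""Added example: derive SRC/NAT/DST audit records from conntrack output.

Each conntrack line prints the ORIGINAL tuple (client -> server) followed by
the REPLY tuple (server -> client).  The reply tuple's dst is the source the
outside peer actually saw (the SNAT result); its src is the host that really
answered (the DNAT result).  Sample lines here are constructed, modelled on
`conntrack -E` and /proc/net/ip_conntrack output.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Optional "[NEW]"/"[UPDATE]"/"[DESTROY]" event tag (conntrack -E only),
# then protocol name and number.  Snapshot lines (-L, /proc) have no tag.
HEAD_RE = re.compile(
    r"^\s*(?:\[(?P<event>NEW|UPDATE|DESTROY)\]\s+)?(?P<proto>[a-z0-9]+)\s+\d+")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class NatRecord:
    event: str      # NEW (setup), DESTROY (teardown) or LIST (table snapshot)
    proto: str
    src: str        # client as it sent the packet          (original src)
    nat_src: str    # source as the outside peer saw it     (reply dst)
    dst: str        # destination the client addressed      (original dst)
    nat_dst: str    # host that really received the packet  (reply src)

    @property
    def snat(self) -> bool:
        return self.src != self.nat_src

    @property
    def dnat(self) -> bool:
        return self.dst != self.nat_dst

    def syslog_line(self) -> str:
        """SRC= NAT= DST= as asked for in the thread, plus the post-DNAT
        destination (RDST) so inbound port forwards are covered too."""
        kinds = [k for k, on in (("SNAT", self.snat), ("DNAT", self.dnat)) if on]
        return (f"CT {self.event} {self.proto} SRC={self.src} NAT={self.nat_src} "
                f"DST={self.dst} RDST={self.nat_dst} NATTYPE={','.join(kinds) or 'none'}")


def _endpoint(addr: str, port: Optional[str]) -> str:
    return f"{addr}:{port}" if port else addr


def parse_entry(line: str) -> Optional[NatRecord]:
    """Parse one conntrack line.  UPDATE events only repeat the mapping
    already seen at NEW, so they and any line lacking both tuples yield None."""
    m = HEAD_RE.match(line)
    if not m or m["event"] == "UPDATE":
        return None
    fields: dict = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, []).append(value)    # 1st = original, 2nd = reply
    if len(fields.get("src", [])) != 2 or len(fields.get("dst", [])) != 2:
        return None
    (o_src, r_src), (o_dst, r_dst) = fields["src"], fields["dst"]
    # ICMP entries carry type/code/id instead of ports; treat ports as absent.
    sports, dports = fields.get("sport", []), fields.get("dport", [])
    if len(sports) != 2 or len(dports) != 2:
        sports, dports = [None, None], [None, None]
    return NatRecord(
        event=m["event"] or "LIST",
        proto=m["proto"],
        src=_endpoint(o_src, sports[0]),
        nat_src=_endpoint(r_dst, dports[1]),
        dst=_endpoint(o_dst, dports[0]),
        nat_dst=_endpoint(r_src, sports[1]),
    )


def audit(lines: Iterable[str]) -> Iterator[NatRecord]:
    for line in lines:
        rec = parse_entry(line)
        if rec is not None:
            yield rec


# Constructed sample: an SNAT pool (198.51.100.7-8) with one port rewrite,
# one inbound DNAT (port forward) and a /proc-style snapshot line at the end.
SAMPLE = """\
    [NEW] tcp      6 120 SYN_SENT src=10.1.2.3 dst=209.85.139.147 sport=1535 dport=80 [UNREPLIED] src=209.85.139.147 dst=198.51.100.7 sport=80 dport=1535
 [UPDATE] tcp      6 60 SYN_RECV src=10.1.2.3 dst=209.85.139.147 sport=1535 dport=80 src=209.85.139.147 dst=198.51.100.7 sport=80 dport=1535
    [NEW] udp      17 30 src=10.1.2.4 dst=192.0.2.53 sport=40001 dport=53 [UNREPLIED] src=192.0.2.53 dst=198.51.100.8 sport=53 dport=40002
[DESTROY] tcp      6 src=10.1.2.3 dst=209.85.139.147 sport=1535 dport=80 packets=12 bytes=1840 src=209.85.139.147 dst=198.51.100.7 sport=80 dport=1535 packets=10 bytes=6120 [ASSURED]
    [NEW] tcp      6 120 SYN_SENT src=203.0.113.9 dst=198.51.100.7 sport=51000 dport=443 [UNREPLIED] src=10.1.2.10 dst=203.0.113.9 sport=443 dport=51000
tcp      6 431999 ESTABLISHED src=10.1.2.5 dst=198.51.100.200 sport=2222 dport=22 src=198.51.100.200 dst=198.51.100.7 sport=22 dport=2222 [ASSURED] use=1
"""

if __name__ == "__main__":
    # Live use: conntrack -E -e NEW,DESTROY --src-nat | python3 ct_nat_audit.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for rec in audit(source):
        print(rec.syslog_line())
```

Piping the output to logger(1) gives the syslogged setup and teardown records Craig asked for on a box where only the conntrack userspace tool, not ulogd2, is available; the DESTROY line also carries the packets/bytes counters when accounting is enabled, which is usually what an abuse complaint ends up needing.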