IPTABLES, TCPDUMP LOGGING

Post by cbieli » Sat, 05 Oct 2002 06:58:14



Current Setup:
I am running a 2.4 Debian (Woody dist) Linux box as a router, NAT,
firewall using iptables. I want to log constant traffic on both eth0
and eth1 on the same box. I have been messing around with tcpdump and
it is not really doing what I want. Maybe it can and I just can't get
it. Help me out!

I want to be able to write all traffic to a file that I can view later
on. But I want simple things like source and destination address from
the same packet. Tcpdump seems to only be able to capture on a per
interface basis, which does not let me see the other interface's
information. I went to tcpdump.org and the man page is not helping. Does
anyone know a better solution than this, or can I do it with tcpdump?

C


Post by Ange » Sat, 05 Oct 2002 07:08:30



> Current Setup:
> I am running a 2.4 Debian (Woody dist) Linux box as a router, NAT,
> firewall using iptables. I want to log constant traffic on both eth0
> and eth1 on the same box. I have been messing around with tcpdump and
> it is not really doing what I want. Maybe it can and I just can't get
> it. Help me out!

> I want to be able to write all traffic to a file that I can view later
> on. But I want simple things like source and destination address from
> the same packet. Tcpdump seems to only be able to capture on a per
> interface basis, which does not let me see the other interface's
> information. I went to tcpdump.org and the man page is not helping. Does
> anyone know a better solution than this, or can I do it with tcpdump?

> C

As an alternative you could always set up a couple of iptables rules to
log packets via syslog.  I hope you have a lot of storage capacity.

To log everything for eth0, for example, you can do something like this:

iptables -I INPUT 1 -i eth0 -j LOG --log-prefix "eth0-inbound"
iptables -I OUTPUT 1 -i eth0 -j LOG --log-prefix "eth0-outbound"

These insert a rule at the top of the INPUT and OUTPUT chains that
matches everything and logs it via syslog.  You can make log-prefix
anything you like to help you distinguish them in the logs.
These rules are examples, and pretty crude at that, as they will log
absolutely everything hitting eth0.  I advise you to read the man page for
iptables as it explains the various options you can use.  Plus take a
read of the iptables documentation.

angel


Post by Martin Peiker » Sat, 05 Oct 2002 17:37:26


---8<---

> iptables -I OUTPUT 1 -i eth0 -j LOG --log-prefix "eth0-outbound"

Instead of '-i' I would prefer '-o' to avoid error messages...

GTi


Post by cbieli » Sun, 06 Oct 2002 02:05:43




> ---8<---
> > iptables -I OUTPUT 1 -i eth0 -j LOG --log-prefix "eth0-outbound"

> Instead of '-i' I would prefer '-o' to avoid error messages...

> GTi

For reasons that I cannot say I am working for a company that deals
with the utmost highest security standards that I have ever seen. They
come to me asking for a Linux solution to the data transfer and I of
course was e*d :) YES, I need to log everything and storage is not
a problem, but where does this syslog save? Is it in the /var/log dir?
Also, can I redirect this log to another Linux box through a mount?
I am getting a 4 Terabyte RAID running Linux for the logs. They are
pretty serious about these logs as you can see :)

C


Post by Whoeve » Tue, 08 Oct 2002 08:56:02



> For reasons that I cannot say I am working for a company that deals
> with the utmost highest security standards that I have ever seen. They
> come to me asking for a Linux solution to the data transfer and I of
> course was e*d :) YES, I need to log everything and storage is not
> a problem, but where does this syslog save? Is it in the /var/log dir?
> Also, can I redirect this log to another Linux box through a mount?
> I am getting a 4 Terabyte RAID running Linux for the logs. They are
> pretty serious about these logs as you can see :)

Try running:
man syslogd
man ln

Post by Whoeve » Tue, 08 Oct 2002 08:59:37




> > Current Setup:
> > I am running a 2.4 Debian (Woody dist) Linux box as a router, NAT,
> > firewall using iptables. I want to log constant traffic on both eth0
> > and eth1 on the same box. I have been messing around with tcpdump and

> iptables -I INPUT 1 -i eth0 -j LOG --log-prefix "eth0-inbound"
> iptables -I OUTPUT 1 -i eth0 -j LOG --log-prefix "eth0-outbound"

Except that, since the packets are being FORWARDED, they won't go through
the INPUT or OUTPUT chains. You would need to log them in the FORWARD
chain.
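Putting the whole thread together (Angel's LOG rules, the -o correction for OUTPUT, the FORWARD chain for routed traffic, and the original request to see source and destination of the same packet in one record), here is an added example that is not code from any of the posters. It assumes a router with eth0 and eth1, the standard netfilter LOG line format, and that syslog writes kern.* messages to /var/log/kern.log (check /etc/syslog.conf and man syslogd on your own box); the sample log lines are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes a router with eth0/eth1,
# the standard netfilter LOG line format, and that kern.* messages land in
# /var/log/kern.log (check /etc/syslog.conf and man syslogd for your box).

# Rule set as corrected by the follow-ups: -o (not -i) for OUTPUT, and the
# FORWARD chain for routed/NATed traffic, which never enters INPUT or OUTPUT.
# A trailing space in each prefix keeps it separate from the IN= field.
install_log_rules() {
    for dev in eth0 eth1; do
        iptables -I INPUT  1 -i "$dev" -j LOG --log-prefix "$dev-inbound "
        iptables -I OUTPUT 1 -o "$dev" -j LOG --log-prefix "$dev-outbound "
    done
    iptables -I FORWARD 1 -i eth1 -o eth0 -j LOG --log-prefix "fwd-eth1-eth0 "
    iptables -I FORWARD 1 -i eth0 -o eth1 -j LOG --log-prefix "fwd-eth0-eth1 "
}

# Reduce each LOG line to: prefix IN OUT SRC DST PROTO SPT DPT ("-" if absent),
# so one record shows both interfaces and both addresses of the same packet.
summarize_log() {
    awk '/kernel: .*IN=.*SRC=/ {
        pfx = $0
        sub(/^.*kernel: /, "", pfx)   # drop syslog timestamp and host
        sub(/ *IN=.*$/, "", pfx)      # keep only the --log-prefix text
        split("", kv)                 # clear the key=value map (portable)
        for (i = 1; i <= NF; i++) {
            j = index($i, "=")
            if (j > 1) kv[substr($i, 1, j - 1)] = substr($i, j + 1)
        }
        printf "%s %s %s %s %s %s %s %s\n", pfx, v(kv["IN"]), v(kv["OUT"]),
            v(kv["SRC"]), v(kv["DST"]), v(kv["PROTO"]), v(kv["SPT"]), v(kv["DPT"])
    }
    function v(x) { return (x == "" ? "-" : x) }' "$@"
}

# Constructed sample of what the kernel writes via syslog (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Oct  5 06:58:14 router kernel: eth0-inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  5 06:58:15 router kernel: fwd-eth1-eth0 IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Oct  5 06:58:16 router sshd[123]: Accepted password for admin from 192.0.2.10
EOF
)

# On a live box: install_log_rules; summarize_log /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

Logging every packet this way fills the disk and the syslog socket quickly; on a busy router the -m limit match or a dedicated log host (man syslogd covers remote logging) is the usual relief.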