Re: Logging output UIDs.

To: Sthu Deus <sthu.deus@gmail.com>
Cc: debian-firewall <debian-firewall@lists.debian.org>
Subject: Re: Logging output UIDs.
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Sat, 14 Jul 2012 10:00:47 +0200
Message-id: <[🔎] 5001272F.2040203@plouf.fr.eu.org>
In-reply-to: <[🔎] 50011b8a.8790980a.5d82.ffff8994@mx.google.com>
References: <[🔎] 50011b8a.8790980a.5d82.ffff8994@mx.google.com>

Hello,

Sthu Deus a écrit :
> 
> I try to get UIDs of the processes that generate OUTPUT traffic:
> 
> /sbin/iptables -A OUTPUT -j LOG --log-uid --log-prefix OUTPT->
> --log-level 2
> 
> But I do not get the UIDs:
> 
> OUTPT->IN= OUT=br0 SRC=XXXX DST=ZZZZ LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=48282 DPT=9001 WINDOW=842
> RES=0x00 ACK URGP=0

Is the UID missing for all packets or only for this one ?
According to a quick test, it seems that the last ACK in a TCP
connection does not have a UID (probably because the socket is closed).
Packets generated by the kernel itself (TCP RST, ICMP messages...) do no
have a UID.

> Also, may You know the answer to my curiocity, Why I can not locate '-j
> LOG' in above iptables rule at the end of the rule? - For iptables
> complains about unknown '--log-uid'. - I understand that something is
> then missing before the sufix, but from iptables man. it is not evident
> to me what.

--log-* are options to the LOG target, so iptables does not expect them
before.

Reply to:

References:
- Logging output UIDs.
  - From: Sthu Deus <sthu.deus@gmail.com>

Prev by Date: Logging output UIDs.
Next by Date: Re: Logging output UIDs.
Previous by thread: Logging output UIDs.
Next by thread: Re: Logging output UIDs.
Index(es):
- Date
- Thread