[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How can I get all IP transactions (in/out) logged?

Yes iptables can do this.  I know iptables can log to syslog, and
believe there are  ways to make it log to SQL, but I am unfamiliar
with those.

With syslog logging, you will also probably want to look into a syslog
replacement such as syslog-ng where you can separate log data to
multiple files much easier than the usual channels plain syslog

To do this you use the target -j LOG with one or two additional options:

iptables -A input -i ppp0 -j LOG --log-level debug --log-prefix "PACKETLOG-IN"
iptables -A output -o ppp0 -j LOG --log-level debug --log-prefix "PACKETLOG-OUT"
iptables -A forward -i ppp0 -j LOG --log-level debug --log-prefix "PACKETLOG-IN"
iptables -A forward -o ppp0 -j LOG --log-level debug --log-prefix

You can use whichever combination of the above four rules depending on
what you want to log.
#1 logs packets in ppp0 destined to the router/host machine
#2 logs packets out ppp0 sourced from the router/host machine
#3 logs packets in ppp0 destined to something else on your network
#4 logs packets out ppp0 sourced from something else on your network

--log-level has to be a valid syslog type (man syslog.conf)
--log-prefix is a 14 char string prepended to the log message.  This
can be changed to suit your needs, and I would suggest configuring
syslog-ng to pattern match for this string so you can store each
iptables rule's output in a separate file as needed.
You can have two files, in and out, each mixed no matter what its
to/from (as in my examples above) or have the forward and 'to router
host' separated, or any combinations you need.

These logs will get large the more data you pass.  If you store them
for say 24 hours and rotate them as you pass them off to some other
accounting/processing software (one that just stores summary info for
example) and bzip2's the logs, deleting after a couple days, this
shouldn't be bad on a dialup.

-- Jon

On Tue, 27 Jul 2004 12:27:56 -0700, listcomm@ml1.net <listcomm@ml1.net> wrote:
> I just want a basic log file containing the source and
> destination addresses for all traffic in and out of
> via PPP, so that I can keep track of what connections to
> outside IP addresses are made, and from where (externally,
> or from something running on my system) they originated.
> I've turned on the debug mode in PPP but it doesn't seem to
> provide what I want.  For instance, it logs transactions from my
> system to my ISP, but doesn't log what's happening with
> any greater resolution (for instance, if I ping a system
> on the Internet, there's no record of the ping attempt
> in any of the system log files).  The firewall as set up by
> "firestarter" logs blocked firewall penetration attempts, but
> not "legitimate" transactions in and out (perhaps there's a
> method, which I haven't found, to change that?)
> Is there any "built-in" facility that will accomplish
> this, or is it necessary/possible to construct something
> using "iptables", or is there a contributed app that will
> do it?
> I realize that there are log files for the various
> servers and utilities (FTP, etc.) that contain this information
> on a piecemeal basis, but it seems to me that it would make
> more sense to collect it at the connection point(s) in and out
> of the system, at least on an interface-by-interface basis.
> Once again, I'm surprised that a Web search and various site
> searches haven't turned up a solution to this.
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: